CapabilityRule: Validate given caps against cap list

... and error out if an unknown capability is given.

This also means recognizing bad capabilities in the parser simple_tests
now works (so remove these from the exception_not_raised list), and that
we can no longer hand over an unknown capability in test-capability.py
to test their severity.

utils/apparmor/rule/capability.py

@@ -15,7 +15,7 @@
 
 import re
 
-from apparmor.common import AppArmorBug
+from apparmor.common import AppArmorBug, AppArmorException
 from apparmor.regex import RE_PROFILE_CAP
 from apparmor.rule import BaseRule, BaseRuleset, logprof_value_or_all, parse_modifiers
 from apparmor.translations import init_translation
@@ -58,8 +58,17 @@ class CapabilityRule(BaseRule):
             self.capability = set()
         else:
             if isinstance(cap_list, str):
+                if not cap_list.strip():
+                    raise AppArmorBug('Passed empty/whitespace-only capability to %s: %s' % (type(self).__name__, cap_list))
+                if cap_list not in capability_keywords:
+                    raise AppArmorException('Passed unknown capability to %s: %s' % (type(self).__name__, cap_list))
                 self.capability = {cap_list}
             elif isinstance(cap_list, list) and cap_list:
+                for cap in cap_list:
+                    if not cap.strip():
+                        raise AppArmorBug('Passed empty/whitespace-only capability to %s: %s' % (type(self).__name__, cap))
+                    if cap not in capability_keywords:
+                        raise AppArmorException('Passed unknown capability to %s: %s' % (type(self).__name__, cap))
                 self.capability = set(cap_list)
             else:
                 raise AppArmorBug('Passed unknown object to %s: %s' % (type(self).__name__, str(cap_list)))

utils/test/test-capability.py

@@ -460,7 +460,6 @@ class CapabiliySeverityTest(AATest):
         ('dac_read_search',             7),
         (['fsetid', 'dac_read_search'], 9),
         (CapabilityRule.ALL,            10),
-        ('foo',                         'unknown'),
     )
 
     def _run_test(self, params, expected):

utils/test/test-parser-simple-tests.py

@@ -44,12 +44,6 @@ exception_not_raised = (
     'abi/bad_11.sd',
     'abi/bad_12.sd',
 
-    # invalid capabilities (like "foobar"), but syntactically correct
-    'capability/bad_1.sd',
-    'capability/bad_2.sd',
-    'capability/bad_3.sd',
-    'capability/bad_4.sd',
-
     # interesting[tm] profile name
     'change_hat/bad_parsing.sd',
 
@@ -176,8 +170,6 @@ exception_not_raised = (
     'profile/flags/flags_bad_disconnected_path4.sd',
     'profile/flags/flags_bad_disconnected_path5.sd',
     'profile/profile_ns_bad8.sd',  # 'profile :ns/t' without terminating ':'
-    'ptrace/bad_05.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
-    'ptrace/bad_06.sd',  # actually contains a capability rule with invalid (ptrace-related) keyword
     'ptrace/bad_10.sd',  # peer with invalid regex
     'signal/bad_21.sd',  # invalid regex
     'unix/bad_attr_1.sd',