On 03/22/2012 10:06 AM, Steve Beattie wrote:
> This patch adds several missing capabilities to the utils/
> severity.db file as detected by the newly added make check target,
> along with corresponding severity levels that I believe are appropriate
> (discussion welcome):
>
> CAP_MAC_ADMIN 10
> CAP_MAC_OVERRIDE 10
> CAP_SETFCAP 9
> CAP_SYSLOG 8
> CAP_WAKE_ALARM 8
>
> The latter two are undocumented in the capabilities(7) man page
> provided in Ubuntu 12.04; the syslog one is the separation out of
> accessing the dmesg buffer from CAP_SYSADMIN, and the CAP_WAKE_ALARM
> allows setting alarms that would wake a system from a suspended state,
> if my reading is correct.
>
> This also fixes a trailing whitespace on CAP_CHOWN, moves
> CAP_DAC_READ_SEARCH to the end of the section of capabilities it's
> in due to its lower priority level (7).
>
Acked-by: John Johansen <[email protected]> > --- > utils/severity.db | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > Index: b/utils/severity.db > =================================================================== > --- a/utils/severity.db > +++ b/utils/severity.db > @@ -14,9 +14,12 @@ > CAP_SYS_MODULE 10 > CAP_SYS_PTRACE 10 > CAP_SYS_RAWIO 10 > + CAP_MAC_ADMIN 10 > + CAP_MAC_OVERRIDE 10 > # Allow other processes to 0wn the machine: > CAP_SETPCAP 9 > - CAP_CHOWN 9 > + CAP_SETFCAP 9 > + CAP_CHOWN 9 > CAP_FSETID 9 > CAP_MKNOD 9 > CAP_LINUX_IMMUTABLE 9 > @@ -38,9 +41,11 @@ > CAP_LEASE 8 > CAP_IPC_LOCK 8 > CAP_SYS_TTY_CONFIG 8 > - CAP_DAC_READ_SEARCH 7 > CAP_AUDIT_CONTROL 8 > CAP_AUDIT_WRITE 8 > + CAP_SYSLOG 8 > + CAP_WAKE_ALARM 8 > + CAP_DAC_READ_SEARCH 7 > # unused > CAP_NET_BROADCAST 0 > > > > -- AppArmor mailing list [email protected] Modify settings or > unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor > -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
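Review bot: In the first hunk (@@ -14,9 +14,12 @@), `CAP_MAC_ADMIN 10` and `CAP_MAC_OVERRIDE 10` are appended after `CAP_SYS_RAWIO 10` with no comment explaining why they sit in the top severity group. A one-line comment saying that these capabilities change or bypass mandatory access control policy would let later readers of severity.db check the ranking without going back to this thread. The `CAP_CHOWN 9` remove/re-add pair is a whitespace-only change; it would be easier to audit as a separate cleanup patch so that the functional diff here is only the three new entries.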
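Review bot: In the second hunk (@@ -38,9 +41,11 @@), `CAP_SYSLOG 8` and `CAP_WAKE_ALARM 8` are added without any in-file description, and the commit message itself says both are missing from capabilities(7) and hedges on what CAP_WAKE_ALARM does. Please add a short comment above each stating the behaviour the rating is based on (dmesg buffer access; alarms that wake a suspended system). Since CAP_SYSLOG is described as split out of CAP_SYSADMIN, it is also worth checking its level against that capability's entry, which is outside this hunk. `CAP_DAC_READ_SEARCH 7` now lands directly above `# unused` as the only level-7 line in view, so a comment or blank line separating it from the level-8 group would make the ordering intent clear.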
