[apparmor] [patch] klog-needs-CAP_SYSLOG
John Johansen
john.johansen at canonical.com
Thu Aug 18 21:38:51 UTC 2011
On 08/16/2011 04:57 PM, Kees Cook wrote:
> Hi,
>
> On Tue, Aug 09, 2011 at 12:13:56AM +0200, Christian Boltz wrote:
>> Please ask Jeff if you want to know what it does ;-)
>>
>> --- a/parser/parser_misc.c
>> +++ b/parser/parser_misc.c
>> @@ -129,6 +129,9 @@ static int get_table_token(const char *n
>> static struct keyword_table capability_table[] = {
>> /* capabilities */
>> #include "cap_names.h"
>> +#ifndef CAP_SYSLOG
>> + {"syslog", 34},
>> +#endif
>> /* terminate */
>> {NULL, 0}
>> };
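Review bot: the fallback row `{"syslog", 34},` hard-codes the capability number, with no comment on where 34 comes from or why the `#ifndef CAP_SYSLOG` guard exists. Consider defining `CAP_SYSLOG` as 34 inside the guard and using the symbol in the table row, with a one-line comment that this covers builds against kernel headers that predate the capability.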
>
> This shouldn't be needed since cap_names.h is auto-generated. If it's
> missing that means the kernel includes aren't up to date.
>
>> @@ -866,6 +869,7 @@ static const char *capnames[] = {
>> "audit_control",
>> "setfcap",
>> "mac_override"
>> + "syslog",
>> };
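Review bot: the context line `"mac_override"` directly above the added `"syslog",` has no trailing comma, so C concatenates the two adjacent string literals into one element, "mac_overridesyslog", and the array gains no new entry. Change that line to `"mac_override",` in this hunk. If capnames is indexed by capability number, also check that the position of "syslog" agrees with the value 34 used in the keyword table hunk.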
>
> This is good, though we might want to make it more dynamic
> or at least less fragile.
>
So for now I think we take this as is for 2.7, as we are already in beta freeze,
and then get the update to make this dynamic in 3.0.
>> const char *capability_to_name(unsigned int cap)
>> --- a/profiles/apparmor.d/sbin.klogd
>> +++ b/profiles/apparmor.d/sbin.klogd
>> @@ -15,6 +15,7 @@
>> #include <abstractions/base>
>>
>> capability sys_admin,
>> + capability syslog,
>>
>> network inet stream,
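Review bot: `capability syslog,` only parses with a parser that knows the keyword, so this profile change depends on the parser_misc.c hunks and should ship together with them. The existing `capability sys_admin,` line is kept next to it; a comment in the profile saying whether it stays for kernels that predate CAP_SYSLOG or for another reason would help whoever later tightens the profile.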
>
> Yes, we'll need this for the other loggers too.
>
Acked-by: John Johansen <john.johansen at canonical.com>