apparmor/parser/capability.h

/*
 *   Copyright (c) 2020
 *   Canonical Ltd. (All rights reserved)
 *
 *   This program is free software; you can redistribute it and/or
 *   modify it under the terms of version 2 of the GNU General Public
 *   License published by the Free Software Foundation.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, contact Novell, Inc. or Canonical
 *   Ltd.
 */

#ifndef __AA_CAPABILITY_H
#define __AA_CAPABILITY_H

#define NO_BACKMAP_CAP 0xff

#ifndef CAP_PERFMON
#define CAP_PERFMON 38
#endif

#ifndef CAP_BPF
#define CAP_BPF 39
#endif

#ifndef CAP_CHECKPOINT_RESTORE
#define CAP_CHECKPOINT_RESTORE 40
#endif

typedef enum capability_flags {
	CAPFLAGS_CLEAR = 0,
	CAPFLAG_BASE_FEATURE = 1,
	CAPFLAG_KERNEL_FEATURE = 2,
	CAPFLAG_POLICY_FEATURE = 4,
	CAPFLAG_EXTERNAL_FEATURE = 8,
} capability_flags;

int name_to_capability(const char *keyword);
void capabilities_init(void);
void __debug_capabilities(uint64_t capset, const char *name);
bool add_cap_feature_mask(struct aa_features *features, capability_flags flags);
void clear_cap_flag(capability_flags flags);
int capability_backmap(unsigned int cap);
bool capability_in_kernel(unsigned int cap);

#endif /* __AA_CAPABILITY_H */
parser: Use the kernel and policy abis to detect new capabilities The kernel and policy abis can be used to detect and support new capabilities without having to update base_cap_names.h and and rebuilding the compiler. This is not perfect however in that the does not provide any backwards compatibility mappings, so we still need to keep the internal capability table. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-07-03 02:19:41 -07:00			`/*`
			`* Copyright (c) 2020`
			`* Canonical Ltd. (All rights reserved)`
			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of version 2 of the GNU General Public`
			`* License published by the Free Software Foundation.`
			`*`
			`* This program is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with this program; if not, contact Novell, Inc. or Canonical`
			`* Ltd.`
			`*/`

			`#ifndef __AA_CAPABILITY_H`
			`#define __AA_CAPABILITY_H`

			`#define NO_BACKMAP_CAP 0xff`

			`#ifndef CAP_PERFMON`
			`#define CAP_PERFMON 38`
			`#endif`

			`#ifndef CAP_BPF`
			`#define CAP_BPF 39`
			`#endif`

parser: Add support for CAP_CHECKPOINT_RESTORE Linux 5.9 added CAP_CHECKPOINT_RESTORE add it to the set of supported capabilities. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/654 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com> 2020-10-13 19:19:10 -07:00			`#ifndef CAP_CHECKPOINT_RESTORE`
			`#define CAP_CHECKPOINT_RESTORE 40`
			`#endif`

parser: Use the kernel and policy abis to detect new capabilities The kernel and policy abis can be used to detect and support new capabilities without having to update base_cap_names.h and and rebuilding the compiler. This is not perfect however in that the does not provide any backwards compatibility mappings, so we still need to keep the internal capability table. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-07-03 02:19:41 -07:00			`typedef enum capability_flags {`
			`CAPFLAGS_CLEAR = 0,`
			`CAPFLAG_BASE_FEATURE = 1,`
			`CAPFLAG_KERNEL_FEATURE = 2,`
			`CAPFLAG_POLICY_FEATURE = 4,`
			`CAPFLAG_EXTERNAL_FEATURE = 8,`
			`} capability_flags;`

			`int name_to_capability(const char *keyword);`
			`void capabilities_init(void);`
			`void __debug_capabilities(uint64_t capset, const char *name);`
			`bool add_cap_feature_mask(struct aa_features *features, capability_flags flags);`
			`void clear_cap_flag(capability_flags flags);`
parser: allow backwards mapping of a capability If a capability is known in policy but not by the kernel, check to see if it has a backwards mapping to a different capability and use that instead. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-07-07 07:31:06 -07:00			`int capability_backmap(unsigned int cap);`
			`bool capability_in_kernel(unsigned int cap);`
parser: Use the kernel and policy abis to detect new capabilities The kernel and policy abis can be used to detect and support new capabilities without having to update base_cap_names.h and and rebuilding the compiler. This is not perfect however in that the does not provide any backwards compatibility mappings, so we still need to keep the internal capability table. Signed-off-by: John Johansen <john.johansen@canonical.com> 2020-07-03 02:19:41 -07:00
			`#endif /* __AA_CAPABILITY_H */`