#
#=DESCRIPTION validate some uses of capabilities.
#=EXRESULT FAIL
# vim:syntax=subdomain
# Last Modified: Sun Apr 17 19:44:44 2005
#
# Profile for the placeholder path /does/not/exist: one `set capability` rule
# per capability name, 31 rules in total, each terminated by a comma.
# The file header marks the expected result as FAIL (#=EXRESULT FAIL).
# NOTE(review): presumably the parser is expected to reject `set capability`
# itself rather than any single name below; confirm against the parser.
# NOTE(review): the list includes sys_admin, sys_module, sys_rawio and
# dac_override; read it as parser coverage, not as a policy template.
/does/not/exist {
set capability chown,
set capability dac_override,
set capability dac_read_search,
set capability fowner,
set capability fsetid,
set capability kill,
set capability setgid,
set capability setuid,
set capability setpcap,
set capability linux_immutable,
set capability net_bind_service,
set capability net_broadcast,
set capability net_admin,
set capability net_raw,
set capability ipc_lock,
set capability ipc_owner,
set capability sys_module,
set capability sys_rawio,
set capability sys_chroot,
set capability sys_ptrace,
set capability sys_pacct,
set capability sys_admin,
set capability sys_boot,
set capability sys_nice,
set capability sys_resource,
set capability sys_time,
set capability sys_tty_config,
set capability mknod,
set capability lease,
set capability audit_write,
set capability audit_control,
}
# Profile for the placeholder path /does/not/exist2 holding 31 nested
# `^name { ... }` blocks (hats), one per capability name.
# Each hat is named after the capability and contains exactly one
# `set capability <name>,` rule, so the same rule form used at profile level
# in this file is also exercised inside a hat.
# The parent profile has no rules of its own outside the hats.
/does/not/exist2 {
^chown {
set capability chown,
}
^dac_override {
set capability dac_override,
}
^dac_read_search {
set capability dac_read_search,
}
^fowner {
set capability fowner,
}
^fsetid {
set capability fsetid,
}
^kill {
set capability kill,
}
^setgid {
set capability setgid,
}
^setuid {
set capability setuid,
}
^setpcap {
set capability setpcap,
}
^linux_immutable {
set capability linux_immutable,
}
^net_bind_service {
set capability net_bind_service,
}
^net_broadcast {
set capability net_broadcast,
}
^net_admin {
set capability net_admin,
}
^net_raw {
set capability net_raw,
}
^ipc_lock {
set capability ipc_lock,
}
^ipc_owner {
set capability ipc_owner,
}
^sys_module {
set capability sys_module,
}
^sys_rawio {
set capability sys_rawio,
}
^sys_chroot {
set capability sys_chroot,
}
^sys_ptrace {
set capability sys_ptrace,
}
^sys_pacct {
set capability sys_pacct,
}
^sys_admin {
set capability sys_admin,
}
^sys_boot {
set capability sys_boot,
}
^sys_nice {
set capability sys_nice,
}
^sys_resource {
set capability sys_resource,
}
^sys_time {
set capability sys_time,
}
^sys_tty_config {
set capability sys_tty_config,
}
^mknod {
set capability mknod,
}
^lease {
set capability lease,
}
^audit_write {
set capability audit_write,
}
^audit_control {
set capability audit_control,
}
}
# Test for duplicates?
# Profile for the placeholder path /does/not/exist3: the same
# `set capability mknod,` rule written twice in one profile.
# NOTE(review): the file has a single #=EXRESULT for all profiles, so it does
# not show on its own how the parser treats the duplicate; confirm separately.
/does/not/exist3 {
set capability mknod,
set capability mknod,
}
# Profile with a single `set capability` rule that lists all 31 capability
# names in one space-separated list, ended by one comma.
# NOTE(review): the path is spelled "exit101" where the earlier profiles use
# "exist"; it is only a placeholder name, left as written.
/does/not/exit101 {
set capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
}
# Profile that repeats the full 31-name `set capability` list rule twice,
# combining the multi-name form with the duplicate-rule case.
# NOTE(review): as with "exit101", the path spelling differs from the
# "exist" profiles above; it is a placeholder name, left as written.
/does/not/exit102 {
set capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
set capability chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control,
}