From 5f849b400016f736268104f1186dda233e07290e Mon Sep 17 00:00:00 2001
From: desbma
Date: Mon, 15 Jul 2024 21:59:21 +0200
Subject: [PATCH] doc: add comments

---
 src/systemd/options.rs | 42 +++++++++++++++++++++++++++++++++++++++++-
 tests/cl.rs | 2 ++
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/systemd/options.rs b/src/systemd/options.rs
index 32e416b..8165bef 100644
--- a/src/systemd/options.rs
+++ b/src/systemd/options.rs
@@ -1291,14 +1291,49 @@ pub fn build_options(
 
 // https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#CapabilityBoundingSet=
 let cap_effects = [
+ // TODO CAP_AUDIT_CONTROL
+ // TODO CAP_AUDIT_READ
+ // TODO CAP_AUDIT_WRITE
+ // TODO CAP_BLOCK_SUSPEND
+ // TODO CAP_BPF
+ // TODO CAP_CHECKPOINT_RESTORE
 (
 "CAP_CHOWN",
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("chown")),
 ),
+ // TODO CAP_DAC_OVER
+ // TODO CAP_DAC_OVERRIDE
+ // TODO CAP_DAC_READ_SEARCH
+ // TODO CAP_FOWNER
+ // TODO CAP_FSETID
+ // TODO CAP_INIT_EFF_SET
+ // TODO CAP_IPC_LOCK
+ // TODO CAP_IPC_OWNER
+ // TODO CAP_KILL
+ // TODO CAP_LAST_CAP
+ // TODO CAP_LEASE
+ // TODO CAP_LINUX_IMMUTABLE
+ // TODO CAP_MAC_ADMIN
+ // TODO CAP_MAC_OVERRIDE
+ // TODO CAP_MKNOD
+ // TODO CAP_NET_ADMIN
+ // CAP_NET_BIND_SERVICE would be too complex/unreliable to handle:
+ // - for IPv4 sockets, either PROT_SOCK or net.ipv4.ip_unprivileged_port_start sysctl control the provileged port threshold
+ // - for other socket families, rules are different
+ // TODO CAP_NET_BROADCAST
+ // TODO CAP_NET_RAW
+ // TODO CAP_PERFMON
+ // TODO CAP_SETFCAP
+ // TODO CAP_SETGID
+ // TODO CAP_SETPCAP
+ // TODO CAP_SETUID
+ // TODO CAP_SYS_ADMIN
 (
 "CAP_SYS_BOOT",
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("reboot")),
 ),
+ // TODO CAP_SYS_CHROOT
+ // TODO CAP_SYSLOG
 (
 "CAP_SYS_MODULE",
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("module")),
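Review bot: Three of the new TODO entries in this hunk do not name capabilities a unit can actually be granted through CapabilityBoundingSet=: `// TODO CAP_DAC_OVER` looks like a truncated duplicate of the `CAP_DAC_OVERRIDE` line directly below it, and `CAP_INIT_EFF_SET` and `CAP_LAST_CAP` appear to have been copied from the kernel capability header, where they are an initial-set mask and the index of the highest capability rather than capability bits, so they can never receive a syscall mapping and should be dropped from the list. The rationale comment for CAP_NET_BIND_SERVICE is the most useful part of the change, since it records why a capability-to-syscall-class denial is deliberately not offered; it has a typo, `provileged` → `privileged`. The remaining TODO entries in the second hunk of this file look consistent with the capability list. The `cap_effects` array and `build_options` continue past the end of this hunk.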
@@ -1311,7 +1346,12 @@ pub fn build_options(
 "CAP_SYS_PACCT",
 OptionValueEffect::DenySyscalls(DenySyscalls::Single("acct")),
 ),
- // TODO more complex capabilities
+ // TODO CAP_SYS_PTRACE
+ // TODO CAP_SYS_RAWIO
+ // TODO CAP_SYS_RESOURCE
+ // TODO CAP_SYS_TIME
+ // TODO CAP_SYS_TTY_CONFIG
+ // TODO CAP_WAKE_ALARM
 ];
 options.push(OptionDescription {
 name: "CapabilityBoundingSet",
diff --git a/tests/cl.rs b/tests/cl.rs
index e82aea4..28ba78c 100644
--- a/tests/cl.rs
+++ b/tests/cl.rs
@@ -14,6 +14,8 @@ use predicates::prelude::*;
 // tests.
 //
 
+// TODO test CapabilityBoundingSet
+
 #[test]
 fn run_true() {
 Command::cargo_bin(env!("CARGO_PKG_NAME"))