Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / kernel / msm / b68e418c445e8a468634d0a7ca2fb63bbaa74028^! / . / security / selinux / include
commitb68e418c445e8a468634d0a7ca2fb63bbaa74028[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Thu Feb 07 11:21:04 2008 -0500
committerJames Morris <jmorris@namei.org>Mon Feb 11 20:30:02 2008 +1100
treee49b4a94ef28a9288ed6735a994387205b7cc5bd
parent19af35546de68c872dcb687613e0902a602cb20e [diff]
selinux: support 64-bit capabilities

Fix SELinux to handle 64-bit capabilities correctly, and to catch
future extensions of capabilities beyond 64 bits to ensure that SELinux
is properly updated.

Signed-off-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>

diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 399f868..d569669 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h

@@ -132,6 +132,9 @@
    S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
    S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
    S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
    S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")

diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 84c9abc..75b4131 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h

@@ -533,6 +533,9 @@
 #define CAPABILITY__LEASE                         0x10000000UL
 #define CAPABILITY__AUDIT_WRITE                   0x20000000UL
 #define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
+#define CAPABILITY__SETFCAP                       0x80000000UL
+#define CAPABILITY2__MAC_OVERRIDE                 0x00000001UL
+#define CAPABILITY2__MAC_ADMIN                    0x00000002UL
 #define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
 #define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
 #define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL

diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index b1b0d1d..bd813c3 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h

@@ -71,3 +71,4 @@
     S_(NULL)
     S_(NULL)
     S_("peer")
+    S_("capability2")

diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 09e9dd2..febf886 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h

@@ -51,6 +51,7 @@
 #define SECCLASS_DCCP_SOCKET                             60
 #define SECCLASS_MEMPROTECT                              61
 #define SECCLASS_PEER                                    68
+#define SECCLASS_CAPABILITY2                             69
 
 /*
  * Security identifier indices for initial entities