summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/selinux/hooks.c21
-rw-r--r--security/selinux/include/av_perm_to_string.h3
-rw-r--r--security/selinux/include/av_permissions.h3
-rw-r--r--security/selinux/include/class_to_string.h1
-rw-r--r--security/selinux/include/flask.h1
5 files changed, 27 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e5ed075..44f16d9 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
SECCLASS_PROCESS, perms, NULL);
}
+#if CAP_LAST_CAP > 63
+#error Fix SELinux to handle capabilities > 63.
+#endif
+
/* Check whether a task is allowed to use a capability. */
static int task_has_capability(struct task_struct *tsk,
int cap)
{
struct task_security_struct *tsec;
struct avc_audit_data ad;
+ u16 sclass;
+ u32 av = CAP_TO_MASK(cap);
tsec = tsk->security;
@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
ad.tsk = tsk;
ad.u.cap = cap;
- return avc_has_perm(tsec->sid, tsec->sid,
- SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
+ switch (CAP_TO_INDEX(cap)) {
+ case 0:
+ sclass = SECCLASS_CAPABILITY;
+ break;
+ case 1:
+ sclass = SECCLASS_CAPABILITY2;
+ break;
+ default:
+ printk(KERN_ERR
+ "SELinux: out of range capability %d\n", cap);
+ BUG();
+ }
+ return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}
/* Check whether a task is allowed to use a system operation. */
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 399f868..d569669 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -132,6 +132,9 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
+ S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
+ S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 84c9abc..75b4131 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -533,6 +533,9 @@
#define CAPABILITY__LEASE 0x10000000UL
#define CAPABILITY__AUDIT_WRITE 0x20000000UL
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
+#define CAPABILITY__SETFCAP 0x80000000UL
+#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
+#define CAPABILITY2__MAC_ADMIN 0x00000002UL
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index b1b0d1d..bd813c3 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -71,3 +71,4 @@
S_(NULL)
S_(NULL)
S_("peer")
+ S_("capability2")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 09e9dd23..febf886 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -51,6 +51,7 @@
#define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT 61
#define SECCLASS_PEER 68
+#define SECCLASS_CAPABILITY2 69
/*
* Security identifier indices for initial entities
OpenPOWER on IntegriCloud