selinux: support 64-bit capabilities

author Stephen Smalley <sds@tycho.nsa.gov>

Thu, 7 Feb 2008 16:21:04 +0000 (11:21 -0500)

committer James Morris <jmorris@namei.org>

Mon, 11 Feb 2008 09:30:02 +0000 (20:30 +1100)
author Stephen Smalley <sds@tycho.nsa.gov>
Thu, 7 Feb 2008 16:21:04 +0000 (11:21 -0500)
committer James Morris <jmorris@namei.org>
Mon, 11 Feb 2008 09:30:02 +0000 (20:30 +1100)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c

index e5ed07510309edb0da10a151095cd3529bf41442..44f16d9041e3896b2444f2fc77f14c5d3181cde1 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
                             SECCLASS_PROCESS, perms, NULL);
  }
  
+#if CAP_LAST_CAP > 63
+#error Fix SELinux to handle capabilities > 63.
+#endif
+
  /* Check whether a task is allowed to use a capability. */
  static int task_has_capability(struct task_struct *tsk,
                                int cap)
  {
         struct task_security_struct *tsec;
         struct avc_audit_data ad;
+       u16 sclass;
+       u32 av = CAP_TO_MASK(cap);
  
         tsec = tsk->security;
  
@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
         ad.tsk = tsk;
         ad.u.cap = cap;
  
-       return avc_has_perm(tsec->sid, tsec->sid,
-                           SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
+       switch (CAP_TO_INDEX(cap)) {
+       case 0:
+               sclass = SECCLASS_CAPABILITY;
+               break;
+       case 1:
+               sclass = SECCLASS_CAPABILITY2;
+               break;
+       default:
+               printk(KERN_ERR
+                      "SELinux:  out of range capability %d\n", cap);
+               BUG();
+       }
+       return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
  }
  
  /* Check whether a task is allowed to use a system operation. */
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h

index 399f868c5c8fb945f430e1f3206c73036bb38045..d5696690d3a2c583bdb1762d7a75468968d67a84 100644 (file)
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -132,6 +132,9 @@
     S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
     S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
     S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
+   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
     S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
     S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
     S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h

index 84c9abc809787026b077d2f0a808ee9f1efe71ca..75b41311ab86bd94391a21daa7e03795a3192877 100644 (file)
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -533,6 +533,9 @@
  #define CAPABILITY__LEASE                         0x10000000UL
  #define CAPABILITY__AUDIT_WRITE                   0x20000000UL
  #define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
+#define CAPABILITY__SETFCAP                       0x80000000UL
+#define CAPABILITY2__MAC_OVERRIDE                 0x00000001UL
+#define CAPABILITY2__MAC_ADMIN                    0x00000002UL
  #define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
  #define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
  #define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h

index b1b0d1d8f9503d11004ab32581a8d17e647ea16a..bd813c366e34d3e00025136fb131967ea3d033ca 100644 (file)
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -71,3 +71,4 @@
      S_(NULL)
      S_(NULL)
      S_("peer")
+    S_("capability2")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h

index 09e9dd23ee1a5f54345122b1f286852772e25227..febf8868e8524226c637565802b6efbb411f88be 100644 (file)
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -51,6 +51,7 @@
  #define SECCLASS_DCCP_SOCKET                             60
  #define SECCLASS_MEMPROTECT                              61
  #define SECCLASS_PEER                                    68
+#define SECCLASS_CAPABILITY2                             69
  
  /*
   * Security identifier indices for initial entities
author	Stephen Smalley <sds@tycho.nsa.gov>
	Thu, 7 Feb 2008 16:21:04 +0000 (11:21 -0500)
committer	James Morris <jmorris@namei.org>
	Mon, 11 Feb 2008 09:30:02 +0000 (20:30 +1100)
security/selinux/hooks.c		patch \| blob \| history
security/selinux/include/av_perm_to_string.h		patch \| blob \| history
security/selinux/include/av_permissions.h		patch \| blob \| history
security/selinux/include/class_to_string.h		patch \| blob \| history
security/selinux/include/flask.h		patch \| blob \| history