Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel…
…/git/jmorris/selinux-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6:
  selinux: support 64-bit capabilities
Linus Torvalds committed Feb 11, 2008
2 parents 1f07e98 + b68e418 commit 0faa908
Showing 5 changed files with 27 additions and 2 deletions.
21 changes: 19 additions & 2 deletions security/selinux/hooks.c
Expand Up @@ -1272,21 +1272,38 @@ static int task_has_perm(struct task_struct *tsk1,
SECCLASS_PROCESS, perms, NULL);
}

#if CAP_LAST_CAP > 63
#error Fix SELinux to handle capabilities > 63.
#endif

/* Check whether a task is allowed to use a capability. */
static int task_has_capability(struct task_struct *tsk,
int cap)
{
struct task_security_struct *tsec;
struct avc_audit_data ad;
u16 sclass;
u32 av = CAP_TO_MASK(cap);

tsec = tsk->security;

AVC_AUDIT_DATA_INIT(&ad,CAP);
ad.tsk = tsk;
ad.u.cap = cap;

return avc_has_perm(tsec->sid, tsec->sid,
SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
switch (CAP_TO_INDEX(cap)) {
case 0:
sclass = SECCLASS_CAPABILITY;
break;
case 1:
sclass = SECCLASS_CAPABILITY2;
break;
default:
printk(KERN_ERR
"SELinux: out of range capability %d\n", cap);
BUG();
}
return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}

/* Check whether a task is allowed to use a system operation. */
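Review bot: The `default:` arm of the new switch in task_has_capability ends at `BUG();` with nothing after it, so on a configuration where BUG() is not a noreturn (CONFIG_BUG=n expands it to nothing on some architectures) control falls through to `avc_has_perm()` with `sclass` uninitialized; adding `return -EINVAL;` directly after `BUG();` closes that path at no cost. Whether BUG() is annotated noreturn here depends on the architecture headers, which are not in this hunk, so treat the fall-through as a possibility rather than a confirmed path. The `#if CAP_LAST_CAP > 63` guard keeps the two-way split exhaustive at build time, so the default arm should only be reachable if a caller passes a bogus `cap`; a one-line comment on the switch, `/* caps 0-31 -> class capability, 32-63 -> capability2; the #error above keeps this exhaustive */`, would tie the guard and the switch together for the next reader. Nothing in this hunk shows `cap` coming from user input (callers elsewhere appear to pass compile-time constants), so the BUG() does not look reachable as a DoS, but an explicit return after it is still preferable to relying on that.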
3 changes: 3 additions & 0 deletions security/selinux/include/av_perm_to_string.h
Expand Up @@ -132,6 +132,9 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
3 changes: 3 additions & 0 deletions security/selinux/include/av_permissions.h
Expand Up @@ -533,6 +533,9 @@
#define CAPABILITY__LEASE 0x10000000UL
#define CAPABILITY__AUDIT_WRITE 0x20000000UL
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
#define CAPABILITY__SETFCAP 0x80000000UL
#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
#define CAPABILITY2__MAC_ADMIN 0x00000002UL
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
1 change: 1 addition & 0 deletions security/selinux/include/class_to_string.h
Expand Up @@ -71,3 +71,4 @@
S_(NULL)
S_(NULL)
S_("peer")
S_("capability2")
1 change: 1 addition & 0 deletions security/selinux/include/flask.h
Expand Up @@ -51,6 +51,7 @@
#define SECCLASS_DCCP_SOCKET 60
#define SECCLASS_MEMPROTECT 61
#define SECCLASS_PEER 68
#define SECCLASS_CAPABILITY2 69

/*
* Security identifier indices for initial entities