Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits) MAINTAINERS: Add tomoyo-dev-en ML. SELinux: define permissions for DCB netlink messages encrypted-keys: style and other cleanup encrypted-keys: verify datablob size before converting to binary trusted-keys: kzalloc and other cleanup trusted-keys: additional TSS return code and other error handling syslog: check cap_syslog when dmesg_restrict Smack: Transmute labels on specified directories selinux: cache sidtab_context_to_sid results SELinux: do not compute transition labels on mountpoint labeled filesystems This patch adds a new security attribute to Smack called SMACK64EXEC. It defines label that is used while task is running. SELinux: merge policydb_index_classes and policydb_index_others selinux: convert part of the sym_val_to_name array to use flex_array selinux: convert type_val_to_struct to flex_array flex_array: fix flex_array_put_ptr macro to be valid C SELinux: do not set automatic i_ino in selinuxfs selinux: rework security_netlbl_secattr_to_sid SELinux: standardize return code handling in selinuxfs.c SELinux: standardize return code handling in selinuxfs.c SELinux: standardize return code handling in policydb.c ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2011-01-10 14:18:59 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2011-01-10 14:18:59 -0500
commit: e0e736fc0d33861335e2a132e4f688f7fd380c61 (patch)
tree: d9febe9ca1ef1e24efc5e6e1e34e412316d246bd /include
parent: a08948812b30653eb2c536ae613b635a989feb6f (diff)
parent: aeda4ac3efc29e4d55989abd0a73530453aa69ba (diff)
9 files changed, 106 insertions, 5 deletions
diff --git a/include/keys/encrypted-type.h b/include/keys/encrypted-type.h
new file mode 100644
index 000000000000..95855017a32b
--- /dev/null
+++ b/include/keys/encrypted-type.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2010 IBM Corporation
+ * Author: Mimi Zohar <zohar@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+#ifndef _KEYS_ENCRYPTED_TYPE_H
+#define _KEYS_ENCRYPTED_TYPE_H
+#include <linux/key.h>
+#include <linux/rcupdate.h>
+struct encrypted_key_payload {
+        struct rcu_head rcu;
+        char *master_desc;      /* datablob: master key name */
+        char *datalen;          /* datablob: decrypted key length */
+        u8 *iv;                 /* datablob: iv */
+        u8 *encrypted_data;     /* datablob: encrypted data */
+        unsigned short datablob_len;    /* length of datablob */
+        unsigned short decrypted_datalen;       /* decrypted data length */
+        u8 decrypted_data[0];   /* decrypted data +  datablob + hmac */
+};
+extern struct key_type key_type_encrypted;
+#endif /* _KEYS_ENCRYPTED_TYPE_H */
diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h
new file mode 100644
index 000000000000..56f82e5c9975
--- /dev/null
+++ b/include/keys/trusted-type.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2010 IBM Corporation
+ * Author: David Safford <safford@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, version 2 of the License.
+ */
+#ifndef _KEYS_TRUSTED_TYPE_H
+#define _KEYS_TRUSTED_TYPE_H
+#include <linux/key.h>
+#include <linux/rcupdate.h>
+#define MIN_KEY_SIZE                    32
+#define MAX_KEY_SIZE                    128
+#define MAX_BLOB_SIZE                   320
+struct trusted_key_payload {
+        struct rcu_head rcu;
+        unsigned int key_len;
+        unsigned int blob_len;
+        unsigned char migratable;
+        unsigned char key[MAX_KEY_SIZE + 1];
+        unsigned char blob[MAX_BLOB_SIZE];
+};
+extern struct key_type key_type_trusted;
+#endif /* _KEYS_TRUSTED_TYPE_H */
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 90012b9ddbf3..fb16a3699b99 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -246,7 +246,6 @@ struct cpu_vfs_cap_data {
 /* Allow configuration of the secure attention key */
 /* Allow administration of the random device */
 /* Allow examination and configuration of disk quotas */
-/* Allow configuring the kernel's syslog (printk behaviour) */
 /* Allow setting the domainname */
 /* Allow setting the hostname */
 /* Allow calling bdflush() */
@@ -352,7 +351,11 @@ struct cpu_vfs_cap_data {
 #define CAP_MAC_ADMIN        33
-#define CAP_LAST_CAP         CAP_MAC_ADMIN
+/* Allow configuring the kernel's syslog (printk behaviour) */
+#define CAP_SYSLOG           34
+#define CAP_LAST_CAP         CAP_SYSLOG
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h
index 631b77f2ac70..70e4efabe0fb 100644
--- a/include/linux/flex_array.h
+++ b/include/linux/flex_array.h
@@ -71,7 +71,7 @@ void *flex_array_get(struct flex_array *fa, unsigned int element_nr);
 int flex_array_shrink(struct flex_array *fa);
 #define flex_array_put_ptr(fa, nr, src, gfp) \
-        flex_array_put(fa, nr, &(void *)(src), gfp)
+        flex_array_put(fa, nr, (void *)&(src), gfp)
 void *flex_array_get_ptr(struct flex_array *fa, unsigned int element_nr);
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index b6de9a6f7018..d0fbc043de60 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -56,6 +56,8 @@
 #define FIELD_SIZEOF(t, f) (sizeof(((t*)0)->f))
 #define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
+/* The `const' in roundup() prevents gcc-3.3 from calling __divdi3 */
 #define roundup(x, y) (                                 \
 {                                                       \
        const typeof(y) __y = y;                        \
@@ -263,6 +265,7 @@ static inline char *pack_hex_byte(char *buf, u8 byte)
 }
 extern int hex_to_bin(char ch);
+extern void hex2bin(u8 *dst, const char *src, size_t count);
 /*
 * General tracing related utility functions - trace_printk(),
diff --git a/include/linux/security.h b/include/linux/security.h
index 1ac42475ea08..c642bb8b8f5a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1058,8 +1058,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @cred points to the credentials to provide the context against which to
 *      evaluate the security data on the key.
 *      @perm describes the combination of permissions required of this key.
- *      Return 1 if permission granted, 0 if permission denied and -ve it the
+ *      Return 0 if permission is granted, -ve error otherwise.
- *      normal permissions model should be effected.
 * @key_getsecurity:
 *      Get a textual representation of the security context attached to a key
 *      for the purposes of honouring KEYCTL_GETSECURITY.  This function
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index ac5d1c1285d9..fdc718abf83b 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -31,6 +31,7 @@
 extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
 extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
+extern int tpm_send(u32 chip_num, void *cmd, size_t buflen);
 #else
 static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
        return -ENODEV;
@@ -38,5 +39,8 @@ static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
 static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
        return -ENODEV;
 }
+static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) {
+        return -ENODEV;
+}
 #endif
 #endif
diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h
new file mode 100644
index 000000000000..727512e249b5
--- /dev/null
+++ b/include/linux/tpm_command.h
@@ -0,0 +1,28 @@
+#ifndef __LINUX_TPM_COMMAND_H__
+#define __LINUX_TPM_COMMAND_H__
+/*
+ * TPM Command constants from specifications at
+ * http://www.trustedcomputinggroup.org
+ */
+/* Command TAGS */
+#define TPM_TAG_RQU_COMMAND             193
+#define TPM_TAG_RQU_AUTH1_COMMAND       194
+#define TPM_TAG_RQU_AUTH2_COMMAND       195
+#define TPM_TAG_RSP_COMMAND             196
+#define TPM_TAG_RSP_AUTH1_COMMAND       197
+#define TPM_TAG_RSP_AUTH2_COMMAND       198
+/* Command Ordinals */
+#define TPM_ORD_GETRANDOM               70
+#define TPM_ORD_OSAP                    11
+#define TPM_ORD_OIAP                    10
+#define TPM_ORD_SEAL                    23
+#define TPM_ORD_UNSEAL                  24
+/* Other constants */
+#define SRKHANDLE                       0x40000000
+#define TPM_NONCE_SIZE                  20
+#endif
diff --git a/include/linux/xattr.h b/include/linux/xattr.h
index f1e5bde4b35a..e6131ef98d8f 100644
--- a/include/linux/xattr.h
+++ b/include/linux/xattr.h
@@ -40,9 +40,13 @@
 #define XATTR_SMACK_SUFFIX "SMACK64"
 #define XATTR_SMACK_IPIN "SMACK64IPIN"
 #define XATTR_SMACK_IPOUT "SMACK64IPOUT"
+#define XATTR_SMACK_EXEC "SMACK64EXEC"
+#define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE"
 #define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX
 #define XATTR_NAME_SMACKIPIN    XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
 #define XATTR_NAME_SMACKIPOUT   XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
+#define XATTR_NAME_SMACKEXEC    XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC
+#define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
 #define XATTR_CAPS_SUFFIX "capability"
 #define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX
author	Linus Torvalds <torvalds@linux-foundation.org>	2011-01-10 14:18:59 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2011-01-10 14:18:59 -0500
commit	e0e736fc0d33861335e2a132e4f688f7fd380c61 (patch)
tree	d9febe9ca1ef1e24efc5e6e1e34e412316d246bd /include
parent	a08948812b30653eb2c536ae613b635a989feb6f (diff)
parent	aeda4ac3efc29e4d55989abd0a73530453aa69ba (diff)

diff --git a/include/keys/encrypted-type.h b/include/keys/encrypted-type.h new file mode 100644 index 000000000000..95855017a32b --- /dev/null +++ b/include/keys/encrypted-type.h
@@ -0,0 +1,29 @@
		1	/*
		2	* Copyright (C) 2010 IBM Corporation
		3	* Author: Mimi Zohar <zohar@us.ibm.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License as published by
		7	* the Free Software Foundation, version 2 of the License.
		8	*/
		9
		10	#ifndef _KEYS_ENCRYPTED_TYPE_H
		11	#define _KEYS_ENCRYPTED_TYPE_H
		12
		13	#include <linux/key.h>
		14	#include <linux/rcupdate.h>
		15
		16	struct encrypted_key_payload {
		17	struct rcu_head rcu;
		18	char master_desc; / datablob: master key name */
		19	char datalen; / datablob: decrypted key length */
		20	u8 iv; / datablob: iv */
		21	u8 encrypted_data; / datablob: encrypted data */
		22	unsigned short datablob_len; /* length of datablob */
		23	unsigned short decrypted_datalen; /* decrypted data length */
		24	u8 decrypted_data[0]; /* decrypted data + datablob + hmac */
		25	};
		26
		27	extern struct key_type key_type_encrypted;
		28
		29	#endif /* _KEYS_ENCRYPTED_TYPE_H */


diff --git a/include/keys/trusted-type.h b/include/keys/trusted-type.h new file mode 100644 index 000000000000..56f82e5c9975 --- /dev/null +++ b/include/keys/trusted-type.h
@@ -0,0 +1,31 @@
		1	/*
		2	* Copyright (C) 2010 IBM Corporation
		3	* Author: David Safford <safford@us.ibm.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License as published by
		7	* the Free Software Foundation, version 2 of the License.
		8	*/
		9
		10	#ifndef _KEYS_TRUSTED_TYPE_H
		11	#define _KEYS_TRUSTED_TYPE_H
		12
		13	#include <linux/key.h>
		14	#include <linux/rcupdate.h>
		15
		16	#define MIN_KEY_SIZE 32
		17	#define MAX_KEY_SIZE 128
		18	#define MAX_BLOB_SIZE 320
		19
		20	struct trusted_key_payload {
		21	struct rcu_head rcu;
		22	unsigned int key_len;
		23	unsigned int blob_len;
		24	unsigned char migratable;
		25	unsigned char key[MAX_KEY_SIZE + 1];
		26	unsigned char blob[MAX_BLOB_SIZE];
		27	};
		28
		29	extern struct key_type key_type_trusted;
		30
		31	#endif /* _KEYS_TRUSTED_TYPE_H */


diff --git a/include/linux/capability.h b/include/linux/capability.h index 90012b9ddbf3..fb16a3699b99 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h
@@ -246,7 +246,6 @@ struct cpu_vfs_cap_data {
246	/* Allow configuration of the secure attention key */	246	/* Allow configuration of the secure attention key */
247	/* Allow administration of the random device */	247	/* Allow administration of the random device */
248	/* Allow examination and configuration of disk quotas */	248	/* Allow examination and configuration of disk quotas */
249	/* Allow configuring the kernel's syslog (printk behaviour) */
250	/* Allow setting the domainname */	249	/* Allow setting the domainname */
251	/* Allow setting the hostname */	250	/* Allow setting the hostname */
252	/* Allow calling bdflush() */	251	/* Allow calling bdflush() */
@@ -352,7 +351,11 @@ struct cpu_vfs_cap_data {
352		351
353	#define CAP_MAC_ADMIN 33	352	#define CAP_MAC_ADMIN 33
354		353
355	#define CAP_LAST_CAP CAP_MAC_ADMIN	354	/* Allow configuring the kernel's syslog (printk behaviour) */
		355
		356	#define CAP_SYSLOG 34
		357
		358	#define CAP_LAST_CAP CAP_SYSLOG
356		359
357	#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)	360	#define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
358		361


diff --git a/include/linux/flex_array.h b/include/linux/flex_array.h index 631b77f2ac70..70e4efabe0fb 100644 --- a/include/linux/flex_array.h +++ b/include/linux/flex_array.h
@@ -71,7 +71,7 @@ void flex_array_get(struct flex_array fa, unsigned int element_nr);
71	int flex_array_shrink(struct flex_array *fa);	71	int flex_array_shrink(struct flex_array *fa);
72		72
73	#define flex_array_put_ptr(fa, nr, src, gfp) \	73	#define flex_array_put_ptr(fa, nr, src, gfp) \
74	flex_array_put(fa, nr, &(void *)(src), gfp)	74	flex_array_put(fa, nr, (void *)&(src), gfp)
75		75
76	void flex_array_get_ptr(struct flex_array fa, unsigned int element_nr);	76	void flex_array_get_ptr(struct flex_array fa, unsigned int element_nr);
77		77


diff --git a/include/linux/kernel.h b/include/linux/kernel.h index b6de9a6f7018..d0fbc043de60 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h
@@ -56,6 +56,8 @@
56		56
57	#define FIELD_SIZEOF(t, f) (sizeof(((t*)0)->f))	57	#define FIELD_SIZEOF(t, f) (sizeof(((t*)0)->f))
58	#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))	58	#define DIV_ROUND_UP(n,d) (((n) + (d) - 1) / (d))
		59
		60	/* The `const' in roundup() prevents gcc-3.3 from calling __divdi3 */
59	#define roundup(x, y) ( \	61	#define roundup(x, y) ( \
60	{ \	62	{ \
61	const typeof(y) __y = y; \	63	const typeof(y) __y = y; \
@@ -263,6 +265,7 @@ static inline char pack_hex_byte(char buf, u8 byte)
263	}	265	}
264		266
265	extern int hex_to_bin(char ch);	267	extern int hex_to_bin(char ch);
		268	extern void hex2bin(u8 dst, const char src, size_t count);
266		269
267	/*	270	/*
268	* General tracing related utility functions - trace_printk(),	271	* General tracing related utility functions - trace_printk(),


diff --git a/include/linux/security.h b/include/linux/security.h index 1ac42475ea08..c642bb8b8f5a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -1058,8 +1058,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1058	* @cred points to the credentials to provide the context against which to	1058	* @cred points to the credentials to provide the context against which to
1059	* evaluate the security data on the key.	1059	* evaluate the security data on the key.
1060	* @perm describes the combination of permissions required of this key.	1060	* @perm describes the combination of permissions required of this key.
1061	* Return 1 if permission granted, 0 if permission denied and -ve it the	1061	* Return 0 if permission is granted, -ve error otherwise.
1062	* normal permissions model should be effected.
1063	* @key_getsecurity:	1062	* @key_getsecurity:
1064	* Get a textual representation of the security context attached to a key	1063	* Get a textual representation of the security context attached to a key
1065	* for the purposes of honouring KEYCTL_GETSECURITY. This function	1064	* for the purposes of honouring KEYCTL_GETSECURITY. This function


diff --git a/include/linux/tpm.h b/include/linux/tpm.h index ac5d1c1285d9..fdc718abf83b 100644 --- a/include/linux/tpm.h +++ b/include/linux/tpm.h
@@ -31,6 +31,7 @@
31		31
32	extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);	32	extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
33	extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);	33	extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
		34	extern int tpm_send(u32 chip_num, void *cmd, size_t buflen);
34	#else	35	#else
35	static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {	36	static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
36	return -ENODEV;	37	return -ENODEV;
@@ -38,5 +39,8 @@ static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
38	static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {	39	static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
39	return -ENODEV;	40	return -ENODEV;
40	}	41	}
		42	static inline int tpm_send(u32 chip_num, void *cmd, size_t buflen) {
		43	return -ENODEV;
		44	}
41	#endif	45	#endif
42	#endif	46	#endif


diff --git a/include/linux/tpm_command.h b/include/linux/tpm_command.h new file mode 100644 index 000000000000..727512e249b5 --- /dev/null +++ b/include/linux/tpm_command.h
@@ -0,0 +1,28 @@
		1	#ifndef __LINUX_TPM_COMMAND_H__
		2	#define __LINUX_TPM_COMMAND_H__
		3
		4	/*
		5	* TPM Command constants from specifications at
		6	* http://www.trustedcomputinggroup.org
		7	*/
		8
		9	/* Command TAGS */
		10	#define TPM_TAG_RQU_COMMAND 193
		11	#define TPM_TAG_RQU_AUTH1_COMMAND 194
		12	#define TPM_TAG_RQU_AUTH2_COMMAND 195
		13	#define TPM_TAG_RSP_COMMAND 196
		14	#define TPM_TAG_RSP_AUTH1_COMMAND 197
		15	#define TPM_TAG_RSP_AUTH2_COMMAND 198
		16
		17	/* Command Ordinals */
		18	#define TPM_ORD_GETRANDOM 70
		19	#define TPM_ORD_OSAP 11
		20	#define TPM_ORD_OIAP 10
		21	#define TPM_ORD_SEAL 23
		22	#define TPM_ORD_UNSEAL 24
		23
		24	/* Other constants */
		25	#define SRKHANDLE 0x40000000
		26	#define TPM_NONCE_SIZE 20
		27
		28	#endif


diff --git a/include/linux/xattr.h b/include/linux/xattr.h index f1e5bde4b35a..e6131ef98d8f 100644 --- a/include/linux/xattr.h +++ b/include/linux/xattr.h
@@ -40,9 +40,13 @@
40	#define XATTR_SMACK_SUFFIX "SMACK64"	40	#define XATTR_SMACK_SUFFIX "SMACK64"
41	#define XATTR_SMACK_IPIN "SMACK64IPIN"	41	#define XATTR_SMACK_IPIN "SMACK64IPIN"
42	#define XATTR_SMACK_IPOUT "SMACK64IPOUT"	42	#define XATTR_SMACK_IPOUT "SMACK64IPOUT"
		43	#define XATTR_SMACK_EXEC "SMACK64EXEC"
		44	#define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE"
43	#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX	45	#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX
44	#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN	46	#define XATTR_NAME_SMACKIPIN XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN
45	#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT	47	#define XATTR_NAME_SMACKIPOUT XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT
		48	#define XATTR_NAME_SMACKEXEC XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC
		49	#define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE
46		50
47	#define XATTR_CAPS_SUFFIX "capability"	51	#define XATTR_CAPS_SUFFIX "capability"
48	#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX	52	#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX