diff options
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/capability.h | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h index ffe7bab8c3a0..7d50ff6d269f 100644 --- a/include/linux/capability.h +++ b/include/linux/capability.h | |||
| @@ -315,7 +315,24 @@ typedef struct kernel_cap_struct { | |||
| 315 | 315 | ||
| 316 | #define CAP_SETFCAP 31 | 316 | #define CAP_SETFCAP 31 |
| 317 | 317 | ||
| 318 | #define CAP_LAST_CAP CAP_SETFCAP | 318 | /* Override MAC access. |
| 319 | The base kernel enforces no MAC policy. | ||
| 320 | An LSM may enforce a MAC policy, and if it does and it chooses | ||
| 321 | to implement capability based overrides of that policy, this is | ||
| 322 | the capability it should use to do so. */ | ||
| 323 | |||
| 324 | #define CAP_MAC_OVERRIDE 32 | ||
| 325 | |||
| 326 | /* Allow MAC configuration or state changes. | ||
| 327 | The base kernel requires no MAC configuration. | ||
| 328 | An LSM may enforce a MAC policy, and if it does and it chooses | ||
| 329 | to implement capability based checks on modifications to that | ||
| 330 | policy or the data required to maintain it, this is the | ||
| 331 | capability it should use to do so. */ | ||
| 332 | |||
| 333 | #define CAP_MAC_ADMIN 33 | ||
| 334 | |||
| 335 | #define CAP_LAST_CAP CAP_MAC_ADMIN | ||
| 319 | 336 | ||
| 320 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) | 337 | #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) |
| 321 | 338 | ||
| @@ -341,6 +358,8 @@ typedef struct kernel_cap_struct { | |||
| 341 | | CAP_TO_MASK(CAP_FOWNER) \ | 358 | | CAP_TO_MASK(CAP_FOWNER) \ |
| 342 | | CAP_TO_MASK(CAP_FSETID)) | 359 | | CAP_TO_MASK(CAP_FSETID)) |
| 343 | 360 | ||
| 361 | # define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) | ||
| 362 | |||
| 344 | #if _LINUX_CAPABILITY_U32S != 2 | 363 | #if _LINUX_CAPABILITY_U32S != 2 |
| 345 | # error Fix up hand-coded capability macro initializers | 364 | # error Fix up hand-coded capability macro initializers |
| 346 | #else /* HAND-CODED capability initializers */ | 365 | #else /* HAND-CODED capability initializers */ |
| @@ -348,8 +367,9 @@ typedef struct kernel_cap_struct { | |||
| 348 | # define CAP_EMPTY_SET {{ 0, 0 }} | 367 | # define CAP_EMPTY_SET {{ 0, 0 }} |
| 349 | # define CAP_FULL_SET {{ ~0, ~0 }} | 368 | # define CAP_FULL_SET {{ ~0, ~0 }} |
| 350 | # define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }} | 369 | # define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }} |
| 351 | # define CAP_FS_SET {{ CAP_FS_MASK_B0, 0 }} | 370 | # define CAP_FS_SET {{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 } } |
| 352 | # define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), 0 }} | 371 | # define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \ |
| 372 | CAP_FS_MASK_B1 } } | ||
| 353 | 373 | ||
| 354 | #endif /* _LINUX_CAPABILITY_U32S != 2 */ | 374 | #endif /* _LINUX_CAPABILITY_U32S != 2 */ |
| 355 | 375 | ||