diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/hooks.c | 21 | ||||
-rw-r--r-- | security/selinux/include/av_perm_to_string.h | 3 | ||||
-rw-r--r-- | security/selinux/include/av_permissions.h | 3 | ||||
-rw-r--r-- | security/selinux/include/class_to_string.h | 1 | ||||
-rw-r--r-- | security/selinux/include/flask.h | 1 |
5 files changed, 27 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e5ed07510309..44f16d9041e3 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1, | |||
1272 | SECCLASS_PROCESS, perms, NULL); | 1272 | SECCLASS_PROCESS, perms, NULL); |
1273 | } | 1273 | } |
1274 | 1274 | ||
1275 | #if CAP_LAST_CAP > 63 | ||
1276 | #error Fix SELinux to handle capabilities > 63. | ||
1277 | #endif | ||
1278 | |||
1275 | /* Check whether a task is allowed to use a capability. */ | 1279 | /* Check whether a task is allowed to use a capability. */ |
1276 | static int task_has_capability(struct task_struct *tsk, | 1280 | static int task_has_capability(struct task_struct *tsk, |
1277 | int cap) | 1281 | int cap) |
1278 | { | 1282 | { |
1279 | struct task_security_struct *tsec; | 1283 | struct task_security_struct *tsec; |
1280 | struct avc_audit_data ad; | 1284 | struct avc_audit_data ad; |
1285 | u16 sclass; | ||
1286 | u32 av = CAP_TO_MASK(cap); | ||
1281 | 1287 | ||
1282 | tsec = tsk->security; | 1288 | tsec = tsk->security; |
1283 | 1289 | ||
@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk, | |||
1285 | ad.tsk = tsk; | 1291 | ad.tsk = tsk; |
1286 | ad.u.cap = cap; | 1292 | ad.u.cap = cap; |
1287 | 1293 | ||
1288 | return avc_has_perm(tsec->sid, tsec->sid, | 1294 | switch (CAP_TO_INDEX(cap)) { |
1289 | SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad); | 1295 | case 0: |
1296 | sclass = SECCLASS_CAPABILITY; | ||
1297 | break; | ||
1298 | case 1: | ||
1299 | sclass = SECCLASS_CAPABILITY2; | ||
1300 | break; | ||
1301 | default: | ||
1302 | printk(KERN_ERR | ||
1303 | "SELinux: out of range capability %d\n", cap); | ||
1304 | BUG(); | ||
1305 | } | ||
1306 | return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad); | ||
1290 | } | 1307 | } |
1291 | 1308 | ||
1292 | /* Check whether a task is allowed to use a system operation. */ | 1309 | /* Check whether a task is allowed to use a system operation. */ |
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 399f868c5c8f..d5696690d3a2 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h | |||
@@ -132,6 +132,9 @@ | |||
132 | S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") | 132 | S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") |
133 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") | 133 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") |
134 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") | 134 | S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") |
135 | S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap") | ||
136 | S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override") | ||
137 | S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin") | ||
135 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") | 138 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") |
136 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") | 139 | S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") |
137 | S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") | 140 | S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") |
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 84c9abc80978..75b41311ab86 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h | |||
@@ -533,6 +533,9 @@ | |||
533 | #define CAPABILITY__LEASE 0x10000000UL | 533 | #define CAPABILITY__LEASE 0x10000000UL |
534 | #define CAPABILITY__AUDIT_WRITE 0x20000000UL | 534 | #define CAPABILITY__AUDIT_WRITE 0x20000000UL |
535 | #define CAPABILITY__AUDIT_CONTROL 0x40000000UL | 535 | #define CAPABILITY__AUDIT_CONTROL 0x40000000UL |
536 | #define CAPABILITY__SETFCAP 0x80000000UL | ||
537 | #define CAPABILITY2__MAC_OVERRIDE 0x00000001UL | ||
538 | #define CAPABILITY2__MAC_ADMIN 0x00000002UL | ||
536 | #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL | 539 | #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL |
537 | #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL | 540 | #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL |
538 | #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL | 541 | #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL |
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h index b1b0d1d8f950..bd813c366e34 100644 --- a/security/selinux/include/class_to_string.h +++ b/security/selinux/include/class_to_string.h | |||
@@ -71,3 +71,4 @@ | |||
71 | S_(NULL) | 71 | S_(NULL) |
72 | S_(NULL) | 72 | S_(NULL) |
73 | S_("peer") | 73 | S_("peer") |
74 | S_("capability2") | ||
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index 09e9dd23ee1a..febf8868e852 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h | |||
@@ -51,6 +51,7 @@ | |||
51 | #define SECCLASS_DCCP_SOCKET 60 | 51 | #define SECCLASS_DCCP_SOCKET 60 |
52 | #define SECCLASS_MEMPROTECT 61 | 52 | #define SECCLASS_MEMPROTECT 61 |
53 | #define SECCLASS_PEER 68 | 53 | #define SECCLASS_PEER 68 |
54 | #define SECCLASS_CAPABILITY2 69 | ||
54 | 55 | ||
55 | /* | 56 | /* |
56 | * Security identifier indices for initial entities | 57 | * Security identifier indices for initial entities |