SELinux: Add a capabilities bitmap to SELinux policy version 22

config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

config SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

	int "NSA SELinux maximum supported policy format version value"

	int "NSA SELinux maximum supported policy format version value"

	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX

	depends on SECURITY_SELINUX_POLICYDB_VERSION_MAX

	range 15 21

	range 15 22

	default 19

	default 19

	help

	help

	  This option sets the value for the maximum policy format version

	  This option sets the value for the maximum policy format version

#define POLICYDB_VERSION_MLS		19

#define POLICYDB_VERSION_MLS		19

#define POLICYDB_VERSION_AVTAB		20

#define POLICYDB_VERSION_AVTAB		20

#define POLICYDB_VERSION_RANGETRANS	21

#define POLICYDB_VERSION_RANGETRANS	21

#define POLICYDB_VERSION_POLCAP		22

/* Range of policy versions we understand*/

/* Range of policy versions we understand*/

#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE

#define POLICYDB_VERSION_MIN   POLICYDB_VERSION_BASE

#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX

#ifdef CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX

#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

#define POLICYDB_VERSION_MAX	CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX_VALUE

#else

#else

#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_RANGETRANS

#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_POLCAP

#endif

#endif

struct netlbl_lsm_secattr;

struct netlbl_lsm_secattr;

extern int selinux_enabled;

extern int selinux_enabled;

extern int selinux_mls_enabled;

extern int selinux_mls_enabled;

/* Policy capabilities */

enum {

	POLICYDB_CAPABILITY_NETPEER,

	__POLICYDB_CAPABILITY_MAX

};

#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)

extern int selinux_policycap_netpeer;

int security_load_policy(void * data, size_t len);

int security_load_policy(void * data, size_t len);

int security_policycap_supported(unsigned int req_cap);

#define SEL_VEC_MAX 32

#define SEL_VEC_MAX 32

struct av_decision {

struct av_decision {

	u32 allowed;

	u32 allowed;

int security_get_permissions(char *class, char ***perms, int *nperms);

int security_get_permissions(char *class, char ***perms, int *nperms);

int security_get_reject_unknown(void);

int security_get_reject_unknown(void);

int security_get_allow_unknown(void);

int security_get_allow_unknown(void);

int security_get_policycaps(int *len, int **values);

#define SECURITY_FS_USE_XATTR		1 /* use xattr */

#define SECURITY_FS_USE_XATTR		1 /* use xattr */

#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */

#define SECURITY_FS_USE_TRANS		2 /* use transition SIDs, e.g. devpts/tmpfs */

 *

 *

 * 	Added conditional policy language extensions

 * 	Added conditional policy language extensions

 *

 *

 *  Updated: Hewlett-Packard <paul.moore@hp.com>

 *

 *      Added support for the policy capability bitmap

 *

 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.

 * Copyright (C) 2003 - 2004 Tresys Technology, LLC

 * Copyright (C) 2003 - 2004 Tresys Technology, LLC

 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>

 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>

 *	This program is free software; you can redistribute it and/or modify

 *	This program is free software; you can redistribute it and/or modify

#include "objsec.h"

#include "objsec.h"

#include "conditional.h"

#include "conditional.h"

/* Policy capability filenames */

static char *policycap_names[] = {

	"network_peer_controls"

};

unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;

unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;

#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT

#ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT

static struct dentry *class_dir = NULL;

static struct dentry *class_dir = NULL;

static unsigned long last_class_ino;

static unsigned long last_class_ino;

/* global data for policy capabilities */

static struct dentry *policycap_dir = NULL;

extern void selnl_notify_setenforce(int val);

extern void selnl_notify_setenforce(int val);

/* Check whether a task is allowed to use a security operation. */

/* Check whether a task is allowed to use a security operation. */

#define SEL_INITCON_INO_OFFSET		0x01000000

#define SEL_INITCON_INO_OFFSET		0x01000000

#define SEL_BOOL_INO_OFFSET		0x02000000

#define SEL_BOOL_INO_OFFSET		0x02000000

#define SEL_CLASS_INO_OFFSET		0x04000000

#define SEL_CLASS_INO_OFFSET		0x04000000

#define SEL_POLICYCAP_INO_OFFSET	0x08000000

#define SEL_INO_MASK			0x00ffffff

#define SEL_INO_MASK			0x00ffffff

#define TMPBUFLEN	12

#define TMPBUFLEN	12

/* declaration for sel_write_load */

/* declaration for sel_write_load */

static int sel_make_bools(void);

static int sel_make_bools(void);

static int sel_make_classes(void);

static int sel_make_classes(void);

static int sel_make_policycap(void);

/* declaration for sel_make_class_dirs */

/* declaration for sel_make_class_dirs */

static int sel_make_dir(struct inode *dir, struct dentry *dentry,

static int sel_make_dir(struct inode *dir, struct dentry *dentry,

	}

	}

	ret = sel_make_classes();

	ret = sel_make_classes();

	if (ret) {

		length = ret;

		goto out1;

	}

	ret = sel_make_policycap();

	if (ret)

	if (ret)

		length = ret;

		length = ret;

	else

	else

	.read		= sel_read_perm,

	.read		= sel_read_perm,

};

};

static ssize_t sel_read_policycap(struct file *file, char __user *buf,

				  size_t count, loff_t *ppos)

{

	int value;

	char tmpbuf[TMPBUFLEN];

	ssize_t length;

	unsigned long i_ino = file->f_path.dentry->d_inode->i_ino;

	value = security_policycap_supported(i_ino & SEL_INO_MASK);

	length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);

	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);

}

static const struct file_operations sel_policycap_ops = {

	.read		= sel_read_policycap,

};

static int sel_make_perm_files(char *objclass, int classvalue,

static int sel_make_perm_files(char *objclass, int classvalue,

				struct dentry *dir)

				struct dentry *dir)

{

{

	return rc;

	return rc;

}

}

static int sel_make_policycap(void)

{

	unsigned int iter;

	struct dentry *dentry = NULL;

	struct inode *inode = NULL;

	sel_remove_entries(policycap_dir);

	for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) {

		if (iter < ARRAY_SIZE(policycap_names))

			dentry = d_alloc_name(policycap_dir,

					      policycap_names[iter]);

		else

			dentry = d_alloc_name(policycap_dir, "unknown");

		if (dentry == NULL)

			return -ENOMEM;

		inode = sel_make_inode(policycap_dir->d_sb, S_IFREG | S_IRUGO);

		if (inode == NULL)

			return -ENOMEM;

		inode->i_fop = &sel_policycap_ops;

		inode->i_ino = iter | SEL_POLICYCAP_INO_OFFSET;

		d_add(dentry, inode);

	}

	return 0;

}

static int sel_make_dir(struct inode *dir, struct dentry *dentry,

static int sel_make_dir(struct inode *dir, struct dentry *dentry,

			unsigned long *ino)

			unsigned long *ino)

{

{

	class_dir = dentry;

	class_dir = dentry;

	dentry = d_alloc_name(sb->s_root, "policy_capabilities");

	if (!dentry) {

		ret = -ENOMEM;

		goto err;

	}

	ret = sel_make_dir(root_inode, dentry, &sel_last_ino);

	if (ret)

		goto err;

	policycap_dir = dentry;

out:

out:

	return ret;

	return ret;

err:

err:

 *

 *

 * 	Added conditional policy language extensions

 * 	Added conditional policy language extensions

 *

 *

 * Updated: Hewlett-Packard <paul.moore@hp.com>

 *

 *      Added support for the policy capability bitmap

 *

 * Copyright (C) 2007 Hewlett-Packard Development Company, L.P.

 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.

 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.

 * Copyright (C) 2003 - 2004 Tresys Technology, LLC

 * Copyright (C) 2003 - 2004 Tresys Technology, LLC

 *	This program is free software; you can redistribute it and/or modify

 *	This program is free software; you can redistribute it and/or modify

		.sym_num        = SYM_NUM,

		.sym_num        = SYM_NUM,

		.ocon_num       = OCON_NUM,

		.ocon_num       = OCON_NUM,

	},

	},

	{

		.version	= POLICYDB_VERSION_POLCAP,

		.sym_num	= SYM_NUM,

		.ocon_num	= OCON_NUM,

	}

};

};

static struct policydb_compat_info *policydb_lookup_compat(int version)

static struct policydb_compat_info *policydb_lookup_compat(int version)

	if (rc)

	if (rc)

		goto out_free_symtab;

		goto out_free_symtab;

	ebitmap_init(&p->policycaps);

out:

out:

	return rc;

	return rc;

			ebitmap_destroy(&p->type_attr_map[i]);

			ebitmap_destroy(&p->type_attr_map[i]);

	}

	}

	kfree(p->type_attr_map);

	kfree(p->type_attr_map);

	kfree(p->undefined_perms);

	kfree(p->undefined_perms);

	ebitmap_destroy(&p->policycaps);

	return;

	return;

}

}

	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);

	p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);

	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);

	p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);

	if (p->policyvers >= POLICYDB_VERSION_POLCAP &&

	    ebitmap_read(&p->policycaps, fp) != 0)

		goto bad;

	info = policydb_lookup_compat(p->policyvers);

	info = policydb_lookup_compat(p->policyvers);

	if (!info) {

	if (!info) {

		printk(KERN_ERR "security:  unable to find policy compat info "

		printk(KERN_ERR "security:  unable to find policy compat info "

	/* type -> attribute reverse mapping */

	/* type -> attribute reverse mapping */

	struct ebitmap *type_attr_map;

	struct ebitmap *type_attr_map;

	struct ebitmap policycaps;

	unsigned int policyvers;

	unsigned int policyvers;

	unsigned int reject_unknown : 1;

	unsigned int reject_unknown : 1;