
Commit b68e418c authored by Stephen Smalley's avatar Stephen Smalley Committed by James Morris

selinux: support 64-bit capabilities



Fix SELinux to handle 64-bit capabilities correctly, and to catch
future extensions of capabilities beyond 64 bits to ensure that SELinux
is properly updated.

Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 19af3554
+19 −2
@@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
			    SECCLASS_PROCESS, perms, NULL);
}

#if CAP_LAST_CAP > 63
#error Fix SELinux to handle capabilities > 63.
#endif

/* Check whether a task is allowed to use a capability. */
static int task_has_capability(struct task_struct *tsk,
			       int cap)
{
	struct task_security_struct *tsec;
	struct avc_audit_data ad;
	u16 sclass;
	u32 av = CAP_TO_MASK(cap);

	tsec = tsk->security;

@@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
	ad.tsk = tsk;
	ad.u.cap = cap;

	return avc_has_perm(tsec->sid, tsec->sid,
			    SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
	switch (CAP_TO_INDEX(cap)) {
	case 0:
		sclass = SECCLASS_CAPABILITY;
		break;
	case 1:
		sclass = SECCLASS_CAPABILITY2;
		break;
	default:
		printk(KERN_ERR
		       "SELinux:  out of range capability %d\n", cap);
		BUG();
	}
	return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
}

/* Check whether a task is allowed to use a system operation. */
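Review bot: In the `default:` arm of the new switch in task_has_capability, nothing follows `BUG();`, so on a kernel where BUG() is compiled out (CONFIG_BUG disabled, as I understand that option) control leaves the switch with `sclass` uninitialized and reaches `avc_has_perm()` with an arbitrary class. The capability decision would then depend on stack contents rather than on policy. Adding `return -EINVAL;` directly after `BUG();` makes the out-of-range case fail closed on every configuration and should also silence a possibly-uninitialized warning. The function spans both hunks of this file and the lines between them are not shown, so this is based on the visible part only.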
+3 −0
@@ -132,6 +132,9 @@
   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
   S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
   S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
   S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
   S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
+3 −0
@@ -533,6 +533,9 @@
#define CAPABILITY__LEASE                         0x10000000UL
#define CAPABILITY__AUDIT_WRITE                   0x20000000UL
#define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
#define CAPABILITY__SETFCAP                       0x80000000UL
#define CAPABILITY2__MAC_OVERRIDE                 0x00000001UL
#define CAPABILITY2__MAC_ADMIN                    0x00000002UL
#define NETLINK_ROUTE_SOCKET__IOCTL               0x00000001UL
#define NETLINK_ROUTE_SOCKET__READ                0x00000002UL
#define NETLINK_ROUTE_SOCKET__WRITE               0x00000004UL
+1 −0
@@ -71,3 +71,4 @@
    S_(NULL)
    S_(NULL)
    S_("peer")
    S_("capability2")
+1 −0
@@ -51,6 +51,7 @@
#define SECCLASS_DCCP_SOCKET                             60
#define SECCLASS_MEMPROTECT                              61
#define SECCLASS_PEER                                    68
#define SECCLASS_CAPABILITY2                             69

/*
 * Security identifier indices for initial entities