selinux: support 64-bit capabilities
Fix SELinux to handle 64-bit capabilities correctly, and to catch future extensions of capabilities beyond 64 bits to ensure that SELinux is properly updated. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
parent
19af35546d
commit
b68e418c44
|
@ -1272,12 +1272,18 @@ static int task_has_perm(struct task_struct *tsk1,
|
|||
SECCLASS_PROCESS, perms, NULL);
|
||||
}
|
||||
|
||||
#if CAP_LAST_CAP > 63
|
||||
#error Fix SELinux to handle capabilities > 63.
|
||||
#endif
|
||||
|
||||
/* Check whether a task is allowed to use a capability. */
|
||||
static int task_has_capability(struct task_struct *tsk,
|
||||
int cap)
|
||||
{
|
||||
struct task_security_struct *tsec;
|
||||
struct avc_audit_data ad;
|
||||
u16 sclass;
|
||||
u32 av = CAP_TO_MASK(cap);
|
||||
|
||||
tsec = tsk->security;
|
||||
|
||||
|
@ -1285,8 +1291,19 @@ static int task_has_capability(struct task_struct *tsk,
|
|||
ad.tsk = tsk;
|
||||
ad.u.cap = cap;
|
||||
|
||||
return avc_has_perm(tsec->sid, tsec->sid,
|
||||
SECCLASS_CAPABILITY, CAP_TO_MASK(cap), &ad);
|
||||
switch (CAP_TO_INDEX(cap)) {
|
||||
case 0:
|
||||
sclass = SECCLASS_CAPABILITY;
|
||||
break;
|
||||
case 1:
|
||||
sclass = SECCLASS_CAPABILITY2;
|
||||
break;
|
||||
default:
|
||||
printk(KERN_ERR
|
||||
"SELinux: out of range capability %d\n", cap);
|
||||
BUG();
|
||||
}
|
||||
return avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad);
|
||||
}
|
||||
|
||||
/* Check whether a task is allowed to use a system operation. */
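Review bot: In the `default:` arm of the new `switch (CAP_TO_INDEX(cap))`, `sclass` is never assigned, so if `BUG()` ever returns (which I believe happens on builds that compile BUG() out) the following `avc_has_perm(tsec->sid, tsec->sid, sclass, av, &ad)` checks against an indeterminate class. Adding `return -EINVAL;` directly after `BUG();` makes the out-of-range path fail closed rather than depend on the macro never returning. A one-line comment above the switch, for example `/* index 0 -> capability, index 1 -> capability2; anything else is a kernel bug */`, would also record why only two classes are handled alongside the `CAP_LAST_CAP > 63` build guard. The body of task_has_capability() is split across the two hunks, so the lines between them are not visible here.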
|
||||
|
|
|
@ -132,6 +132,9 @@
|
|||
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
|
||||
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
|
||||
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
|
||||
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
|
|
|
@ -533,6 +533,9 @@
|
|||
#define CAPABILITY__LEASE 0x10000000UL
|
||||
#define CAPABILITY__AUDIT_WRITE 0x20000000UL
|
||||
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
|
||||
#define CAPABILITY__SETFCAP 0x80000000UL
|
||||
#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
|
||||
#define CAPABILITY2__MAC_ADMIN 0x00000002UL
|
||||
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
|
||||
|
|
|
@ -71,3 +71,4 @@
|
|||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_("peer")
|
||||
S_("capability2")
|
||||
|
|
|
@ -51,6 +51,7 @@
|
|||
#define SECCLASS_DCCP_SOCKET 60
|
||||
#define SECCLASS_MEMPROTECT 61
|
||||
#define SECCLASS_PEER 68
|
||||
#define SECCLASS_CAPABILITY2 69
|
||||
|
||||
/*
|
||||
* Security identifier indices for initial entities
|
||||
|
|