git.baikalelectronics.ru Git - kernel.git/commit
selinux: keep SELinux in sync with new capability definitions
author Stephen Smalley <sds@tycho.nsa.gov>
Fri, 18 Nov 2016 15:23:09 +0000 (10:23 -0500)
committer Paul Moore <paul@paul-moore.com>
Mon, 21 Nov 2016 20:37:24 +0000 (15:37 -0500)
commit cd09482cd31db2c7b6dfcc56c6427dbd3ed516b8
tree c86bdc1084436be2cb25afe9f382764c091db6ee
parent b7762f08f1a8b1955c2570e6baf475be72f13e76
selinux: keep SELinux in sync with new capability definitions

When a new capability is defined, SELinux needs to be updated.
Trigger a build error if a new capability is defined without
a corresponding update to security/selinux/include/classmap.h's
COMMON_CAP2_PERMS.  This is similar to BUILD_BUG_ON() guards
in the SELinux nlmsgtab code to ensure that SELinux tracks
new netlink message types as needed.

Note that there is already a similar build guard in
security/selinux/hooks.c to detect when more than 64
capabilities are defined, since that will require adding
a third capability class to SELinux.

A nicer way to do this would be to extend scripts/selinux/genheaders
or a similar tool to auto-generate the necessary definitions and code
for SELinux capability checking from include/uapi/linux/capability.h.
AppArmor does something similar in its Makefile, although it only
needs to generate a single table of names.  That is left as future
work.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: reformat the description to keep checkpatch.pl happy]
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/include/classmap.h
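As an added example (not the commit's diff, which this page does not show), the same build-time check in plain C: a permission-name table for the capability2 class, a BUILD_BUG_ON-style guard that stops the build when CAP_LAST_CAP moves past the end of the table, and the 64-capability guard the message mentions. The capability numbers and the table are a constructed subset of the real ones; STATIC_GUARD and the two lookup functions are assumptions of this example, not kernel code.

```c
#include <string.h>

/* Constructed subset of include/uapi/linux/capability.h (real numbers). */
#define CAP_CHOWN          0
#define CAP_AUDIT_READ    37
#define CAP_LAST_CAP      CAP_AUDIT_READ
#define CAP_VALID(x)      ((x) >= 0 && (x) <= CAP_LAST_CAP)

/* SELinux holds capability permissions in two classes of 32 bits:
 * "capability" covers caps 0..31, "capability2" covers 32..63. */
#define CAP_CLASS_BITS 32

/* Userspace stand-in for the kernel's BUILD_BUG_ON(): a negative array
 * size is a compile error, so a false condition stops the build. */
#define STATIC_GUARD(name, cond) typedef char name[(cond) ? 1 : -1]

/* Permission names of the capability2 class, index = cap - 32 (the real
 * names, here only as a constructed table, not the kernel's classmap). */
static const char *const cap2_perms[] = {
    "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
};
#define CAP2_PERMS_COUNT (sizeof(cap2_perms) / sizeof(cap2_perms[0]))

/* The guard this commit adds in spirit: the table must end exactly at
 * CAP_LAST_CAP, so a new capability without a classmap update fails to compile. */
STATIC_GUARD(cap2_perms_cover_every_capability,
             CAP_CLASS_BITS + CAP2_PERMS_COUNT == CAP_LAST_CAP + 1);

/* The existing hooks.c guard mentioned above: a 65th cap needs a third class. */
STATIC_GUARD(two_capability_classes_suffice,
             CAP_LAST_CAP < 2 * CAP_CLASS_BITS);

/* SELinux class for a capability: 1 ("capability"), 2 ("capability2"),
 * or 0 for an out-of-range value that no class covers. */
int cap_selinux_class(int cap)
{
    if (!CAP_VALID(cap))
        return 0;
    return cap < CAP_CLASS_BITS ? 1 : 2;
}

/* Permission name for a capability2-class cap, NULL otherwise. */
const char *cap2_perm_name(int cap)
{
    if (cap < CAP_CLASS_BITS || cap > CAP_LAST_CAP)
        return NULL;
    return cap2_perms[cap - CAP_CLASS_BITS];
}
```

Adding a CAP_NEW entry at 38 and bumping CAP_LAST_CAP without extending cap2_perms makes the first STATIC_GUARD fail to compile, which is exactly the behaviour the commit wants.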