From patchwork Fri Jul 14 16:48:01 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stephen Smalley X-Patchwork-Id: 9841443 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 629E2602D8 for ; Fri, 14 Jul 2017 16:44:20 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 52A6F2879E for ; Fri, 14 Jul 2017 16:44:20 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 47E6B287A8; Fri, 14 Jul 2017 16:44:20 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from ucol19pa14.eemsg.mail.mil (ucol19pa14.eemsg.mail.mil [214.24.24.87]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AADC3287A2 for ; Fri, 14 Jul 2017 16:44:19 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.40,359,1496102400"; d="scan'208";a="495137825" Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3]) by ucol19pa14.eemsg.mail.mil with ESMTP; 14 Jul 2017 16:44:18 +0000 IronPort-PHdr: =?us-ascii?q?9a23=3A6optaBFBuK9WMyg8Cf4Ahp1GYnF86YWxBRYc798d?= =?us-ascii?q?s5kLTJ76oc+wAkXT6L1XgUPTWs2DsrQf1LqQ7vurADFIyK3CmU5BWaQEbwUCh8?= =?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnZBUin4YBF4?= =?us-ascii?q?IuXzB576k9W81+f0/YbaJQpPmmmTe7R3eS6qoB3Ru89euo5rLqI821OduXdTU/?= =?us-ascii?q?hHzmNvY1SIllDz4dnmr80ryDhZp/90r50Iaq79ZaltFbE=3D?= X-IPAS-Result: =?us-ascii?q?A2GxAgDHTEFZ/wHyM5BeGwEBAQMBAQEJAQEBFgEBAQMBAQE?= =?us-ascii?q?JAQEBgwIrgV0SjwGiKIZmLYhUVwEBAQEBAQEBAgECaCiCMyKCSwJ2AwMJAhcxC?= =?us-ascii?q?AMBbAWIBk+BRQ2wTyYCi0eIQodncIUnBZ5Hk0UNiy2GWgJIlDJYgQonCQIfCCE?= =?us-ascii?q?PhRCCYlqHPII/AQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea11.NCSC.MIL with ESMTP; 14 Jul 2017 16:44:14 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6EGiA2m020130; Fri, 14 Jul 2017 12:44:12 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id v6EGhmt5104532 for ; Fri, 14 Jul 2017 12:43:48 -0400 Received: from moss-pluto.infosec.tycho.ncsc.mil (moss-pluto [192.168.25.131]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v6EGhkOu019870; Fri, 14 Jul 2017 12:43:46 -0400 From: Stephen Smalley To: selinux@tycho.nsa.gov Date: Fri, 14 Jul 2017 12:48:01 -0400 Message-Id: <20170714164801.6346-1-sds@tycho.nsa.gov> X-Mailer: git-send-email 2.9.4 Subject: [PATCH] libsepol: Define nnp_nosuid_transition policy capability X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Cc: Stephen Smalley Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Define the nnp_nosuid_transition policy capability used to enable SELinux domain transitions under NNP or nosuid if the nnp_nosuid_transition permission is allowed between the old and new contexts. When this capability is not enabled, such transitions remain limited to bounded transitions as they were prior to the introduction of this capability. Signed-off-by: Stephen Smalley --- libsepol/include/sepol/policydb/polcaps.h | 1 + libsepol/src/polcaps.c | 1 + 2 files changed, 2 insertions(+) diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h index 087541d..dc9356a 100644 --- a/libsepol/include/sepol/policydb/polcaps.h +++ b/libsepol/include/sepol/policydb/polcaps.h @@ -12,6 +12,7 @@ enum { POLICYDB_CAPABILITY_EXTSOCKCLASS, POLICYDB_CAPABILITY_ALWAYSNETWORK, POLICYDB_CAPABILITY_CGROUPSECLABEL, + POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c index 06a868c..b9dc352 100644 --- a/libsepol/src/polcaps.c +++ b/libsepol/src/polcaps.c @@ -11,6 +11,7 @@ static const char *polcap_names[] = { "extended_socket_class", /* POLICYDB_CAPABILITY_EXTSOCKCLASS */ "always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */ "cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */ + "nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */ NULL };