summaryrefslogtreecommitdiff
path: root/security/selinux/include
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/classmap.h6
-rw-r--r--security/selinux/include/policycap.h1
-rw-r--r--security/selinux/include/policycap_names.h1
-rw-r--r--security/selinux/include/security.h8
4 files changed, 13 insertions, 3 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index f9b5ca92a825..04a9b480885e 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -63,7 +63,9 @@ const struct security_class_mapping secclass_map[] = {
{ "process2", { "nnp_transition", "nosuid_transition", NULL } },
{ "system",
{ "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
- "module_request", "module_load", NULL } },
+ "module_request", "module_load", "firmware_load",
+ "kexec_image_load", "kexec_initramfs_load", "policy_load",
+ "x509_certificate_load", NULL } },
{ "capability", { COMMON_CAP_PERMS, NULL } },
{ "filesystem",
{ "mount", "remount", "unmount", "getattr", "relabelfrom",
@@ -177,7 +179,7 @@ const struct security_class_mapping secclass_map[] = {
{ "perf_event",
{ "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
{ "anon_inode", { COMMON_FILE_PERMS, NULL } },
- { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
+ { "io_uring", { "override_creds", "sqpoll", "cmd", "allowed", NULL } },
{ "user_namespace", { "create", NULL } },
/* last one */ { NULL, {} }
};
diff --git a/security/selinux/include/policycap.h b/security/selinux/include/policycap.h
index 079679fe7254..bd402d3fd3ae 100644
--- a/security/selinux/include/policycap.h
+++ b/security/selinux/include/policycap.h
@@ -15,6 +15,7 @@ enum {
POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
POLICYDB_CAP_NETLINK_XPERM,
+ POLICYDB_CAP_NETIF_WILDCARD,
__POLICYDB_CAP_MAX
};
#define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
diff --git a/security/selinux/include/policycap_names.h b/security/selinux/include/policycap_names.h
index e080827408c4..ac1342d6d5bb 100644
--- a/security/selinux/include/policycap_names.h
+++ b/security/selinux/include/policycap_names.h
@@ -18,6 +18,7 @@ const char *const selinux_policycap_names[__POLICYDB_CAP_MAX] = {
"ioctl_skip_cloexec",
"userspace_initial_context",
"netlink_xperm",
+ "netif_wildcard",
};
/* clang-format on */
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index 8b4c2aa35839..e7827ed7be5f 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -202,6 +202,12 @@ static inline bool selinux_policycap_netlink_xperm(void)
selinux_state.policycap[POLICYDB_CAP_NETLINK_XPERM]);
}
+static inline bool selinux_policycap_netif_wildcard(void)
+{
+ return READ_ONCE(
+ selinux_state.policycap[POLICYDB_CAP_NETIF_WILDCARD]);
+}
+
struct selinux_policy_convert_data;
struct selinux_load_state {
@@ -301,7 +307,7 @@ int security_ib_pkey_sid(u64 subnet_prefix, u16 pkey_num, u32 *out_sid);
int security_ib_endport_sid(const char *dev_name, u8 port_num, u32 *out_sid);
-int security_netif_sid(char *name, u32 *if_sid);
+int security_netif_sid(const char *name, u32 *if_sid);
int security_node_sid(u16 domain, void *addr, u32 addrlen, u32 *out_sid);