diff options
| author | Casey Schaufler <casey@schaufler-ca.com> | 2007-12-02 19:04:27 -0800 |
|---|---|---|
| committer | Andrew G. Morgan <morgan@pippin.localdomain> | 2007-12-02 19:05:31 -0800 |
| commit | fd10be5e86a19ef4ddd2f5a100ec520f7d404a34 (patch) | |
| tree | 4a89f5289b7e7d3aa6ebbf013a3e72191dfe88b3 | |
| parent | ea70bc20fc3b53cecba576eb042b563db864d069 (diff) | |
| download | libcap-fd10be5e86a19ef4ddd2f5a100ec520f7d404a34.tar.gz | |
Allocate next two capabilities for MAC security modules.
This is used by the SMACK LSM module in the kernel > 2.6.24-rc3-mm1.
| -rw-r--r-- | libcap/include/linux/capability.h | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/libcap/include/linux/capability.h b/libcap/include/linux/capability.h index 26de1e7..a4691a3 100644 --- a/libcap/include/linux/capability.h +++ b/libcap/include/linux/capability.h @@ -314,6 +314,23 @@ typedef struct kernel_cap_struct { #define CAP_SETFCAP 31 +/* Override MAC access. + The base kernel enforces no MAC policy. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based overrides of that policy, this is + the capability it should use to do so. */ + +#define CAP_MAC_OVERRIDE 32 + +/* Allow MAC configuration or state changes. + The base kernel requires no MAC configuration. + An LSM may enforce a MAC policy, and if it does and it chooses + to implement capability based checks on modifications to that + policy or the data required to maintain it, this is the + capability it should use to do so. */ + +#define CAP_MAC_ADMIN 33 + /* * Bit location of each capability (used by user-space library and kernel) */ @@ -336,6 +353,8 @@ typedef struct kernel_cap_struct { |CAP_TO_MASK(CAP_FOWNER) \ |CAP_TO_MASK(CAP_FSETID)) +# define CAP_FS_MASK_B1 (CAP_TO_MASK(CAP_MAC_OVERRIDE)) + #if _LINUX_CAPABILITY_U32S != 2 # error Fix up hand-coded capability macro initializers #else /* HAND-CODED capability initializers */ @@ -343,8 +362,9 @@ typedef struct kernel_cap_struct { # define CAP_EMPTY_SET {{ 0, 0 }} # define CAP_FULL_SET {{ ~0, ~0 }} # define CAP_INIT_EFF_SET {{ ~CAP_TO_MASK(CAP_SETPCAP), ~0 }} -# define CAP_FS_SET {{ CAP_FS_MASK_B0, 0 }} -# define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), 0 }} +# define CAP_FS_SET {{ CAP_FS_MASK_B0, CAP_FS_MASK_B1 }} +# define CAP_NFSD_SET {{ CAP_FS_MASK_B0|CAP_TO_MASK(CAP_SYS_RESOURCE), \ + CAP_FS_MASK_B1 }} #endif /* _LINUX_CAPABILITY_U32S != 2 */ |