summaryrefslogtreecommitdiff
path: root/security/selinux/include
diff options
context:
space:
mode:
authorChristian Göttsche <cgzones@googlemail.com>2024-10-23 17:27:10 +0200
committerPaul Moore <paul@paul-moore.com>2024-12-13 16:35:38 -0500
commit4aa176193475d37441cc52b84088542f3a59899a (patch)
treea7db1ea0ce0e051b8b08e07833db31888fd5f8b1 /security/selinux/include
parent034294fbfdf0ded4f931f9503d2ca5bbf8b9aebd (diff)
selinux: add support for xperms in conditional policies
Add support for extended permission rules in conditional policies. Currently the kernel accepts such rules already, but evaluating a security decision will hit a BUG() in services_compute_xperms_decision(). Thus reject extended permission rules in conditional policies for current policy versions. Add a new policy version for this feature. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/security.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index c7f2731abd03..10949df22fa4 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -46,10 +46,11 @@
#define POLICYDB_VERSION_INFINIBAND 31
#define POLICYDB_VERSION_GLBLUB 32
#define POLICYDB_VERSION_COMP_FTRANS 33 /* compressed filename transitions */
+#define POLICYDB_VERSION_COND_XPERMS 34 /* extended permissions in conditional policies */
/* Range of policy versions we understand*/
#define POLICYDB_VERSION_MIN POLICYDB_VERSION_BASE
-#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COMP_FTRANS
+#define POLICYDB_VERSION_MAX POLICYDB_VERSION_COND_XPERMS
/* Mask for just the mount related flags */
#define SE_MNTMASK 0x0f
generated by cgit v1.2.3 (git 2.46.0) at 2025-12-09 15:50:34 +0000