diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2020-10-13 16:29:55 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2020-10-13 16:29:55 -0700 |
| commit | 7b540812cc0635e6c7e508359115c7cb6886fd2f (patch) | |
| tree | a8e753d90bd36925a88dc9b86b5b1386bec6436c /scripts | |
| parent | 01fb1e2f42d607ef5eb7a7ca54a0f0901fb5856c (diff) | |
| parent | 0d50f059c4cdc9e436f6f4db8779ac0795bfdadf (diff) | |
Merge tag 'selinux-pr-20201012' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux
Pull selinux updates from Paul Moore:
"A decent number of SELinux patches for v5.10, twenty two in total. The
highlights are listed below, but all of the patches pass our test
suite and merge cleanly.
- A number of changes to how the SELinux policy is loaded and managed
inside the kernel with the goal of improving the atomicity of a
SELinux policy load operation.
These changes account for the bulk of the diffstat as well as the
patch count. A special thanks to everyone who contributed patches
and fixes for this work.
- Convert the SELinux policy read-write lock to RCU.
- A tracepoint was added for audited SELinux access control events;
this should help provide a more unified backtrace across kernel and
userspace.
- Allow the removal of security.selinux xattrs when a SELinux policy
is not loaded.
- Enable policy capabilities in SELinux policies created with the
scripts/selinux/mdp tool.
- Provide some "no sooner than" dates for the SELinux checkreqprot
sysfs deprecation"
* tag 'selinux-pr-20201012' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: (22 commits)
selinux: provide a "no sooner than" date for the checkreqprot removal
selinux: Add helper functions to get and set checkreqprot
selinux: access policycaps with READ_ONCE/WRITE_ONCE
selinux: simplify away security_policydb_len()
selinux: move policy mutex to selinux_state, use in lockdep checks
selinux: fix error handling bugs in security_load_policy()
selinux: convert policy read-write lock to RCU
selinux: delete repeated words in comments
selinux: add basic filtering for audit trace events
selinux: add tracepoint on audited events
selinux: Create new booleans and class dirs out of tree
selinux: Standardize string literal usage for selinuxfs directory names
selinux: Refactor selinuxfs directory populating functions
selinux: Create function for selinuxfs directory cleanup
selinux: permit removing security.selinux xattr before policy load
selinux: fix memdup.cocci warnings
selinux: avoid dereferencing the policy prior to initialization
selinux: fix allocation failure check on newpolicy->sidtab
selinux: refactor changing booleans
selinux: move policy commit after updating selinuxfs
...
Diffstat (limited to 'scripts')
| -rw-r--r-- | scripts/selinux/mdp/mdp.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c index 6ceb88eb9b59..105c1c31a316 100644 --- a/scripts/selinux/mdp/mdp.c +++ b/scripts/selinux/mdp/mdp.c @@ -35,6 +35,9 @@ struct security_class_mapping { #include "classmap.h" #include "initial_sid_to_string.h" +#include "policycap_names.h" + +#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0])) int main(int argc, char *argv[]) { @@ -115,6 +118,10 @@ int main(int argc, char *argv[]) } } + /* enable all policy capabilities */ + for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++) + fprintf(fout, "policycap %s;\n", selinux_policycap_names[i]); + /* types, roles, and allows */ fprintf(fout, "type base_t;\n"); fprintf(fout, "role base_r;\n"); |