On Fri, Nov 18, 2016 at 10:23 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > When a new capability is defined, SELinux needs to be updated. > Trigger a build error if a new capability is defined without > corresponding update to security/selinux/include/classmap.h's > COMMON_CAP2_PERMS. This is similar to BUILD_BUG_ON() guards > in the SELinux nlmsgtab code to ensure that SELinux tracks > new netlink message types as needed. > > Note that there is already a similar build guard in > security/selinux/hooks.c to detect when more than 64 > capabilities are defined, since that will require adding > a third capability class to SELinux. > > A nicer way to do this would be to extend scripts/selinux/genheaders > or a similar tool to auto-generate the necessary definitions and code > for SELinux capability checking from include/uapi/linux/capability.h. > AppArmor does something similar in its Makefile, although it only > needs to generate a single table of names. That is left as future work. > > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > --- > security/selinux/include/classmap.h | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h > index 1f1f4b2..e2d4ad3a 100644 > --- a/security/selinux/include/classmap.h > +++ b/security/selinux/include/classmap.h > @@ -24,6 +24,10 @@ > #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ > "wake_alarm", "block_suspend", "audit_read" > > +#if CAP_LAST_CAP > CAP_AUDIT_READ > +#error New capability defined, please update COMMON_CAP2_PERMS. > +#endif I think the obvious question here is why not use BUILD_BUG_ON() here? I understand that it can be disabled, but it seems like the "good neighbor" option compared to the #error pragma. -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
