On 11/20/2016 05:29 PM, Paul Moore wrote: > On Fri, Nov 18, 2016 at 10:23 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> When a new capability is defined, SELinux needs to be updated. >> Trigger a build error if a new capability is defined without >> corresponding update to security/selinux/include/classmap.h's >> COMMON_CAP2_PERMS. This is similar to BUILD_BUG_ON() guards >> in the SELinux nlmsgtab code to ensure that SELinux tracks >> new netlink message types as needed. >> >> Note that there is already a similar build guard in >> security/selinux/hooks.c to detect when more than 64 >> capabilities are defined, since that will require adding >> a third capability class to SELinux. >> >> A nicer way to do this would be to extend scripts/selinux/genheaders >> or a similar tool to auto-generate the necessary definitions and code >> for SELinux capability checking from include/uapi/linux/capability.h. >> AppArmor does something similar in its Makefile, although it only >> needs to generate a single table of names. That is left as future work. >> >> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> >> --- >> security/selinux/include/classmap.h | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h >> index 1f1f4b2..e2d4ad3a 100644 >> --- a/security/selinux/include/classmap.h >> +++ b/security/selinux/include/classmap.h >> @@ -24,6 +24,10 @@ >> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ >> "wake_alarm", "block_suspend", "audit_read" >> >> +#if CAP_LAST_CAP > CAP_AUDIT_READ >> +#error New capability defined, please update COMMON_CAP2_PERMS. >> +#endif > > I think the obvious question here is why not use BUILD_BUG_ON() here? > I understand that it can be disabled, but it seems like the "good > neighbor" option compared to the #error pragma. I wanted the error to be triggered in the file that needs to be updated, and preferably close to the line that needs to be updated. BUILD_BUG_ON() and friends can only be used within a function, and there is no function in view in classmap.h. We could put a BUILD_BUG_ON() in one of the functions that use secclass_map[], e.g. avc_dump_av(), but it will be less directly correlated to what needs to be updated - it won't be the correct file. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
