On Mon, Nov 21, 2016 at 9:49 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > On 11/20/2016 05:29 PM, Paul Moore wrote: >> On Fri, Nov 18, 2016 at 10:23 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >>> When a new capability is defined, SELinux needs to be updated. >>> Trigger a build error if a new capability is defined without >>> corresponding update to security/selinux/include/classmap.h's >>> COMMON_CAP2_PERMS. This is similar to BUILD_BUG_ON() guards >>> in the SELinux nlmsgtab code to ensure that SELinux tracks >>> new netlink message types as needed. >>> >>> Note that there is already a similar build guard in >>> security/selinux/hooks.c to detect when more than 64 >>> capabilities are defined, since that will require adding >>> a third capability class to SELinux. >>> >>> A nicer way to do this would be to extend scripts/selinux/genheaders >>> or a similar tool to auto-generate the necessary definitions and code >>> for SELinux capability checking from include/uapi/linux/capability.h. >>> AppArmor does something similar in its Makefile, although it only >>> needs to generate a single table of names. That is left as future work. >>> >>> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> >>> --- >>> security/selinux/include/classmap.h | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h >>> index 1f1f4b2..e2d4ad3a 100644 >>> --- a/security/selinux/include/classmap.h >>> +++ b/security/selinux/include/classmap.h >>> @@ -24,6 +24,10 @@ >>> #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ >>> "wake_alarm", "block_suspend", "audit_read" >>> >>> +#if CAP_LAST_CAP > CAP_AUDIT_READ >>> +#error New capability defined, please update COMMON_CAP2_PERMS. >>> +#endif >> >> I think the obvious question here is why not use BUILD_BUG_ON() here? >> I understand that it can be disabled, but it seems like the "good >> neighbor" option compared to the #error pragma. > > I wanted the error to be triggered in the file that needs to be updated, > and preferably close to the line that needs to be updated. > BUILD_BUG_ON() and friends can only be used within a function, and there > is no function in view in classmap.h. We could put a BUILD_BUG_ON() in > one of the functions that use secclass_map[], e.g. avc_dump_av(), but it > will be less directly correlated to what needs to be updated - it won't > be the correct file. Okay, I see the value in keeping the error close to the root cause. Merged. -- paul moore www.paul-moore.com _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
