On Wed, Aug 21, 2024 at 8:39 PM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> This capability can be enabled to change the kernel's behaviour and use
> the extended permissions for netlink messages.
>
> Signed-off-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>
Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
> ---
> libsepol/include/sepol/policydb/polcaps.h | 1 +
> libsepol/src/polcaps.c | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
> index 14bcc6cb..1aa9b30a 100644
> --- a/libsepol/include/sepol/policydb/polcaps.h
> +++ b/libsepol/include/sepol/policydb/polcaps.h
> @@ -16,6 +16,7 @@ enum {
> POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
> POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
> POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
> + POLICYDB_CAP_NETLINK_XPERM,
> __POLICYDB_CAP_MAX
> };
> #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)
> diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
> index 8289443a..6b28c84e 100644
> --- a/libsepol/src/polcaps.c
> +++ b/libsepol/src/polcaps.c
> @@ -15,6 +15,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = {
> [POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS] = "genfs_seclabel_symlinks",
> [POLICYDB_CAP_IOCTL_SKIP_CLOEXEC] = "ioctl_skip_cloexec",
> [POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT] = "userspace_initial_context",
> + [POLICYDB_CAP_NETLINK_XPERM] = "netlink_xperm",
> };
>
> int sepol_polcap_getnum(const char *name)
> --
> 2.46.0.184.g6999bdac58-goog
>
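Review bot: The new `POLICYDB_CAP_NETLINK_XPERM` enumerator in polcaps.h is added without a comment, and nothing in the hunk records that an enumerator's position matters. As far as I know the enum value is the bit index stored in a policy's capability bitmap and has to match the kernel's own policy-capability list, so entries may only be appended directly before `__POLICYDB_CAP_MAX`, as this one is; a reorder would silently enable a different capability. I would add `/* Values are bit indexes shared with the kernel: append only, never reorder. */` above the enum and `/* netlink message checks use extended permissions */` on the new entry. The enum opens above the hunk, so any existing header comment is not visible here.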