* [RFC PATCH] libsepol: Add 'key_perms' policy capability
@ 2020-02-02 19:36 Richard Haines
  2020-02-03 15:36 ` Stephen Smalley
From: Richard Haines @ 2020-02-02 19:36 UTC
  To: selinux; +Cc: dhowells, Richard Haines

Allow the new key class permissions 'inval, revoke, join and clear' to be
handled.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 libsepol/include/sepol/policydb/polcaps.h | 1 +
 libsepol/src/polcaps.c                    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index dc9356a6..de0c67b6 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -13,6 +13,7 @@ enum {
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 	POLICYDB_CAPABILITY_CGROUPSECLABEL,
 	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
+	POLICYDB_CAPABILITY_KEYPERMS,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
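Review bot: The new POLICYDB_CAPABILITY_KEYPERMS enumerator, inserted directly after POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION, gets its capability number purely from its position in the enum, and neither the hunk nor the commit message says which number that is or which kernel-side change defines the matching bit. Since the enumerator value is the policy capability index, please reference the corresponding kernel patch in the commit message and confirm that no other pending capability claims the same slot. A short comment on the new entry saying what it gates (the key class permissions 'inval', 'revoke', 'join' and 'clear' named in the commit message) would also help readers of the header.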
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index b9dc3526..48213c54 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -12,6 +12,7 @@ static const char *polcap_names[] = {
 	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
 	"cgroup_seclabel",		/* POLICYDB_CAPABILITY_SECLABEL */
 	"nnp_nosuid_transition",	/* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
+	"key_perms",			/* POLICYDB_CAPABILITY_KEYPERMS */
 	NULL
 };
 
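Review bot: polcap_names[] is tied to the enum in polcaps.h only by position, so the "key_perms" entry added before the NULL terminator is correct only while both lists stay in the same order, and the hunk shows no build-time check enforcing that. Consider adding one, for example an assertion that the array has POLICYDB_CAPABILITY_MAX + 2 elements (counting the NULL terminator), so that an insertion made in only one of the two files fails to compile. Separately, the context comment on the "cgroup_seclabel" line names POLICYDB_CAPABILITY_SECLABEL while the header spells the enumerator POLICYDB_CAPABILITY_CGROUPSECLABEL; that comment could be corrected while this table is being touched.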
-- 
2.24.1



* Re: [RFC PATCH] libsepol: Add 'key_perms' policy capability
  2020-02-02 19:36 [RFC PATCH] libsepol: Add 'key_perms' policy capability Richard Haines
@ 2020-02-03 15:36 ` Stephen Smalley
From: Stephen Smalley @ 2020-02-03 15:36 UTC
  To: Richard Haines, selinux; +Cc: dhowells

On 2/2/20 2:36 PM, Richard Haines wrote:
> Allow the new key class permissions 'inval, revoke, join and clear' to be
> handled.
> 
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>

Since the 'genfs_seclabel_symlinks' policy capability has already been 
queued for merge [1][2], I think this one will have to be bumped to the 
next policy capability bit after it.

[1] https://lore.kernel.org/selinux/20200124184221.322248-1-cgzones@googlemail.com/
[2] https://lore.kernel.org/selinux/20200131183900.3507-1-cgzones@googlemail.com/

> ---
>   libsepol/include/sepol/policydb/polcaps.h | 1 +
>   libsepol/src/polcaps.c                    | 1 +
>   2 files changed, 2 insertions(+)
> 
> diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
> index dc9356a6..de0c67b6 100644
> --- a/libsepol/include/sepol/policydb/polcaps.h
> +++ b/libsepol/include/sepol/policydb/polcaps.h
> @@ -13,6 +13,7 @@ enum {
>   	POLICYDB_CAPABILITY_ALWAYSNETWORK,
>   	POLICYDB_CAPABILITY_CGROUPSECLABEL,
>   	POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
> +	POLICYDB_CAPABILITY_KEYPERMS,
>   	__POLICYDB_CAPABILITY_MAX
>   };
>   #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
> index b9dc3526..48213c54 100644
> --- a/libsepol/src/polcaps.c
> +++ b/libsepol/src/polcaps.c
> @@ -12,6 +12,7 @@ static const char *polcap_names[] = {
>   	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
>   	"cgroup_seclabel",		/* POLICYDB_CAPABILITY_SECLABEL */
>   	"nnp_nosuid_transition",	/* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
> +	"key_perms",			/* POLICYDB_CAPABILITY_KEYPERMS */
>   	NULL
>   };
>   
> 

