libsepol: Add 'ioctl_skip_cloexec' policy capability

If 'ioctl_skip_cloexec' is set, the kernel will always allow FIOCLEX and
FIONCLEX ioctls.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Richard Haines 2022-02-25 17:55:49 +00:00 committed by James Carter
parent c79d38ff0c
commit 71bcdcc943
2 changed files with 2 additions and 0 deletions


@ -14,6 +14,7 @@ enum {
POLICYDB_CAPABILITY_CGROUPSECLABEL,
POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS,
POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC,
__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
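Review bot: The new enumerator `POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC` has no comment saying what enabling it relaxes, and unlike most capabilities this one removes a check rather than adding one. Going by the commit description, I would add `/* when set, the kernel always allows FIOCLEX and FIONCLEX ioctls */` on that line so policy authors and auditors see the effect next to the constant. Placing it directly before `__POLICYDB_CAPABILITY_MAX` looks right, since the enum value is presumably the index recorded in the compiled policy and earlier entries must not be renumbered. The enum starts outside the hunk, so the resulting numeric value cannot be confirmed against the kernel's from here.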


@ -13,6 +13,7 @@ static const char * const polcap_names[] = {
"cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */
"nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
"genfs_seclabel_symlinks", /* POLICYDB_CAPABILITY_GENFS_SECLABEL_SYMLINKS */
"ioctl_skip_cloexec", /* POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC */
NULL
};
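Review bot: The new `"ioctl_skip_cloexec"` entry is tied to `POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC` only by its position in `polcap_names[]`, and nothing in the visible lines enforces that the array and the enum in the header stay in step. If the two drift, a capability name would presumably resolve to the wrong index, which matters more for a capability that relaxes ioctl checks. Consider designated initializers, e.g. `[POLICYDB_CAPABILITY_IOCTL_SKIP_CLOEXEC] = "ioctl_skip_cloexec",`, or a compile-time check of the array length against `__POLICYDB_CAPABILITY_MAX`. The trailing comments already show such drift: the `"cgroup_seclabel"` context line is labelled `POLICYDB_CAPABILITY_SECLABEL` while the enum spells it `POLICYDB_CAPABILITY_CGROUPSECLABEL`. The array begins outside the hunk, so the index of the new entry cannot be verified here.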