libsepol: Define nnp_nosuid_transition policy capability

Define the nnp_nosuid_transition policy capability used to enable
SELinux domain transitions under NNP or nosuid if the
nnp_transition permission or nosuid_transition permission is
allowed between the old and new contexts. When this capability is not
enabled, such transitions remain limited to bounded transitions as they
were prior to the introduction of this capability.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2017-07-14 12:11:40 -04:00
parent f80ea84698
commit ae1cd12076
2 changed files with 2 additions and 0 deletions


@ -12,6 +12,7 @@ enum {
POLICYDB_CAPABILITY_EXTSOCKCLASS,
POLICYDB_CAPABILITY_ALWAYSNETWORK,
POLICYDB_CAPABILITY_CGROUPSECLABEL,
POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION,
__POLICYDB_CAPABILITY_MAX
};
#define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
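Review bot: the new enumerator is placed immediately before __POLICYDB_CAPABILITY_MAX, so every existing capability keeps its numeric value, which is the right way to extend this enum; since the position of an enumerator here is what gives a capability its index, a short comment above the enum stating that new capabilities must only ever be appended in this position (never inserted or reordered) would make that constraint explicit for the next contributor.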


@ -11,6 +11,7 @@ static const char *polcap_names[] = {
"extended_socket_class", /* POLICYDB_CAPABILITY_EXTSOCKCLASS */
"always_check_network", /* POLICYDB_CAPABILITY_ALWAYSNETWORK */
"cgroup_seclabel", /* POLICYDB_CAPABILITY_SECLABEL */
"nnp_nosuid_transition", /* POLICYDB_CAPABILITY_NNP_NOSUID_TRANSITION */
NULL
};
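Review bot: polcap_names[] is kept in sync with the enum only by convention, and the adjacent context line already shows how that drifts: its comment reads `/* POLICYDB_CAPABILITY_SECLABEL */` while the enum value added next to it in the header is POLICYDB_CAPABILITY_CGROUPSECLABEL. The new entry's comment is correct, but consider fixing the stale comment in a follow-up and adding a compile-time check that the array holds exactly __POLICYDB_CAPABILITY_MAX entries plus the NULL terminator, so a future capability added to only one of the two files fails the build instead of silently shifting names.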