added a new CAP_SYMBI_ELEV capability

FlareCoding · FlareCoding · commit 6c8616ad0fb1 · 2023-04-25T00:30:39.000-04:00
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
@@ -418,7 +418,11 @@ struct vfs_ns_cap_data {
 
 #define CAP_CHECKPOINT_RESTORE	40
 
-#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
+/* Allow performing the elevate syscall and make use of symbiote functionality */
+
+#define CAP_SYMBI_ELEV  41
+
+#define CAP_LAST_CAP         CAP_SYMBI_ELEV
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
diff --git a/kernel/sys.c b/kernel/sys.c
@@ -1095,7 +1095,7 @@ SYSCALL_DEFINE1(elevate, unsigned long, flags)
   struct SymbiReg sreg;
   sreg.raw = flags;
 
-  if (!capable(CAP_SYS_ADMIN))
+  if (!capable(CAP_SYMBI_ELEV))
 	return -EPERM;
 
   // User's registers
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
@@ -28,9 +28,9 @@
 
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
 		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+		"checkpoint_restore", "symbi_elev"
 
-#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
+#if CAP_LAST_CAP > CAP_SYMBI_ELEV
 #error New capability defined, please update COMMON_CAP2_PERMS.
 #endif
 
