libsepol: Add policy capability netlink_xperm

This capability can be enabled to change the kernel's behaviour and use
the extended permissions for netlink messages.

Signed-off-by: Thiébaud Weksteen <[email protected]>
Acked-by: Stephen Smalley <[email protected]>

Author: tweksteen

libsepol/include/sepol/policydb/polcaps.h

@@ -16,6 +16,7 @@ enum {
 	POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS,
 	POLICYDB_CAP_IOCTL_SKIP_CLOEXEC,
 	POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT,
+	POLICYDB_CAP_NETLINK_XPERM,
 	__POLICYDB_CAP_MAX
 };
 #define POLICYDB_CAP_MAX (__POLICYDB_CAP_MAX - 1)

libsepol/src/polcaps.c

@@ -15,6 +15,7 @@ static const char * const polcap_names[POLICYDB_CAP_MAX + 1] = {
 	[POLICYDB_CAP_GENFS_SECLABEL_SYMLINKS]		= "genfs_seclabel_symlinks",
 	[POLICYDB_CAP_IOCTL_SKIP_CLOEXEC]		= "ioctl_skip_cloexec",
 	[POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT]	= "userspace_initial_context",
+	[POLICYDB_CAP_NETLINK_XPERM]			= "netlink_xperm",
 };
 
 int sepol_polcap_getnum(const char *name)