enable tun/tap/iptables

hc

2024-05-10 ee930fffee469d076998274a2ca55e13dc1efb67

 kernel/security/selinux/include/classmap.h
..
..
@@ -7,7 +7,8 @@
7
7
 
8
8
 #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
9
9
     "rename", "execute", "quotaon", "mounton", "audit_access", \
10
-    "open", "execmod"
10
+	"open", "execmod", "watch", "watch_mount", "watch_sb", \
11
+	"watch_with_perm", "watch_reads"
11
12
 
12
13
 #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
13
14
     "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
..
..
@@ -26,9 +27,10 @@
26
27
 	    "audit_control", "setfcap"
27
28
 
28
29
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
29
-		"wake_alarm", "block_suspend", "audit_read"
30
+		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
31
+		"checkpoint_restore"
30
32
 
31
-#if CAP_LAST_CAP > CAP_AUDIT_READ
33
+#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
32
34
 #error New capability defined, please update COMMON_CAP2_PERMS.
33
35
 #endif
34
36
 
..
..
@@ -60,7 +62,7 @@
60
62
 	{ "filesystem",
61
63
 	  { "mount", "remount", "unmount", "getattr",
62
64
 	    "relabelfrom", "relabelto", "associate", "quotamod",
63
-	    "quotaget", NULL } },
65
+	    "quotaget", "watch", NULL } },
64
66
 	{ "file",
65
67
 	  { COMMON_FILE_PERMS,
66
68
 	    "execute_no_trans", "entrypoint", NULL } },
..
..
@@ -241,11 +243,14 @@
241
243
 	{ "infiniband_endport",
242
244
 	  { "manage_subnet", NULL } },
243
245
 	{ "bpf",
244
-	  {"map_create", "map_read", "map_write", "prog_load", "prog_run"} },
246
+	  { "map_create", "map_read", "map_write", "prog_load", "prog_run",
247
+	    NULL } },
245
248
 	{ "xdp_socket",
246
249
 	  { COMMON_SOCK_PERMS, NULL } },
247
250
 	{ "perf_event",
248
-	  {"open", "cpu", "kernel", "tracepoint", "read", "write"} },
251
+	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
252
+	{ "anon_inode",
253
+	  { COMMON_FILE_PERMS, NULL } },
249
254
 	{ NULL }
250
255
   };
251
256