From 64931b784a8caed68b993e80170ad55dd39dc141 Mon Sep 17 00:00:00 2001
From: FlareCoding <albert.slepak@gmail.com>
Date: Mon, 24 Apr 2023 16:38:27 -0400
Subject: [PATCH 1/3] made elevate syscall available only to root users

---
 kernel/sys.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/sys.c b/kernel/sys.c
index f2a260990b2510..c04bd898b394d0 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1089,6 +1089,9 @@ void symbi_debug_entry(struct pt_regs *regs, struct SymbiReg *sreg){
 SYSCALL_DEFINE1(elevate, unsigned long, flags)
 {
 #ifdef CONFIG_SYMBIOTE
+  if (!capable(CAP_SYS_ADMIN))
+	return -EPERM;
+
   struct pt_regs *regs;
 
   /* local_irq_disable(); */

From 1d4351e502005ba260460173394071d486ae6fa2 Mon Sep 17 00:00:00 2001
From: FlareCoding <albert.slepak@gmail.com>
Date: Mon, 24 Apr 2023 16:56:17 -0400
Subject: [PATCH 2/3] fixed gcc warning about ISO standard

---
 kernel/sys.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index c04bd898b394d0..651bc9bf2d27f9 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1089,15 +1089,15 @@ void symbi_debug_entry(struct pt_regs *regs, struct SymbiReg *sreg){
 SYSCALL_DEFINE1(elevate, unsigned long, flags)
 {
 #ifdef CONFIG_SYMBIOTE
-  if (!capable(CAP_SYS_ADMIN))
-	return -EPERM;
-
   struct pt_regs *regs;
 
   /* local_irq_disable(); */
   struct SymbiReg sreg;
   sreg.raw = flags;
 
+  if (!capable(CAP_SYS_ADMIN))
+	return -EPERM;
+
   // User's registers
   regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1;
 

From 8454c29be938ded8ac2ca453570a6a11ca505b78 Mon Sep 17 00:00:00 2001
From: FlareCoding <albert.slepak@gmail.com>
Date: Tue, 25 Apr 2023 00:30:39 -0400
Subject: [PATCH 3/3] added a new CAP_SYMBI_ELEV capability

---
 include/uapi/linux/capability.h     | 6 +++++-
 kernel/sys.c                        | 2 +-
 security/selinux/include/classmap.h | 4 ++--
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
index 2ddb4226cd2311..e331a8b29ac34f 100644
--- a/include/uapi/linux/capability.h
+++ b/include/uapi/linux/capability.h
@@ -418,7 +418,11 @@ struct vfs_ns_cap_data {
 
 #define CAP_CHECKPOINT_RESTORE	40
 
-#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
+/* Allow performing the elevate syscall and make use of symbiote functionality */
+
+#define CAP_SYMBI_ELEV  41
+
+#define CAP_LAST_CAP         CAP_SYMBI_ELEV
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 
diff --git a/kernel/sys.c b/kernel/sys.c
index 651bc9bf2d27f9..7ece9e167537c6 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1095,7 +1095,7 @@ SYSCALL_DEFINE1(elevate, unsigned long, flags)
   struct SymbiReg sreg;
   sreg.raw = flags;
 
-  if (!capable(CAP_SYS_ADMIN))
+  if (!capable(CAP_SYMBI_ELEV))
 	return -EPERM;
 
   // User's registers
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 62d19bccf3de1f..9d9a9f1b193985 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -28,9 +28,9 @@
 
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
 		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+		"checkpoint_restore", "symbi_elev"
 
-#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
+#if CAP_LAST_CAP > CAP_SYMBI_ELEV
 #error New capability defined, please update COMMON_CAP2_PERMS.
 #endif