Symbi-OS · FlareCoding · Apr 24, 2023 · Apr 24, 2023 · Apr 25, 2023
diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h
@@ -418,7 +418,11 @@ struct vfs_ns_cap_data {
 
 #define CAP_CHECKPOINT_RESTORE	40
 
-#define CAP_LAST_CAP         CAP_CHECKPOINT_RESTORE
+/* Allow performing the elevate syscall and make use of symbiote functionality */
+
+#define CAP_SYMBI_ELEV  41
+
+#define CAP_LAST_CAP         CAP_SYMBI_ELEV
 
 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)
 

diff --git a/kernel/sys.c b/kernel/sys.c
@@ -1095,6 +1095,9 @@ SYSCALL_DEFINE1(elevate, unsigned long, flags)
   struct SymbiReg sreg;
   sreg.raw = flags;
 
+  if (!capable(CAP_SYMBI_ELEV))
+	return -EPERM;
+
   // User's registers
   regs = (struct pt_regs *)this_cpu_read(cpu_current_top_of_stack) - 1;
 

diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
@@ -28,9 +28,9 @@
 
 #define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
 		"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
-		"checkpoint_restore"
+		"checkpoint_restore", "symbi_elev"
 
-#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
+#if CAP_LAST_CAP > CAP_SYMBI_ELEV
 #error New capability defined, please update COMMON_CAP2_PERMS.
 #endif