+3 -1

MAINTAINERS

reviewed

··· 2980 2980 M: sds@tycho.nsa.gov 2981 2981 P: James Morris 2982 2982 M: jmorris@namei.org 2983 2983 + P: Eric Paris 2984 2984 + M: eparis@parisplace.org 2983 2985 L: linux-kernel@vger.kernel.org (kernel issues) 2984 2984 - L: selinux@tycho.nsa.gov (general discussion) 2986 2986 + L: selinux@tycho.nsa.gov (subscribers-only, general discussion) 2985 2987 W: http://www.nsa.gov/selinux 2986 2988 S: Supported 2987 2989

+32 -9

net/ipv4/cipso_ipv4.c

reviewed

··· 92 92 int cipso_v4_rbm_strictvalid = 1; 93 93 94 94 /* 95 95 + * Protocol Constants 96 96 + */ 97 97 + 98 98 + /* Maximum size of the CIPSO IP option, derived from the fact that the maximum 99 99 + * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */ 100 100 + #define CIPSO_V4_OPT_LEN_MAX 40 101 101 + 102 102 + /* Length of the base CIPSO option, this includes the option type (1 byte), the 103 103 + * option length (1 byte), and the DOI (4 bytes). */ 104 104 + #define CIPSO_V4_HDR_LEN 6 105 105 + 106 106 + /* Base length of the restrictive category bitmap tag (tag #1). */ 107 107 + #define CIPSO_V4_TAG_RBM_BLEN 4 108 108 + 109 109 + /* Base length of the enumerated category tag (tag #2). */ 110 110 + #define CIPSO_V4_TAG_ENUM_BLEN 4 111 111 + 112 112 + /* Base length of the ranged categories bitmap tag (tag #5). */ 113 113 + #define CIPSO_V4_TAG_RNG_BLEN 4 114 114 + /* The maximum number of category ranges permitted in the ranged category tag 115 115 + * (tag #5). You may note that the IETF draft states that the maximum number 116 116 + * of category ranges is 7, but if the low end of the last category range is 117 117 + * zero then it is possibile to fit 8 category ranges because the zero should 118 118 + * be omitted. */ 119 119 + #define CIPSO_V4_TAG_RNG_CAT_MAX 8 120 120 + 121 121 + /* 95 122 * Helper Functions 96 123 */ 97 124 ··· 1136 1109 unsigned char *net_cat, 1137 1110 u32 net_cat_len) 1138 1111 { 1139 1139 - /* The constant '16' is not random, it is the maximum number of 1140 1140 - * high/low category range pairs as permitted by the CIPSO draft based 1141 1141 - * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion 1142 1142 - * does a sanity check to make sure we don't overflow the array. */ 1143 1112 int iter = -1; 1144 1144 - u16 array[16]; 1113 1113 + u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2]; 1145 1114 u32 array_cnt = 0; 1146 1115 u32 cat_size = 0; 1147 1116 1148 1148 - BUG_ON(net_cat_len > 30); 1117 1117 + /* make sure we don't overflow the 'array[]' variable */ 1118 1118 + if (net_cat_len > 1119 1119 + (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN)) 1120 1120 + return -ENOSPC; 1149 1121 1150 1122 for (;;) { 1151 1123 iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1); ··· 1221 1195 /* 1222 1196 * Protocol Handling Functions 1223 1197 */ 1224 1224 - 1225 1225 - #define CIPSO_V4_OPT_LEN_MAX 40 1226 1226 - #define CIPSO_V4_HDR_LEN 6 1227 1198 1228 1199 /** 1229 1200 * cipso_v4_gentag_hdr - Generate a CIPSO option header

-3

net/netlabel/netlabel_kapi.c

reviewed

··· 263 263 int ret_val = -ENOENT; 264 264 struct netlbl_dom_map *dom_entry; 265 265 266 266 - if ((secattr->flags & NETLBL_SECATTR_DOMAIN) == 0) 267 267 - return -ENOENT; 268 268 - 269 266 rcu_read_lock(); 270 267 dom_entry = netlbl_domhsh_getentry(secattr->domain); 271 268 if (dom_entry == NULL)

+2

security/selinux/Makefile

reviewed

··· 8 8 9 9 selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o 10 10 11 11 + selinux-$(CONFIG_NETLABEL) += netlabel.o 12 12 + 11 13 EXTRA_CFLAGS += -Isecurity/selinux/include 12 14

+2

security/selinux/avc.c

reviewed

··· 217 217 audit_log_format(ab, " tcontext=%s", scontext); 218 218 kfree(scontext); 219 219 } 220 220 + 221 221 + BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 220 222 audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 221 223 } 222 224

+32 -6

security/selinux/hooks.c

reviewed

··· 77 77 #include "objsec.h" 78 78 #include "netif.h" 79 79 #include "xfrm.h" 80 80 - #include "selinux_netlabel.h" 80 80 + #include "netlabel.h" 81 81 82 82 #define XATTR_SELINUX_SUFFIX "selinux" 83 83 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX ··· 3123 3123 return ret; 3124 3124 } 3125 3125 3126 3126 + /** 3127 3127 + * selinux_skb_extlbl_sid - Determine the external label of a packet 3128 3128 + * @skb: the packet 3129 3129 + * @base_sid: the SELinux SID to use as a context for MLS only external labels 3130 3130 + * @sid: the packet's SID 3131 3131 + * 3132 3132 + * Description: 3133 3133 + * Check the various different forms of external packet labeling and determine 3134 3134 + * the external SID for the packet. 3135 3135 + * 3136 3136 + */ 3137 3137 + static void selinux_skb_extlbl_sid(struct sk_buff *skb, 3138 3138 + u32 base_sid, 3139 3139 + u32 *sid) 3140 3140 + { 3141 3141 + u32 xfrm_sid; 3142 3142 + u32 nlbl_sid; 3143 3143 + 3144 3144 + selinux_skb_xfrm_sid(skb, &xfrm_sid); 3145 3145 + if (selinux_netlbl_skbuff_getsid(skb, 3146 3146 + (xfrm_sid == SECSID_NULL ? 3147 3147 + base_sid : xfrm_sid), 3148 3148 + &nlbl_sid) != 0) 3149 3149 + nlbl_sid = SECSID_NULL; 3150 3150 + 3151 3151 + *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 3152 3152 + } 3153 3153 + 3126 3154 /* socket security operations */ 3127 3155 static int socket_has_perm(struct task_struct *task, struct socket *sock, 3128 3156 u32 perms) ··· 3692 3664 if (sock && sock->sk->sk_family == PF_UNIX) 3693 3665 selinux_get_inode_sid(SOCK_INODE(sock), &peer_secid); 3694 3666 else if (skb) 3695 3695 - security_skb_extlbl_sid(skb, 3696 3696 - SECINITSID_UNLABELED, 3697 3697 - &peer_secid); 3667 3667 + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peer_secid); 3698 3668 3699 3669 if (peer_secid == SECSID_NULL) 3700 3670 err = -EINVAL; ··· 3753 3727 u32 newsid; 3754 3728 u32 peersid; 3755 3729 3756 3756 - security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); 3730 3730 + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &peersid); 3757 3731 if (peersid == SECSID_NULL) { 3758 3732 req->secid = sksec->sid; 3759 3733 req->peer_secid = SECSID_NULL; ··· 3791 3765 { 3792 3766 struct sk_security_struct *sksec = sk->sk_security; 3793 3767 3794 3794 - security_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); 3768 3768 + selinux_skb_extlbl_sid(skb, SECINITSID_UNLABELED, &sksec->peer_sid); 3795 3769 } 3796 3770 3797 3771 static void selinux_req_classify_flow(const struct request_sock *req,

-102

security/selinux/include/av_perm_to_string.h

reviewed

··· 128 128 S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease") 129 129 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write") 130 130 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control") 131 131 - S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd") 132 132 - S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn") 133 133 - S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh") 134 134 - S_(SECCLASS_PASSWD, PASSWD__ROOTOK, "rootok") 135 135 - S_(SECCLASS_PASSWD, PASSWD__CRONTAB, "crontab") 136 136 - S_(SECCLASS_DRAWABLE, DRAWABLE__CREATE, "create") 137 137 - S_(SECCLASS_DRAWABLE, DRAWABLE__DESTROY, "destroy") 138 138 - S_(SECCLASS_DRAWABLE, DRAWABLE__DRAW, "draw") 139 139 - S_(SECCLASS_DRAWABLE, DRAWABLE__COPY, "copy") 140 140 - S_(SECCLASS_DRAWABLE, DRAWABLE__GETATTR, "getattr") 141 141 - S_(SECCLASS_GC, GC__CREATE, "create") 142 142 - S_(SECCLASS_GC, GC__FREE, "free") 143 143 - S_(SECCLASS_GC, GC__GETATTR, "getattr") 144 144 - S_(SECCLASS_GC, GC__SETATTR, "setattr") 145 145 - S_(SECCLASS_WINDOW, WINDOW__ADDCHILD, "addchild") 146 146 - S_(SECCLASS_WINDOW, WINDOW__CREATE, "create") 147 147 - S_(SECCLASS_WINDOW, WINDOW__DESTROY, "destroy") 148 148 - S_(SECCLASS_WINDOW, WINDOW__MAP, "map") 149 149 - S_(SECCLASS_WINDOW, WINDOW__UNMAP, "unmap") 150 150 - S_(SECCLASS_WINDOW, WINDOW__CHSTACK, "chstack") 151 151 - S_(SECCLASS_WINDOW, WINDOW__CHPROPLIST, "chproplist") 152 152 - S_(SECCLASS_WINDOW, WINDOW__CHPROP, "chprop") 153 153 - S_(SECCLASS_WINDOW, WINDOW__LISTPROP, "listprop") 154 154 - S_(SECCLASS_WINDOW, WINDOW__GETATTR, "getattr") 155 155 - S_(SECCLASS_WINDOW, WINDOW__SETATTR, "setattr") 156 156 - S_(SECCLASS_WINDOW, WINDOW__SETFOCUS, "setfocus") 157 157 - S_(SECCLASS_WINDOW, WINDOW__MOVE, "move") 158 158 - S_(SECCLASS_WINDOW, WINDOW__CHSELECTION, "chselection") 159 159 - S_(SECCLASS_WINDOW, WINDOW__CHPARENT, "chparent") 160 160 - S_(SECCLASS_WINDOW, WINDOW__CTRLLIFE, "ctrllife") 161 161 - S_(SECCLASS_WINDOW, WINDOW__ENUMERATE, "enumerate") 162 162 - S_(SECCLASS_WINDOW, WINDOW__TRANSPARENT, "transparent") 163 163 - S_(SECCLASS_WINDOW, WINDOW__MOUSEMOTION, "mousemotion") 164 164 - S_(SECCLASS_WINDOW, WINDOW__CLIENTCOMEVENT, "clientcomevent") 165 165 - S_(SECCLASS_WINDOW, WINDOW__INPUTEVENT, "inputevent") 166 166 - S_(SECCLASS_WINDOW, WINDOW__DRAWEVENT, "drawevent") 167 167 - S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEEVENT, "windowchangeevent") 168 168 - S_(SECCLASS_WINDOW, WINDOW__WINDOWCHANGEREQUEST, "windowchangerequest") 169 169 - S_(SECCLASS_WINDOW, WINDOW__SERVERCHANGEEVENT, "serverchangeevent") 170 170 - S_(SECCLASS_WINDOW, WINDOW__EXTENSIONEVENT, "extensionevent") 171 171 - S_(SECCLASS_FONT, FONT__LOAD, "load") 172 172 - S_(SECCLASS_FONT, FONT__FREE, "free") 173 173 - S_(SECCLASS_FONT, FONT__GETATTR, "getattr") 174 174 - S_(SECCLASS_FONT, FONT__USE, "use") 175 175 - S_(SECCLASS_COLORMAP, COLORMAP__CREATE, "create") 176 176 - S_(SECCLASS_COLORMAP, COLORMAP__FREE, "free") 177 177 - S_(SECCLASS_COLORMAP, COLORMAP__INSTALL, "install") 178 178 - S_(SECCLASS_COLORMAP, COLORMAP__UNINSTALL, "uninstall") 179 179 - S_(SECCLASS_COLORMAP, COLORMAP__LIST, "list") 180 180 - S_(SECCLASS_COLORMAP, COLORMAP__READ, "read") 181 181 - S_(SECCLASS_COLORMAP, COLORMAP__STORE, "store") 182 182 - S_(SECCLASS_COLORMAP, COLORMAP__GETATTR, "getattr") 183 183 - S_(SECCLASS_COLORMAP, COLORMAP__SETATTR, "setattr") 184 184 - S_(SECCLASS_PROPERTY, PROPERTY__CREATE, "create") 185 185 - S_(SECCLASS_PROPERTY, PROPERTY__FREE, "free") 186 186 - S_(SECCLASS_PROPERTY, PROPERTY__READ, "read") 187 187 - S_(SECCLASS_PROPERTY, PROPERTY__WRITE, "write") 188 188 - S_(SECCLASS_CURSOR, CURSOR__CREATE, "create") 189 189 - S_(SECCLASS_CURSOR, CURSOR__CREATEGLYPH, "createglyph") 190 190 - S_(SECCLASS_CURSOR, CURSOR__FREE, "free") 191 191 - S_(SECCLASS_CURSOR, CURSOR__ASSIGN, "assign") 192 192 - S_(SECCLASS_CURSOR, CURSOR__SETATTR, "setattr") 193 193 - S_(SECCLASS_XCLIENT, XCLIENT__KILL, "kill") 194 194 - S_(SECCLASS_XINPUT, XINPUT__LOOKUP, "lookup") 195 195 - S_(SECCLASS_XINPUT, XINPUT__GETATTR, "getattr") 196 196 - S_(SECCLASS_XINPUT, XINPUT__SETATTR, "setattr") 197 197 - S_(SECCLASS_XINPUT, XINPUT__SETFOCUS, "setfocus") 198 198 - S_(SECCLASS_XINPUT, XINPUT__WARPPOINTER, "warppointer") 199 199 - S_(SECCLASS_XINPUT, XINPUT__ACTIVEGRAB, "activegrab") 200 200 - S_(SECCLASS_XINPUT, XINPUT__PASSIVEGRAB, "passivegrab") 201 201 - S_(SECCLASS_XINPUT, XINPUT__UNGRAB, "ungrab") 202 202 - S_(SECCLASS_XINPUT, XINPUT__BELL, "bell") 203 203 - S_(SECCLASS_XINPUT, XINPUT__MOUSEMOTION, "mousemotion") 204 204 - S_(SECCLASS_XINPUT, XINPUT__RELABELINPUT, "relabelinput") 205 205 - S_(SECCLASS_XSERVER, XSERVER__SCREENSAVER, "screensaver") 206 206 - S_(SECCLASS_XSERVER, XSERVER__GETHOSTLIST, "gethostlist") 207 207 - S_(SECCLASS_XSERVER, XSERVER__SETHOSTLIST, "sethostlist") 208 208 - S_(SECCLASS_XSERVER, XSERVER__GETFONTPATH, "getfontpath") 209 209 - S_(SECCLASS_XSERVER, XSERVER__SETFONTPATH, "setfontpath") 210 210 - S_(SECCLASS_XSERVER, XSERVER__GETATTR, "getattr") 211 211 - S_(SECCLASS_XSERVER, XSERVER__GRAB, "grab") 212 212 - S_(SECCLASS_XSERVER, XSERVER__UNGRAB, "ungrab") 213 213 - S_(SECCLASS_XEXTENSION, XEXTENSION__QUERY, "query") 214 214 - S_(SECCLASS_XEXTENSION, XEXTENSION__USE, "use") 215 215 - S_(SECCLASS_PAX, PAX__PAGEEXEC, "pageexec") 216 216 - S_(SECCLASS_PAX, PAX__EMUTRAMP, "emutramp") 217 217 - S_(SECCLASS_PAX, PAX__MPROTECT, "mprotect") 218 218 - S_(SECCLASS_PAX, PAX__RANDMMAP, "randmmap") 219 219 - S_(SECCLASS_PAX, PAX__RANDEXEC, "randexec") 220 220 - S_(SECCLASS_PAX, PAX__SEGMEXEC, "segmexec") 221 131 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read") 222 132 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write") 223 133 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read") ··· 142 232 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv") 143 233 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read") 144 234 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write") 145 145 - S_(SECCLASS_DBUS, DBUS__ACQUIRE_SVC, "acquire_svc") 146 146 - S_(SECCLASS_DBUS, DBUS__SEND_MSG, "send_msg") 147 147 - S_(SECCLASS_NSCD, NSCD__GETPWD, "getpwd") 148 148 - S_(SECCLASS_NSCD, NSCD__GETGRP, "getgrp") 149 149 - S_(SECCLASS_NSCD, NSCD__GETHOST, "gethost") 150 150 - S_(SECCLASS_NSCD, NSCD__GETSTAT, "getstat") 151 151 - S_(SECCLASS_NSCD, NSCD__ADMIN, "admin") 152 152 - S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd") 153 153 - S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp") 154 154 - S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost") 155 235 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto") 156 236 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom") 157 237 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext") ··· 156 256 S_(SECCLASS_KEY, KEY__LINK, "link") 157 257 S_(SECCLASS_KEY, KEY__SETATTR, "setattr") 158 258 S_(SECCLASS_KEY, KEY__CREATE, "create") 159 159 - S_(SECCLASS_CONTEXT, CONTEXT__TRANSLATE, "translate") 160 160 - S_(SECCLASS_CONTEXT, CONTEXT__CONTAINS, "contains") 161 259 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind") 162 260 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")

-179

security/selinux/include/av_permissions.h

reviewed

··· 16 16 #define COMMON_FILE__SWAPON 0x00004000UL 17 17 #define COMMON_FILE__QUOTAON 0x00008000UL 18 18 #define COMMON_FILE__MOUNTON 0x00010000UL 19 19 - 20 19 #define COMMON_SOCKET__IOCTL 0x00000001UL 21 20 #define COMMON_SOCKET__READ 0x00000002UL 22 21 #define COMMON_SOCKET__WRITE 0x00000004UL ··· 38 39 #define COMMON_SOCKET__RECV_MSG 0x00080000UL 39 40 #define COMMON_SOCKET__SEND_MSG 0x00100000UL 40 41 #define COMMON_SOCKET__NAME_BIND 0x00200000UL 41 41 - 42 42 #define COMMON_IPC__CREATE 0x00000001UL 43 43 #define COMMON_IPC__DESTROY 0x00000002UL 44 44 #define COMMON_IPC__GETATTR 0x00000004UL ··· 47 49 #define COMMON_IPC__ASSOCIATE 0x00000040UL 48 50 #define COMMON_IPC__UNIX_READ 0x00000080UL 49 51 #define COMMON_IPC__UNIX_WRITE 0x00000100UL 50 50 - 51 52 #define FILESYSTEM__MOUNT 0x00000001UL 52 53 #define FILESYSTEM__REMOUNT 0x00000002UL 53 54 #define FILESYSTEM__UNMOUNT 0x00000004UL ··· 57 60 #define FILESYSTEM__ASSOCIATE 0x00000080UL 58 61 #define FILESYSTEM__QUOTAMOD 0x00000100UL 59 62 #define FILESYSTEM__QUOTAGET 0x00000200UL 60 60 - 61 63 #define DIR__IOCTL 0x00000001UL 62 64 #define DIR__READ 0x00000002UL 63 65 #define DIR__WRITE 0x00000004UL ··· 74 78 #define DIR__SWAPON 0x00004000UL 75 79 #define DIR__QUOTAON 0x00008000UL 76 80 #define DIR__MOUNTON 0x00010000UL 77 77 - 78 81 #define DIR__ADD_NAME 0x00020000UL 79 82 #define DIR__REMOVE_NAME 0x00040000UL 80 83 #define DIR__REPARENT 0x00080000UL 81 84 #define DIR__SEARCH 0x00100000UL 82 85 #define DIR__RMDIR 0x00200000UL 83 83 - 84 86 #define FILE__IOCTL 0x00000001UL 85 87 #define FILE__READ 0x00000002UL 86 88 #define FILE__WRITE 0x00000004UL ··· 96 102 #define FILE__SWAPON 0x00004000UL 97 103 #define FILE__QUOTAON 0x00008000UL 98 104 #define FILE__MOUNTON 0x00010000UL 99 99 - 100 105 #define FILE__EXECUTE_NO_TRANS 0x00020000UL 101 106 #define FILE__ENTRYPOINT 0x00040000UL 102 107 #define FILE__EXECMOD 0x00080000UL 103 103 - 104 108 #define LNK_FILE__IOCTL 0x00000001UL 105 109 #define LNK_FILE__READ 0x00000002UL 106 110 #define LNK_FILE__WRITE 0x00000004UL ··· 116 124 #define LNK_FILE__SWAPON 0x00004000UL 117 125 #define LNK_FILE__QUOTAON 0x00008000UL 118 126 #define LNK_FILE__MOUNTON 0x00010000UL 119 119 - 120 127 #define CHR_FILE__IOCTL 0x00000001UL 121 128 #define CHR_FILE__READ 0x00000002UL 122 129 #define CHR_FILE__WRITE 0x00000004UL ··· 133 142 #define CHR_FILE__SWAPON 0x00004000UL 134 143 #define CHR_FILE__QUOTAON 0x00008000UL 135 144 #define CHR_FILE__MOUNTON 0x00010000UL 136 136 - 137 145 #define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL 138 146 #define CHR_FILE__ENTRYPOINT 0x00040000UL 139 147 #define CHR_FILE__EXECMOD 0x00080000UL 140 140 - 141 148 #define BLK_FILE__IOCTL 0x00000001UL 142 149 #define BLK_FILE__READ 0x00000002UL 143 150 #define BLK_FILE__WRITE 0x00000004UL ··· 153 164 #define BLK_FILE__SWAPON 0x00004000UL 154 165 #define BLK_FILE__QUOTAON 0x00008000UL 155 166 #define BLK_FILE__MOUNTON 0x00010000UL 156 156 - 157 167 #define SOCK_FILE__IOCTL 0x00000001UL 158 168 #define SOCK_FILE__READ 0x00000002UL 159 169 #define SOCK_FILE__WRITE 0x00000004UL ··· 170 182 #define SOCK_FILE__SWAPON 0x00004000UL 171 183 #define SOCK_FILE__QUOTAON 0x00008000UL 172 184 #define SOCK_FILE__MOUNTON 0x00010000UL 173 173 - 174 185 #define FIFO_FILE__IOCTL 0x00000001UL 175 186 #define FIFO_FILE__READ 0x00000002UL 176 187 #define FIFO_FILE__WRITE 0x00000004UL ··· 187 200 #define FIFO_FILE__SWAPON 0x00004000UL 188 201 #define FIFO_FILE__QUOTAON 0x00008000UL 189 202 #define FIFO_FILE__MOUNTON 0x00010000UL 190 190 - 191 203 #define FD__USE 0x00000001UL 192 192 - 193 204 #define SOCKET__IOCTL 0x00000001UL 194 205 #define SOCKET__READ 0x00000002UL 195 206 #define SOCKET__WRITE 0x00000004UL ··· 210 225 #define SOCKET__RECV_MSG 0x00080000UL 211 226 #define SOCKET__SEND_MSG 0x00100000UL 212 227 #define SOCKET__NAME_BIND 0x00200000UL 213 213 - 214 228 #define TCP_SOCKET__IOCTL 0x00000001UL 215 229 #define TCP_SOCKET__READ 0x00000002UL 216 230 #define TCP_SOCKET__WRITE 0x00000004UL ··· 232 248 #define TCP_SOCKET__RECV_MSG 0x00080000UL 233 249 #define TCP_SOCKET__SEND_MSG 0x00100000UL 234 250 #define TCP_SOCKET__NAME_BIND 0x00200000UL 235 235 - 236 251 #define TCP_SOCKET__CONNECTTO 0x00400000UL 237 252 #define TCP_SOCKET__NEWCONN 0x00800000UL 238 253 #define TCP_SOCKET__ACCEPTFROM 0x01000000UL 239 254 #define TCP_SOCKET__NODE_BIND 0x02000000UL 240 255 #define TCP_SOCKET__NAME_CONNECT 0x04000000UL 241 241 - 242 256 #define UDP_SOCKET__IOCTL 0x00000001UL 243 257 #define UDP_SOCKET__READ 0x00000002UL 244 258 #define UDP_SOCKET__WRITE 0x00000004UL ··· 259 277 #define UDP_SOCKET__RECV_MSG 0x00080000UL 260 278 #define UDP_SOCKET__SEND_MSG 0x00100000UL 261 279 #define UDP_SOCKET__NAME_BIND 0x00200000UL 262 262 - 263 280 #define UDP_SOCKET__NODE_BIND 0x00400000UL 264 264 - 265 281 #define RAWIP_SOCKET__IOCTL 0x00000001UL 266 282 #define RAWIP_SOCKET__READ 0x00000002UL 267 283 #define RAWIP_SOCKET__WRITE 0x00000004UL ··· 282 302 #define RAWIP_SOCKET__RECV_MSG 0x00080000UL 283 303 #define RAWIP_SOCKET__SEND_MSG 0x00100000UL 284 304 #define RAWIP_SOCKET__NAME_BIND 0x00200000UL 285 285 - 286 305 #define RAWIP_SOCKET__NODE_BIND 0x00400000UL 287 287 - 288 306 #define NODE__TCP_RECV 0x00000001UL 289 307 #define NODE__TCP_SEND 0x00000002UL 290 308 #define NODE__UDP_RECV 0x00000004UL ··· 292 314 #define NODE__ENFORCE_DEST 0x00000040UL 293 315 #define NODE__DCCP_RECV 0x00000080UL 294 316 #define NODE__DCCP_SEND 0x00000100UL 295 295 - 296 317 #define NETIF__TCP_RECV 0x00000001UL 297 318 #define NETIF__TCP_SEND 0x00000002UL 298 319 #define NETIF__UDP_RECV 0x00000004UL ··· 300 323 #define NETIF__RAWIP_SEND 0x00000020UL 301 324 #define NETIF__DCCP_RECV 0x00000040UL 302 325 #define NETIF__DCCP_SEND 0x00000080UL 303 303 - 304 326 #define NETLINK_SOCKET__IOCTL 0x00000001UL 305 327 #define NETLINK_SOCKET__READ 0x00000002UL 306 328 #define NETLINK_SOCKET__WRITE 0x00000004UL ··· 322 346 #define NETLINK_SOCKET__RECV_MSG 0x00080000UL 323 347 #define NETLINK_SOCKET__SEND_MSG 0x00100000UL 324 348 #define NETLINK_SOCKET__NAME_BIND 0x00200000UL 325 325 - 326 349 #define PACKET_SOCKET__IOCTL 0x00000001UL 327 350 #define PACKET_SOCKET__READ 0x00000002UL 328 351 #define PACKET_SOCKET__WRITE 0x00000004UL ··· 344 369 #define PACKET_SOCKET__RECV_MSG 0x00080000UL 345 370 #define PACKET_SOCKET__SEND_MSG 0x00100000UL 346 371 #define PACKET_SOCKET__NAME_BIND 0x00200000UL 347 347 - 348 372 #define KEY_SOCKET__IOCTL 0x00000001UL 349 373 #define KEY_SOCKET__READ 0x00000002UL 350 374 #define KEY_SOCKET__WRITE 0x00000004UL ··· 366 392 #define KEY_SOCKET__RECV_MSG 0x00080000UL 367 393 #define KEY_SOCKET__SEND_MSG 0x00100000UL 368 394 #define KEY_SOCKET__NAME_BIND 0x00200000UL 369 369 - 370 395 #define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL 371 396 #define UNIX_STREAM_SOCKET__READ 0x00000002UL 372 397 #define UNIX_STREAM_SOCKET__WRITE 0x00000004UL ··· 388 415 #define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL 389 416 #define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL 390 417 #define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL 391 391 - 392 418 #define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL 393 419 #define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL 394 420 #define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL 395 395 - 396 421 #define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL 397 422 #define UNIX_DGRAM_SOCKET__READ 0x00000002UL 398 423 #define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL ··· 413 442 #define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL 414 443 #define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL 415 444 #define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL 416 416 - 417 445 #define PROCESS__FORK 0x00000001UL 418 446 #define PROCESS__TRANSITION 0x00000002UL 419 447 #define PROCESS__SIGCHLD 0x00000004UL ··· 443 473 #define PROCESS__EXECHEAP 0x08000000UL 444 474 #define PROCESS__SETKEYCREATE 0x10000000UL 445 475 #define PROCESS__SETSOCKCREATE 0x20000000UL 446 446 - 447 476 #define IPC__CREATE 0x00000001UL 448 477 #define IPC__DESTROY 0x00000002UL 449 478 #define IPC__GETATTR 0x00000004UL ··· 452 483 #define IPC__ASSOCIATE 0x00000040UL 453 484 #define IPC__UNIX_READ 0x00000080UL 454 485 #define IPC__UNIX_WRITE 0x00000100UL 455 455 - 456 486 #define SEM__CREATE 0x00000001UL 457 487 #define SEM__DESTROY 0x00000002UL 458 488 #define SEM__GETATTR 0x00000004UL ··· 461 493 #define SEM__ASSOCIATE 0x00000040UL 462 494 #define SEM__UNIX_READ 0x00000080UL 463 495 #define SEM__UNIX_WRITE 0x00000100UL 464 464 - 465 496 #define MSGQ__CREATE 0x00000001UL 466 497 #define MSGQ__DESTROY 0x00000002UL 467 498 #define MSGQ__GETATTR 0x00000004UL ··· 470 503 #define MSGQ__ASSOCIATE 0x00000040UL 471 504 #define MSGQ__UNIX_READ 0x00000080UL 472 505 #define MSGQ__UNIX_WRITE 0x00000100UL 473 473 - 474 506 #define MSGQ__ENQUEUE 0x00000200UL 475 475 - 476 507 #define MSG__SEND 0x00000001UL 477 508 #define MSG__RECEIVE 0x00000002UL 478 478 - 479 509 #define SHM__CREATE 0x00000001UL 480 510 #define SHM__DESTROY 0x00000002UL 481 511 #define SHM__GETATTR 0x00000004UL ··· 482 518 #define SHM__ASSOCIATE 0x00000040UL 483 519 #define SHM__UNIX_READ 0x00000080UL 484 520 #define SHM__UNIX_WRITE 0x00000100UL 485 485 - 486 521 #define SHM__LOCK 0x00000200UL 487 487 - 488 522 #define SECURITY__COMPUTE_AV 0x00000001UL 489 523 #define SECURITY__COMPUTE_CREATE 0x00000002UL 490 524 #define SECURITY__COMPUTE_MEMBER 0x00000004UL ··· 494 532 #define SECURITY__SETBOOL 0x00000100UL 495 533 #define SECURITY__SETSECPARAM 0x00000200UL 496 534 #define SECURITY__SETCHECKREQPROT 0x00000400UL 497 497 - 498 535 #define SYSTEM__IPC_INFO 0x00000001UL 499 536 #define SYSTEM__SYSLOG_READ 0x00000002UL 500 537 #define SYSTEM__SYSLOG_MOD 0x00000004UL 501 538 #define SYSTEM__SYSLOG_CONSOLE 0x00000008UL 502 502 - 503 539 #define CAPABILITY__CHOWN 0x00000001UL 504 540 #define CAPABILITY__DAC_OVERRIDE 0x00000002UL 505 541 #define CAPABILITY__DAC_READ_SEARCH 0x00000004UL ··· 529 569 #define CAPABILITY__LEASE 0x10000000UL 530 570 #define CAPABILITY__AUDIT_WRITE 0x20000000UL 531 571 #define CAPABILITY__AUDIT_CONTROL 0x40000000UL 532 532 - 533 533 - #define PASSWD__PASSWD 0x00000001UL 534 534 - #define PASSWD__CHFN 0x00000002UL 535 535 - #define PASSWD__CHSH 0x00000004UL 536 536 - #define PASSWD__ROOTOK 0x00000008UL 537 537 - #define PASSWD__CRONTAB 0x00000010UL 538 538 - 539 539 - #define DRAWABLE__CREATE 0x00000001UL 540 540 - #define DRAWABLE__DESTROY 0x00000002UL 541 541 - #define DRAWABLE__DRAW 0x00000004UL 542 542 - #define DRAWABLE__COPY 0x00000008UL 543 543 - #define DRAWABLE__GETATTR 0x00000010UL 544 544 - 545 545 - #define GC__CREATE 0x00000001UL 546 546 - #define GC__FREE 0x00000002UL 547 547 - #define GC__GETATTR 0x00000004UL 548 548 - #define GC__SETATTR 0x00000008UL 549 549 - 550 550 - #define WINDOW__ADDCHILD 0x00000001UL 551 551 - #define WINDOW__CREATE 0x00000002UL 552 552 - #define WINDOW__DESTROY 0x00000004UL 553 553 - #define WINDOW__MAP 0x00000008UL 554 554 - #define WINDOW__UNMAP 0x00000010UL 555 555 - #define WINDOW__CHSTACK 0x00000020UL 556 556 - #define WINDOW__CHPROPLIST 0x00000040UL 557 557 - #define WINDOW__CHPROP 0x00000080UL 558 558 - #define WINDOW__LISTPROP 0x00000100UL 559 559 - #define WINDOW__GETATTR 0x00000200UL 560 560 - #define WINDOW__SETATTR 0x00000400UL 561 561 - #define WINDOW__SETFOCUS 0x00000800UL 562 562 - #define WINDOW__MOVE 0x00001000UL 563 563 - #define WINDOW__CHSELECTION 0x00002000UL 564 564 - #define WINDOW__CHPARENT 0x00004000UL 565 565 - #define WINDOW__CTRLLIFE 0x00008000UL 566 566 - #define WINDOW__ENUMERATE 0x00010000UL 567 567 - #define WINDOW__TRANSPARENT 0x00020000UL 568 568 - #define WINDOW__MOUSEMOTION 0x00040000UL 569 569 - #define WINDOW__CLIENTCOMEVENT 0x00080000UL 570 570 - #define WINDOW__INPUTEVENT 0x00100000UL 571 571 - #define WINDOW__DRAWEVENT 0x00200000UL 572 572 - #define WINDOW__WINDOWCHANGEEVENT 0x00400000UL 573 573 - #define WINDOW__WINDOWCHANGEREQUEST 0x00800000UL 574 574 - #define WINDOW__SERVERCHANGEEVENT 0x01000000UL 575 575 - #define WINDOW__EXTENSIONEVENT 0x02000000UL 576 576 - 577 577 - #define FONT__LOAD 0x00000001UL 578 578 - #define FONT__FREE 0x00000002UL 579 579 - #define FONT__GETATTR 0x00000004UL 580 580 - #define FONT__USE 0x00000008UL 581 581 - 582 582 - #define COLORMAP__CREATE 0x00000001UL 583 583 - #define COLORMAP__FREE 0x00000002UL 584 584 - #define COLORMAP__INSTALL 0x00000004UL 585 585 - #define COLORMAP__UNINSTALL 0x00000008UL 586 586 - #define COLORMAP__LIST 0x00000010UL 587 587 - #define COLORMAP__READ 0x00000020UL 588 588 - #define COLORMAP__STORE 0x00000040UL 589 589 - #define COLORMAP__GETATTR 0x00000080UL 590 590 - #define COLORMAP__SETATTR 0x00000100UL 591 591 - 592 592 - #define PROPERTY__CREATE 0x00000001UL 593 593 - #define PROPERTY__FREE 0x00000002UL 594 594 - #define PROPERTY__READ 0x00000004UL 595 595 - #define PROPERTY__WRITE 0x00000008UL 596 596 - 597 597 - #define CURSOR__CREATE 0x00000001UL 598 598 - #define CURSOR__CREATEGLYPH 0x00000002UL 599 599 - #define CURSOR__FREE 0x00000004UL 600 600 - #define CURSOR__ASSIGN 0x00000008UL 601 601 - #define CURSOR__SETATTR 0x00000010UL 602 602 - 603 603 - #define XCLIENT__KILL 0x00000001UL 604 604 - 605 605 - #define XINPUT__LOOKUP 0x00000001UL 606 606 - #define XINPUT__GETATTR 0x00000002UL 607 607 - #define XINPUT__SETATTR 0x00000004UL 608 608 - #define XINPUT__SETFOCUS 0x00000008UL 609 609 - #define XINPUT__WARPPOINTER 0x00000010UL 610 610 - #define XINPUT__ACTIVEGRAB 0x00000020UL 611 611 - #define XINPUT__PASSIVEGRAB 0x00000040UL 612 612 - #define XINPUT__UNGRAB 0x00000080UL 613 613 - #define XINPUT__BELL 0x00000100UL 614 614 - #define XINPUT__MOUSEMOTION 0x00000200UL 615 615 - #define XINPUT__RELABELINPUT 0x00000400UL 616 616 - 617 617 - #define XSERVER__SCREENSAVER 0x00000001UL 618 618 - #define XSERVER__GETHOSTLIST 0x00000002UL 619 619 - #define XSERVER__SETHOSTLIST 0x00000004UL 620 620 - #define XSERVER__GETFONTPATH 0x00000008UL 621 621 - #define XSERVER__SETFONTPATH 0x00000010UL 622 622 - #define XSERVER__GETATTR 0x00000020UL 623 623 - #define XSERVER__GRAB 0x00000040UL 624 624 - #define XSERVER__UNGRAB 0x00000080UL 625 625 - 626 626 - #define XEXTENSION__QUERY 0x00000001UL 627 627 - #define XEXTENSION__USE 0x00000002UL 628 628 - 629 629 - #define PAX__PAGEEXEC 0x00000001UL 630 630 - #define PAX__EMUTRAMP 0x00000002UL 631 631 - #define PAX__MPROTECT 0x00000004UL 632 632 - #define PAX__RANDMMAP 0x00000008UL 633 633 - #define PAX__RANDEXEC 0x00000010UL 634 634 - #define PAX__SEGMEXEC 0x00000020UL 635 635 - 636 572 #define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL 637 573 #define NETLINK_ROUTE_SOCKET__READ 0x00000002UL 638 574 #define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL ··· 551 695 #define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL 552 696 #define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL 553 697 #define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL 554 554 - 555 698 #define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL 556 699 #define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL 557 557 - 558 700 #define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL 559 701 #define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL 560 702 #define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL ··· 575 721 #define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL 576 722 #define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL 577 723 #define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL 578 578 - 579 724 #define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL 580 725 #define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL 581 581 - 582 726 #define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL 583 727 #define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL 584 728 #define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL ··· 599 747 #define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL 600 748 #define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL 601 749 #define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL 602 602 - 603 750 #define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL 604 751 #define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL 605 605 - 606 752 #define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL 607 753 #define NETLINK_NFLOG_SOCKET__READ 0x00000002UL 608 754 #define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL ··· 623 773 #define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL 624 774 #define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL 625 775 #define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL 626 626 - 627 776 #define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL 628 777 #define NETLINK_XFRM_SOCKET__READ 0x00000002UL 629 778 #define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL ··· 645 796 #define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL 646 797 #define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL 647 798 #define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL 648 648 - 649 799 #define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL 650 800 #define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL 651 651 - 652 801 #define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL 653 802 #define NETLINK_SELINUX_SOCKET__READ 0x00000002UL 654 803 #define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL ··· 669 822 #define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL 670 823 #define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL 671 824 #define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL 672 672 - 673 825 #define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL 674 826 #define NETLINK_AUDIT_SOCKET__READ 0x00000002UL 675 827 #define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL ··· 691 845 #define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL 692 846 #define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL 693 847 #define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL 694 694 - 695 848 #define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL 696 849 #define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL 697 850 #define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL 698 851 #define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL 699 699 - 700 852 #define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL 701 853 #define NETLINK_IP6FW_SOCKET__READ 0x00000002UL 702 854 #define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL ··· 717 873 #define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL 718 874 #define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL 719 875 #define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL 720 720 - 721 876 #define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL 722 877 #define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL 723 723 - 724 878 #define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL 725 879 #define NETLINK_DNRT_SOCKET__READ 0x00000002UL 726 880 #define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL ··· 741 899 #define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL 742 900 #define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL 743 901 #define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL 744 744 - 745 745 - #define DBUS__ACQUIRE_SVC 0x00000001UL 746 746 - #define DBUS__SEND_MSG 0x00000002UL 747 747 - 748 748 - #define NSCD__GETPWD 0x00000001UL 749 749 - #define NSCD__GETGRP 0x00000002UL 750 750 - #define NSCD__GETHOST 0x00000004UL 751 751 - #define NSCD__GETSTAT 0x00000008UL 752 752 - #define NSCD__ADMIN 0x00000010UL 753 753 - #define NSCD__SHMEMPWD 0x00000020UL 754 754 - #define NSCD__SHMEMGRP 0x00000040UL 755 755 - #define NSCD__SHMEMHOST 0x00000080UL 756 756 - 757 902 #define ASSOCIATION__SENDTO 0x00000001UL 758 903 #define ASSOCIATION__RECVFROM 0x00000002UL 759 904 #define ASSOCIATION__SETCONTEXT 0x00000004UL 760 905 #define ASSOCIATION__POLMATCH 0x00000008UL 761 761 - 762 906 #define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL 763 907 #define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL 764 908 #define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL ··· 767 939 #define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL 768 940 #define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL 769 941 #define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL 770 770 - 771 942 #define APPLETALK_SOCKET__IOCTL 0x00000001UL 772 943 #define APPLETALK_SOCKET__READ 0x00000002UL 773 944 #define APPLETALK_SOCKET__WRITE 0x00000004UL ··· 789 962 #define APPLETALK_SOCKET__RECV_MSG 0x00080000UL 790 963 #define APPLETALK_SOCKET__SEND_MSG 0x00100000UL 791 964 #define APPLETALK_SOCKET__NAME_BIND 0x00200000UL 792 792 - 793 965 #define PACKET__SEND 0x00000001UL 794 966 #define PACKET__RECV 0x00000002UL 795 967 #define PACKET__RELABELTO 0x00000004UL 796 796 - 797 968 #define KEY__VIEW 0x00000001UL 798 969 #define KEY__READ 0x00000002UL 799 970 #define KEY__WRITE 0x00000004UL ··· 799 974 #define KEY__LINK 0x00000010UL 800 975 #define KEY__SETATTR 0x00000020UL 801 976 #define KEY__CREATE 0x00000040UL 802 802 - 803 803 - #define CONTEXT__TRANSLATE 0x00000001UL 804 804 - #define CONTEXT__CONTAINS 0x00000002UL 805 805 - 806 977 #define DCCP_SOCKET__IOCTL 0x00000001UL 807 978 #define DCCP_SOCKET__READ 0x00000002UL 808 979 #define DCCP_SOCKET__WRITE 0x00000004UL

+17 -17

security/selinux/include/class_to_string.h

reviewed

··· 2 2 /* 3 3 * Security object class definitions 4 4 */ 5 5 - S_("null") 5 5 + S_(NULL) 6 6 S_("security") 7 7 S_("process") 8 8 S_("system") ··· 32 32 S_("msgq") 33 33 S_("shm") 34 34 S_("ipc") 35 35 - S_("passwd") 36 36 - S_("drawable") 37 37 - S_("window") 38 38 - S_("gc") 39 39 - S_("font") 40 40 - S_("colormap") 41 41 - S_("property") 42 42 - S_("cursor") 43 43 - S_("xclient") 44 44 - S_("xinput") 45 45 - S_("xserver") 46 46 - S_("xextension") 47 47 - S_("pax") 35 35 + S_(NULL) 36 36 + S_(NULL) 37 37 + S_(NULL) 38 38 + S_(NULL) 39 39 + S_(NULL) 40 40 + S_(NULL) 41 41 + S_(NULL) 42 42 + S_(NULL) 43 43 + S_(NULL) 44 44 + S_(NULL) 45 45 + S_(NULL) 46 46 + S_(NULL) 47 47 + S_(NULL) 48 48 S_("netlink_route_socket") 49 49 S_("netlink_firewall_socket") 50 50 S_("netlink_tcpdiag_socket") ··· 54 54 S_("netlink_audit_socket") 55 55 S_("netlink_ip6fw_socket") 56 56 S_("netlink_dnrt_socket") 57 57 - S_("dbus") 58 58 - S_("nscd") 57 57 + S_(NULL) 58 58 + S_(NULL) 59 59 S_("association") 60 60 S_("netlink_kobject_uevent_socket") 61 61 S_("appletalk_socket") 62 62 S_("packet") 63 63 S_("key") 64 64 - S_("context") 64 64 + S_(NULL) 65 65 S_("dccp_socket")

-16

security/selinux/include/flask.h

reviewed

··· 34 34 #define SECCLASS_MSGQ 27 35 35 #define SECCLASS_SHM 28 36 36 #define SECCLASS_IPC 29 37 37 - #define SECCLASS_PASSWD 30 38 38 - #define SECCLASS_DRAWABLE 31 39 39 - #define SECCLASS_WINDOW 32 40 40 - #define SECCLASS_GC 33 41 41 - #define SECCLASS_FONT 34 42 42 - #define SECCLASS_COLORMAP 35 43 43 - #define SECCLASS_PROPERTY 36 44 44 - #define SECCLASS_CURSOR 37 45 45 - #define SECCLASS_XCLIENT 38 46 46 - #define SECCLASS_XINPUT 39 47 47 - #define SECCLASS_XSERVER 40 48 48 - #define SECCLASS_XEXTENSION 41 49 49 - #define SECCLASS_PAX 42 50 37 #define SECCLASS_NETLINK_ROUTE_SOCKET 43 51 38 #define SECCLASS_NETLINK_FIREWALL_SOCKET 44 52 39 #define SECCLASS_NETLINK_TCPDIAG_SOCKET 45 ··· 43 56 #define SECCLASS_NETLINK_AUDIT_SOCKET 49 44 57 #define SECCLASS_NETLINK_IP6FW_SOCKET 50 45 58 #define SECCLASS_NETLINK_DNRT_SOCKET 51 46 46 - #define SECCLASS_DBUS 52 47 47 - #define SECCLASS_NSCD 53 48 59 #define SECCLASS_ASSOCIATION 54 49 60 #define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55 50 61 #define SECCLASS_APPLETALK_SOCKET 56 51 62 #define SECCLASS_PACKET 57 52 63 #define SECCLASS_KEY 58 53 53 - #define SECCLASS_CONTEXT 59 54 64 #define SECCLASS_DCCP_SOCKET 60 55 65 56 66 /*

+26 -3

security/selinux/include/security.h

reviewed

··· 34 34 #define POLICYDB_VERSION_MAX POLICYDB_VERSION_RANGETRANS 35 35 #endif 36 36 37 37 - struct sk_buff; 37 37 + struct netlbl_lsm_secattr; 38 38 39 39 extern int selinux_enabled; 40 40 extern int selinux_mls_enabled; ··· 82 82 int security_node_sid(u16 domain, void *addr, u32 addrlen, 83 83 u32 *out_sid); 84 84 85 85 - void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid); 86 86 - 87 85 int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 88 86 u16 tclass); 89 87 ··· 99 101 100 102 int security_genfs_sid(const char *fstype, char *name, u16 sclass, 101 103 u32 *sid); 104 104 + 105 105 + #ifdef CONFIG_NETLABEL 106 106 + int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 107 107 + u32 base_sid, 108 108 + u32 *sid); 109 109 + 110 110 + int security_netlbl_sid_to_secattr(u32 sid, 111 111 + struct netlbl_lsm_secattr *secattr); 112 112 + #else 113 113 + static inline int security_netlbl_secattr_to_sid( 114 114 + struct netlbl_lsm_secattr *secattr, 115 115 + u32 base_sid, 116 116 + u32 *sid) 117 117 + { 118 118 + return -EIDRM; 119 119 + } 120 120 + 121 121 + static inline int security_netlbl_sid_to_secattr(u32 sid, 122 122 + struct netlbl_lsm_secattr *secattr) 123 123 + { 124 124 + return -ENOENT; 125 125 + } 126 126 + #endif /* CONFIG_NETLABEL */ 127 127 + 128 128 + const char *security_get_initial_sid_context(u32 sid); 102 129 103 130 #endif /* _SELINUX_SECURITY_H_ */ 104 131

+37 -40

security/selinux/include/selinux_netlabel.h security/selinux/include/netlabel.h

reviewed

··· 38 38 39 39 #ifdef CONFIG_NETLABEL 40 40 void selinux_netlbl_cache_invalidate(void); 41 41 - int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid); 42 42 - int selinux_netlbl_socket_post_create(struct socket *sock); 43 43 - void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); 44 44 - int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 45 45 - struct sk_buff *skb, 46 46 - struct avc_audit_data *ad); 41 41 + 47 42 void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 48 43 int family); 49 44 void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, 50 45 int family); 51 46 void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, 52 47 struct sk_security_struct *newssec); 48 48 + 49 49 + int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid); 50 50 + 51 51 + void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock); 52 52 + int selinux_netlbl_socket_post_create(struct socket *sock); 53 53 int selinux_netlbl_inode_permission(struct inode *inode, int mask); 54 54 + int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 55 55 + struct sk_buff *skb, 56 56 + struct avc_audit_data *ad); 54 57 int selinux_netlbl_socket_setsockopt(struct socket *sock, 55 58 int level, 56 59 int optname); 57 60 #else 58 61 static inline void selinux_netlbl_cache_invalidate(void) 62 62 + { 63 63 + return; 64 64 + } 65 65 + 66 66 + static inline void selinux_netlbl_sk_security_reset( 67 67 + struct sk_security_struct *ssec, 68 68 + int family) 69 69 + { 70 70 + return; 71 71 + } 72 72 + static inline void selinux_netlbl_sk_security_init( 73 73 + struct sk_security_struct *ssec, 74 74 + int family) 75 75 + { 76 76 + return; 77 77 + } 78 78 + static inline void selinux_netlbl_sk_security_clone( 79 79 + struct sk_security_struct *ssec, 80 80 + struct sk_security_struct *newssec) 59 81 { 60 82 return; 61 83 } ··· 90 68 return 0; 91 69 } 92 70 93 93 - static inline int selinux_netlbl_socket_post_create(struct socket *sock) 94 94 - { 95 95 - return 0; 96 96 - } 97 97 - 98 71 static inline void selinux_netlbl_sock_graft(struct sock *sk, 99 72 struct socket *sock) 100 73 { 101 74 return; 102 75 } 103 103 - 76 76 + static inline int selinux_netlbl_socket_post_create(struct socket *sock) 77 77 + { 78 78 + return 0; 79 79 + } 80 80 + static inline int selinux_netlbl_inode_permission(struct inode *inode, 81 81 + int mask) 82 82 + { 83 83 + return 0; 84 84 + } 104 85 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 105 86 struct sk_buff *skb, 106 87 struct avc_audit_data *ad) 107 88 { 108 89 return 0; 109 90 } 110 110 - 111 111 - static inline void selinux_netlbl_sk_security_reset( 112 112 - struct sk_security_struct *ssec, 113 113 - int family) 114 114 - { 115 115 - return; 116 116 - } 117 117 - 118 118 - static inline void selinux_netlbl_sk_security_init( 119 119 - struct sk_security_struct *ssec, 120 120 - int family) 121 121 - { 122 122 - return; 123 123 - } 124 124 - 125 125 - static inline void selinux_netlbl_sk_security_clone( 126 126 - struct sk_security_struct *ssec, 127 127 - struct sk_security_struct *newssec) 128 128 - { 129 129 - return; 130 130 - } 131 131 - 132 132 - static inline int selinux_netlbl_inode_permission(struct inode *inode, 133 133 - int mask) 134 134 - { 135 135 - return 0; 136 136 - } 137 137 - 138 91 static inline int selinux_netlbl_socket_setsockopt(struct socket *sock, 139 92 int level, 140 93 int optname)

+363

security/selinux/netlabel.c

reviewed

··· 1 1 + /* 2 2 + * SELinux NetLabel Support 3 3 + * 4 4 + * This file provides the necessary glue to tie NetLabel into the SELinux 5 5 + * subsystem. 6 6 + * 7 7 + * Author: Paul Moore <paul.moore@hp.com> 8 8 + * 9 9 + */ 10 10 + 11 11 + /* 12 12 + * (c) Copyright Hewlett-Packard Development Company, L.P., 2007 13 13 + * 14 14 + * This program is free software; you can redistribute it and/or modify 15 15 + * it under the terms of the GNU General Public License as published by 16 16 + * the Free Software Foundation; either version 2 of the License, or 17 17 + * (at your option) any later version. 18 18 + * 19 19 + * This program is distributed in the hope that it will be useful, 20 20 + * but WITHOUT ANY WARRANTY; without even the implied warranty of 21 21 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See 22 22 + * the GNU General Public License for more details. 23 23 + * 24 24 + * You should have received a copy of the GNU General Public License 25 25 + * along with this program; if not, write to the Free Software 26 26 + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 27 27 + * 28 28 + */ 29 29 + 30 30 + #include <linux/spinlock.h> 31 31 + #include <linux/rcupdate.h> 32 32 + #include <net/sock.h> 33 33 + #include <net/netlabel.h> 34 34 + 35 35 + #include "objsec.h" 36 36 + #include "security.h" 37 37 + 38 38 + /** 39 39 + * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 40 40 + * @sock: the socket to label 41 41 + * @sid: the SID to use 42 42 + * 43 43 + * Description: 44 44 + * Attempt to label a socket using the NetLabel mechanism using the given 45 45 + * SID. Returns zero values on success, negative values on failure. The 46 46 + * caller is responsibile for calling rcu_read_lock() before calling this 47 47 + * this function and rcu_read_unlock() after this function returns. 48 48 + * 49 49 + */ 50 50 + static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 51 51 + { 52 52 + int rc; 53 53 + struct sk_security_struct *sksec = sock->sk->sk_security; 54 54 + struct netlbl_lsm_secattr secattr; 55 55 + 56 56 + rc = security_netlbl_sid_to_secattr(sid, &secattr); 57 57 + if (rc != 0) 58 58 + return rc; 59 59 + 60 60 + rc = netlbl_socket_setattr(sock, &secattr); 61 61 + if (rc == 0) { 62 62 + spin_lock_bh(&sksec->nlbl_lock); 63 63 + sksec->nlbl_state = NLBL_LABELED; 64 64 + spin_unlock_bh(&sksec->nlbl_lock); 65 65 + } 66 66 + 67 67 + return rc; 68 68 + } 69 69 + 70 70 + /** 71 71 + * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache 72 72 + * 73 73 + * Description: 74 74 + * Invalidate the NetLabel security attribute mapping cache. 75 75 + * 76 76 + */ 77 77 + void selinux_netlbl_cache_invalidate(void) 78 78 + { 79 79 + netlbl_cache_invalidate(); 80 80 + } 81 81 + 82 82 + /** 83 83 + * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 84 84 + * @ssec: the sk_security_struct 85 85 + * @family: the socket family 86 86 + * 87 87 + * Description: 88 88 + * Called when the NetLabel state of a sk_security_struct needs to be reset. 89 89 + * The caller is responsibile for all the NetLabel sk_security_struct locking. 90 90 + * 91 91 + */ 92 92 + void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 93 93 + int family) 94 94 + { 95 95 + if (family == PF_INET) 96 96 + ssec->nlbl_state = NLBL_REQUIRE; 97 97 + else 98 98 + ssec->nlbl_state = NLBL_UNSET; 99 99 + } 100 100 + 101 101 + /** 102 102 + * selinux_netlbl_sk_security_init - Setup the NetLabel fields 103 103 + * @ssec: the sk_security_struct 104 104 + * @family: the socket family 105 105 + * 106 106 + * Description: 107 107 + * Called when a new sk_security_struct is allocated to initialize the NetLabel 108 108 + * fields. 109 109 + * 110 110 + */ 111 111 + void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, 112 112 + int family) 113 113 + { 114 114 + /* No locking needed, we are the only one who has access to ssec */ 115 115 + selinux_netlbl_sk_security_reset(ssec, family); 116 116 + spin_lock_init(&ssec->nlbl_lock); 117 117 + } 118 118 + 119 119 + /** 120 120 + * selinux_netlbl_sk_security_clone - Copy the NetLabel fields 121 121 + * @ssec: the original sk_security_struct 122 122 + * @newssec: the cloned sk_security_struct 123 123 + * 124 124 + * Description: 125 125 + * Clone the NetLabel specific sk_security_struct fields from @ssec to 126 126 + * @newssec. 127 127 + * 128 128 + */ 129 129 + void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, 130 130 + struct sk_security_struct *newssec) 131 131 + { 132 132 + /* We don't need to take newssec->nlbl_lock because we are the only 133 133 + * thread with access to newssec, but we do need to take the RCU read 134 134 + * lock as other threads could have access to ssec */ 135 135 + rcu_read_lock(); 136 136 + selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); 137 137 + newssec->sclass = ssec->sclass; 138 138 + rcu_read_unlock(); 139 139 + } 140 140 + 141 141 + /** 142 142 + * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel 143 143 + * @skb: the packet 144 144 + * @base_sid: the SELinux SID to use as a context for MLS only attributes 145 145 + * @sid: the SID 146 146 + * 147 147 + * Description: 148 148 + * Call the NetLabel mechanism to get the security attributes of the given 149 149 + * packet and use those attributes to determine the correct context/SID to 150 150 + * assign to the packet. Returns zero on success, negative values on failure. 151 151 + * 152 152 + */ 153 153 + int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) 154 154 + { 155 155 + int rc; 156 156 + struct netlbl_lsm_secattr secattr; 157 157 + 158 158 + netlbl_secattr_init(&secattr); 159 159 + rc = netlbl_skbuff_getattr(skb, &secattr); 160 160 + if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 161 161 + rc = security_netlbl_secattr_to_sid(&secattr, 162 162 + base_sid, 163 163 + sid); 164 164 + else 165 165 + *sid = SECSID_NULL; 166 166 + netlbl_secattr_destroy(&secattr); 167 167 + 168 168 + return rc; 169 169 + } 170 170 + 171 171 + /** 172 172 + * selinux_netlbl_sock_graft - Netlabel the new socket 173 173 + * @sk: the new connection 174 174 + * @sock: the new socket 175 175 + * 176 176 + * Description: 177 177 + * The connection represented by @sk is being grafted onto @sock so set the 178 178 + * socket's NetLabel to match the SID of @sk. 179 179 + * 180 180 + */ 181 181 + void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) 182 182 + { 183 183 + struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 184 184 + struct sk_security_struct *sksec = sk->sk_security; 185 185 + struct netlbl_lsm_secattr secattr; 186 186 + u32 nlbl_peer_sid; 187 187 + 188 188 + sksec->sclass = isec->sclass; 189 189 + 190 190 + rcu_read_lock(); 191 191 + 192 192 + if (sksec->nlbl_state != NLBL_REQUIRE) { 193 193 + rcu_read_unlock(); 194 194 + return; 195 195 + } 196 196 + 197 197 + netlbl_secattr_init(&secattr); 198 198 + if (netlbl_sock_getattr(sk, &secattr) == 0 && 199 199 + secattr.flags != NETLBL_SECATTR_NONE && 200 200 + security_netlbl_secattr_to_sid(&secattr, 201 201 + SECINITSID_UNLABELED, 202 202 + &nlbl_peer_sid) == 0) 203 203 + sksec->peer_sid = nlbl_peer_sid; 204 204 + netlbl_secattr_destroy(&secattr); 205 205 + 206 206 + /* Try to set the NetLabel on the socket to save time later, if we fail 207 207 + * here we will pick up the pieces in later calls to 208 208 + * selinux_netlbl_inode_permission(). */ 209 209 + selinux_netlbl_socket_setsid(sock, sksec->sid); 210 210 + 211 211 + rcu_read_unlock(); 212 212 + } 213 213 + 214 214 + /** 215 215 + * selinux_netlbl_socket_post_create - Label a socket using NetLabel 216 216 + * @sock: the socket to label 217 217 + * 218 218 + * Description: 219 219 + * Attempt to label a socket using the NetLabel mechanism using the given 220 220 + * SID. Returns zero values on success, negative values on failure. 221 221 + * 222 222 + */ 223 223 + int selinux_netlbl_socket_post_create(struct socket *sock) 224 224 + { 225 225 + int rc = 0; 226 226 + struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 227 227 + struct sk_security_struct *sksec = sock->sk->sk_security; 228 228 + 229 229 + sksec->sclass = isec->sclass; 230 230 + 231 231 + rcu_read_lock(); 232 232 + if (sksec->nlbl_state == NLBL_REQUIRE) 233 233 + rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 234 234 + rcu_read_unlock(); 235 235 + 236 236 + return rc; 237 237 + } 238 238 + 239 239 + /** 240 240 + * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled 241 241 + * @inode: the file descriptor's inode 242 242 + * @mask: the permission mask 243 243 + * 244 244 + * Description: 245 245 + * Looks at a file's inode and if it is marked as a socket protected by 246 246 + * NetLabel then verify that the socket has been labeled, if not try to label 247 247 + * the socket now with the inode's SID. Returns zero on success, negative 248 248 + * values on failure. 249 249 + * 250 250 + */ 251 251 + int selinux_netlbl_inode_permission(struct inode *inode, int mask) 252 252 + { 253 253 + int rc; 254 254 + struct sk_security_struct *sksec; 255 255 + struct socket *sock; 256 256 + 257 257 + if (!S_ISSOCK(inode->i_mode) || 258 258 + ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 259 259 + return 0; 260 260 + sock = SOCKET_I(inode); 261 261 + sksec = sock->sk->sk_security; 262 262 + 263 263 + rcu_read_lock(); 264 264 + if (sksec->nlbl_state != NLBL_REQUIRE) { 265 265 + rcu_read_unlock(); 266 266 + return 0; 267 267 + } 268 268 + local_bh_disable(); 269 269 + bh_lock_sock_nested(sock->sk); 270 270 + rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 271 271 + bh_unlock_sock(sock->sk); 272 272 + local_bh_enable(); 273 273 + rcu_read_unlock(); 274 274 + 275 275 + return rc; 276 276 + } 277 277 + 278 278 + /** 279 279 + * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel 280 280 + * @sksec: the sock's sk_security_struct 281 281 + * @skb: the packet 282 282 + * @ad: the audit data 283 283 + * 284 284 + * Description: 285 285 + * Fetch the NetLabel security attributes from @skb and perform an access check 286 286 + * against the receiving socket. Returns zero on success, negative values on 287 287 + * error. 288 288 + * 289 289 + */ 290 290 + int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 291 291 + struct sk_buff *skb, 292 292 + struct avc_audit_data *ad) 293 293 + { 294 294 + int rc; 295 295 + u32 netlbl_sid; 296 296 + u32 recv_perm; 297 297 + 298 298 + rc = selinux_netlbl_skbuff_getsid(skb, 299 299 + SECINITSID_UNLABELED, 300 300 + &netlbl_sid); 301 301 + if (rc != 0) 302 302 + return rc; 303 303 + 304 304 + if (netlbl_sid == SECSID_NULL) 305 305 + return 0; 306 306 + 307 307 + switch (sksec->sclass) { 308 308 + case SECCLASS_UDP_SOCKET: 309 309 + recv_perm = UDP_SOCKET__RECVFROM; 310 310 + break; 311 311 + case SECCLASS_TCP_SOCKET: 312 312 + recv_perm = TCP_SOCKET__RECVFROM; 313 313 + break; 314 314 + default: 315 315 + recv_perm = RAWIP_SOCKET__RECVFROM; 316 316 + } 317 317 + 318 318 + rc = avc_has_perm(sksec->sid, 319 319 + netlbl_sid, 320 320 + sksec->sclass, 321 321 + recv_perm, 322 322 + ad); 323 323 + if (rc == 0) 324 324 + return 0; 325 325 + 326 326 + netlbl_skbuff_err(skb, rc); 327 327 + return rc; 328 328 + } 329 329 + 330 330 + /** 331 331 + * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel 332 332 + * @sock: the socket 333 333 + * @level: the socket level or protocol 334 334 + * @optname: the socket option name 335 335 + * 336 336 + * Description: 337 337 + * Check the setsockopt() call and if the user is trying to replace the IP 338 338 + * options on a socket and a NetLabel is in place for the socket deny the 339 339 + * access; otherwise allow the access. Returns zero when the access is 340 340 + * allowed, -EACCES when denied, and other negative values on error. 341 341 + * 342 342 + */ 343 343 + int selinux_netlbl_socket_setsockopt(struct socket *sock, 344 344 + int level, 345 345 + int optname) 346 346 + { 347 347 + int rc = 0; 348 348 + struct sk_security_struct *sksec = sock->sk->sk_security; 349 349 + struct netlbl_lsm_secattr secattr; 350 350 + 351 351 + rcu_read_lock(); 352 352 + if (level == IPPROTO_IP && optname == IP_OPTIONS && 353 353 + sksec->nlbl_state == NLBL_LABELED) { 354 354 + netlbl_secattr_init(&secattr); 355 355 + rc = netlbl_socket_getattr(sock, &secattr); 356 356 + if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 357 357 + rc = -EACCES; 358 358 + netlbl_secattr_destroy(&secattr); 359 359 + } 360 360 + rcu_read_unlock(); 361 361 + 362 362 + return rc; 363 363 + }

+78 -7

security/selinux/selinuxfs.c

reviewed

··· 96 96 SEL_COMMIT_BOOLS, /* commit new boolean values */ 97 97 SEL_MLS, /* return if MLS policy is enabled */ 98 98 SEL_DISABLE, /* disable SELinux until next reboot */ 99 99 - SEL_AVC, /* AVC management directory */ 100 99 SEL_MEMBER, /* compute polyinstantiation membership decision */ 101 100 SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */ 102 101 SEL_COMPAT_NET, /* whether to use old compat network packet controls */ 102 102 + SEL_INO_NEXT, /* The next inode number to use */ 103 103 }; 104 104 + 105 105 + static unsigned long sel_last_ino = SEL_INO_NEXT - 1; 106 106 + 107 107 + #define SEL_INITCON_INO_OFFSET 0x01000000 108 108 + #define SEL_BOOL_INO_OFFSET 0x02000000 109 109 + #define SEL_INO_MASK 0x00ffffff 104 110 105 111 #define TMPBUFLEN 12 106 112 static ssize_t sel_read_enforce(struct file *filp, char __user *buf, ··· 783 777 return ret; 784 778 } 785 779 786 786 - #define BOOL_INO_OFFSET 30 787 787 - 788 780 static ssize_t sel_read_bool(struct file *filep, char __user *buf, 789 781 size_t count, loff_t *ppos) 790 782 { ··· 810 806 } 811 807 812 808 inode = filep->f_path.dentry->d_inode; 813 813 - cur_enforcing = security_get_bool_value(inode->i_ino - BOOL_INO_OFFSET); 809 809 + cur_enforcing = security_get_bool_value(inode->i_ino&SEL_INO_MASK); 814 810 if (cur_enforcing < 0) { 815 811 ret = cur_enforcing; 816 812 goto out; 817 813 } 818 814 819 815 length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing, 820 820 - bool_pending_values[inode->i_ino - BOOL_INO_OFFSET]); 816 816 + bool_pending_values[inode->i_ino&SEL_INO_MASK]); 821 817 ret = simple_read_from_buffer(buf, count, ppos, page, length); 822 818 out: 823 819 mutex_unlock(&sel_mutex); ··· 869 865 new_value = 1; 870 866 871 867 inode = filep->f_path.dentry->d_inode; 872 872 - bool_pending_values[inode->i_ino - BOOL_INO_OFFSET] = new_value; 868 868 + bool_pending_values[inode->i_ino&SEL_INO_MASK] = new_value; 873 869 length = count; 874 870 875 871 out: ··· 1033 1029 isec->sid = sid; 1034 1030 isec->initialized = 1; 1035 1031 inode->i_fop = &sel_bool_ops; 1036 1036 - inode->i_ino = i + BOOL_INO_OFFSET; 1032 1032 + inode->i_ino = i|SEL_BOOL_INO_OFFSET; 1037 1033 d_add(dentry, inode); 1038 1034 } 1039 1035 bool_num = num; ··· 1238 1234 goto out; 1239 1235 } 1240 1236 inode->i_fop = files[i].ops; 1237 1237 + inode->i_ino = ++sel_last_ino; 1238 1238 + d_add(dentry, inode); 1239 1239 + } 1240 1240 + out: 1241 1241 + return ret; 1242 1242 + } 1243 1243 + 1244 1244 + static ssize_t sel_read_initcon(struct file * file, char __user *buf, 1245 1245 + size_t count, loff_t *ppos) 1246 1246 + { 1247 1247 + struct inode *inode; 1248 1248 + char *con; 1249 1249 + u32 sid, len; 1250 1250 + ssize_t ret; 1251 1251 + 1252 1252 + inode = file->f_path.dentry->d_inode; 1253 1253 + sid = inode->i_ino&SEL_INO_MASK; 1254 1254 + ret = security_sid_to_context(sid, &con, &len); 1255 1255 + if (ret < 0) 1256 1256 + return ret; 1257 1257 + 1258 1258 + ret = simple_read_from_buffer(buf, count, ppos, con, len); 1259 1259 + kfree(con); 1260 1260 + return ret; 1261 1261 + } 1262 1262 + 1263 1263 + static const struct file_operations sel_initcon_ops = { 1264 1264 + .read = sel_read_initcon, 1265 1265 + }; 1266 1266 + 1267 1267 + static int sel_make_initcon_files(struct dentry *dir) 1268 1268 + { 1269 1269 + int i, ret = 0; 1270 1270 + 1271 1271 + for (i = 1; i <= SECINITSID_NUM; i++) { 1272 1272 + struct inode *inode; 1273 1273 + struct dentry *dentry; 1274 1274 + dentry = d_alloc_name(dir, security_get_initial_sid_context(i)); 1275 1275 + if (!dentry) { 1276 1276 + ret = -ENOMEM; 1277 1277 + goto out; 1278 1278 + } 1279 1279 + 1280 1280 + inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1281 1281 + if (!inode) { 1282 1282 + ret = -ENOMEM; 1283 1283 + goto out; 1284 1284 + } 1285 1285 + inode->i_fop = &sel_initcon_ops; 1286 1286 + inode->i_ino = i|SEL_INITCON_INO_OFFSET; 1241 1287 d_add(dentry, inode); 1242 1288 } 1243 1289 out: ··· 1306 1252 } 1307 1253 inode->i_op = &simple_dir_inode_operations; 1308 1254 inode->i_fop = &simple_dir_operations; 1255 1255 + inode->i_ino = ++sel_last_ino; 1309 1256 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1310 1257 inc_nlink(inode); 1311 1258 d_add(dentry, inode); ··· 1369 1314 ret = -ENOMEM; 1370 1315 goto err; 1371 1316 } 1317 1317 + inode->i_ino = ++sel_last_ino; 1372 1318 isec = (struct inode_security_struct*)inode->i_security; 1373 1319 isec->sid = SECINITSID_DEVNULL; 1374 1320 isec->sclass = SECCLASS_CHR_FILE; ··· 1392 1336 ret = sel_make_avc_files(dentry); 1393 1337 if (ret) 1394 1338 goto err; 1339 1339 + 1340 1340 + dentry = d_alloc_name(sb->s_root, "initial_contexts"); 1341 1341 + if (!dentry) { 1342 1342 + ret = -ENOMEM; 1343 1343 + goto err; 1344 1344 + } 1345 1345 + 1346 1346 + ret = sel_make_dir(root_inode, dentry); 1347 1347 + if (ret) 1348 1348 + goto err; 1349 1349 + 1350 1350 + ret = sel_make_initcon_files(dentry); 1351 1351 + if (ret) 1352 1352 + goto err; 1353 1353 + 1395 1354 out: 1396 1355 return ret; 1397 1356 err:

+106 -393

security/selinux/ss/services.c

reviewed

··· 39 39 #include <linux/sched.h> 40 40 #include <linux/audit.h> 41 41 #include <linux/mutex.h> 42 42 - #include <net/sock.h> 43 42 #include <net/netlabel.h> 44 43 45 44 #include "flask.h" ··· 52 53 #include "conditional.h" 53 54 #include "mls.h" 54 55 #include "objsec.h" 55 55 - #include "selinux_netlabel.h" 56 56 + #include "netlabel.h" 56 57 #include "xfrm.h" 57 58 #include "ebitmap.h" 58 59 ··· 593 594 594 595 #include "initial_sid_to_string.h" 595 596 597 597 + const char *security_get_initial_sid_context(u32 sid) 598 598 + { 599 599 + if (unlikely(sid > SECINITSID_NUM)) 600 600 + return NULL; 601 601 + return initial_sid_to_string[sid]; 602 602 + } 603 603 + 596 604 /** 597 605 * security_sid_to_context - Obtain a context for a given SID. 598 606 * @sid: security identifier, SID ··· 1056 1050 1057 1051 for (i = 1; i < kdefs->cts_len; i++) { 1058 1052 def_class = kdefs->class_to_string[i]; 1053 1053 + if (!def_class) 1054 1054 + continue; 1059 1055 if (i > p->p_classes.nprim) { 1060 1056 printk(KERN_INFO 1061 1057 "security: class %s not defined in policy\n", ··· 1257 1249 } 1258 1250 1259 1251 extern void selinux_complete_init(void); 1252 1252 + static int security_preserve_bools(struct policydb *p); 1260 1253 1261 1254 /** 1262 1255 * security_load_policy - Load a security policy configuration. ··· 1331 1322 printk(KERN_ERR 1332 1323 "security: the definition of a class is incorrect\n"); 1333 1324 rc = -EINVAL; 1325 1325 + goto err; 1326 1326 + } 1327 1327 + 1328 1328 + rc = security_preserve_bools(&newpolicydb); 1329 1329 + if (rc) { 1330 1330 + printk(KERN_ERR "security: unable to preserve booleans\n"); 1334 1331 goto err; 1335 1332 } 1336 1333 ··· 1897 1882 return rc; 1898 1883 } 1899 1884 1885 1885 + static int security_preserve_bools(struct policydb *p) 1886 1886 + { 1887 1887 + int rc, nbools = 0, *bvalues = NULL, i; 1888 1888 + char **bnames = NULL; 1889 1889 + struct cond_bool_datum *booldatum; 1890 1890 + struct cond_node *cur; 1891 1891 + 1892 1892 + rc = security_get_bools(&nbools, &bnames, &bvalues); 1893 1893 + if (rc) 1894 1894 + goto out; 1895 1895 + for (i = 0; i < nbools; i++) { 1896 1896 + booldatum = hashtab_search(p->p_bools.table, bnames[i]); 1897 1897 + if (booldatum) 1898 1898 + booldatum->state = bvalues[i]; 1899 1899 + } 1900 1900 + for (cur = p->cond_list; cur != NULL; cur = cur->next) { 1901 1901 + rc = evaluate_cond_node(p, cur); 1902 1902 + if (rc) 1903 1903 + goto out; 1904 1904 + } 1905 1905 + 1906 1906 + out: 1907 1907 + if (bnames) { 1908 1908 + for (i = 0; i < nbools; i++) 1909 1909 + kfree(bnames[i]); 1910 1910 + } 1911 1911 + kfree(bnames); 1912 1912 + kfree(bvalues); 1913 1913 + return rc; 1914 1914 + } 1915 1915 + 1900 1916 /* 1901 1917 * security_sid_mls_copy() - computes a new sid based on the given 1902 1918 * sid and the mls portion of mls_sid. ··· 2244 2198 aurule_callback = callback; 2245 2199 } 2246 2200 2247 2247 - /** 2248 2248 - * security_skb_extlbl_sid - Determine the external label of a packet 2249 2249 - * @skb: the packet 2250 2250 - * @base_sid: the SELinux SID to use as a context for MLS only external labels 2251 2251 - * @sid: the packet's SID 2252 2252 - * 2253 2253 - * Description: 2254 2254 - * Check the various different forms of external packet labeling and determine 2255 2255 - * the external SID for the packet. 2256 2256 - * 2257 2257 - */ 2258 2258 - void security_skb_extlbl_sid(struct sk_buff *skb, u32 base_sid, u32 *sid) 2259 2259 - { 2260 2260 - u32 xfrm_sid; 2261 2261 - u32 nlbl_sid; 2262 2262 - 2263 2263 - selinux_skb_xfrm_sid(skb, &xfrm_sid); 2264 2264 - if (selinux_netlbl_skbuff_getsid(skb, 2265 2265 - (xfrm_sid == SECSID_NULL ? 2266 2266 - base_sid : xfrm_sid), 2267 2267 - &nlbl_sid) != 0) 2268 2268 - nlbl_sid = SECSID_NULL; 2269 2269 - 2270 2270 - *sid = (nlbl_sid == SECSID_NULL ? xfrm_sid : nlbl_sid); 2271 2271 - } 2272 2272 - 2273 2201 #ifdef CONFIG_NETLABEL 2274 2202 /* 2275 2275 - * This is the structure we store inside the NetLabel cache block. 2203 2203 + * NetLabel cache structure 2276 2204 */ 2277 2277 - #define NETLBL_CACHE(x) ((struct netlbl_cache *)(x)) 2205 2205 + #define NETLBL_CACHE(x) ((struct selinux_netlbl_cache *)(x)) 2278 2206 #define NETLBL_CACHE_T_NONE 0 2279 2207 #define NETLBL_CACHE_T_SID 1 2280 2208 #define NETLBL_CACHE_T_MLS 2 2281 2281 - struct netlbl_cache { 2209 2209 + struct selinux_netlbl_cache { 2282 2210 u32 type; 2283 2211 union { 2284 2212 u32 sid; ··· 2261 2241 }; 2262 2242 2263 2243 /** 2264 2264 - * selinux_netlbl_cache_free - Free the NetLabel cached data 2244 2244 + * security_netlbl_cache_free - Free the NetLabel cached data 2265 2245 * @data: the data to free 2266 2246 * 2267 2247 * Description: ··· 2269 2249 * netlbl_lsm_cache structure. 2270 2250 * 2271 2251 */ 2272 2272 - static void selinux_netlbl_cache_free(const void *data) 2252 2252 + static void security_netlbl_cache_free(const void *data) 2273 2253 { 2274 2274 - struct netlbl_cache *cache; 2254 2254 + struct selinux_netlbl_cache *cache; 2275 2255 2276 2256 if (data == NULL) 2277 2257 return; ··· 2286 2266 } 2287 2267 2288 2268 /** 2289 2289 - * selinux_netlbl_cache_add - Add an entry to the NetLabel cache 2290 2290 - * @skb: the packet 2269 2269 + * security_netlbl_cache_add - Add an entry to the NetLabel cache 2270 2270 + * @secattr: the NetLabel packet security attributes 2291 2271 * @ctx: the SELinux context 2292 2272 * 2293 2273 * Description: 2294 2274 * Attempt to cache the context in @ctx, which was derived from the packet in 2295 2295 - * @skb, in the NetLabel subsystem cache. 2275 2275 + * @skb, in the NetLabel subsystem cache. This function assumes @secattr has 2276 2276 + * already been initialized. 2296 2277 * 2297 2278 */ 2298 2298 - static void selinux_netlbl_cache_add(struct sk_buff *skb, struct context *ctx) 2279 2279 + static void security_netlbl_cache_add(struct netlbl_lsm_secattr *secattr, 2280 2280 + struct context *ctx) 2299 2281 { 2300 2300 - struct netlbl_cache *cache = NULL; 2301 2301 - struct netlbl_lsm_secattr secattr; 2282 2282 + struct selinux_netlbl_cache *cache = NULL; 2302 2283 2303 2303 - netlbl_secattr_init(&secattr); 2304 2304 - secattr.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2305 2305 - if (secattr.cache == NULL) 2306 2306 - goto netlbl_cache_add_return; 2284 2284 + secattr->cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 2285 2285 + if (secattr->cache == NULL) 2286 2286 + return; 2307 2287 2308 2288 cache = kzalloc(sizeof(*cache), GFP_ATOMIC); 2309 2289 if (cache == NULL) 2310 2310 - goto netlbl_cache_add_return; 2290 2290 + return; 2311 2291 2312 2292 cache->type = NETLBL_CACHE_T_MLS; 2313 2293 if (ebitmap_cpy(&cache->data.mls_label.level[0].cat, 2314 2294 &ctx->range.level[0].cat) != 0) 2315 2315 - goto netlbl_cache_add_return; 2295 2295 + return; 2316 2296 cache->data.mls_label.level[1].cat.highbit = 2317 2297 cache->data.mls_label.level[0].cat.highbit; 2318 2298 cache->data.mls_label.level[1].cat.node = ··· 2320 2300 cache->data.mls_label.level[0].sens = ctx->range.level[0].sens; 2321 2301 cache->data.mls_label.level[1].sens = ctx->range.level[0].sens; 2322 2302 2323 2323 - secattr.cache->free = selinux_netlbl_cache_free; 2324 2324 - secattr.cache->data = (void *)cache; 2325 2325 - secattr.flags = NETLBL_SECATTR_CACHE; 2326 2326 - 2327 2327 - netlbl_cache_add(skb, &secattr); 2328 2328 - 2329 2329 - netlbl_cache_add_return: 2330 2330 - netlbl_secattr_destroy(&secattr); 2303 2303 + secattr->cache->free = security_netlbl_cache_free; 2304 2304 + secattr->cache->data = (void *)cache; 2305 2305 + secattr->flags |= NETLBL_SECATTR_CACHE; 2331 2306 } 2332 2307 2333 2308 /** 2334 2334 - * selinux_netlbl_cache_invalidate - Invalidate the NetLabel cache 2335 2335 - * 2336 2336 - * Description: 2337 2337 - * Invalidate the NetLabel security attribute mapping cache. 2338 2338 - * 2339 2339 - */ 2340 2340 - void selinux_netlbl_cache_invalidate(void) 2341 2341 - { 2342 2342 - netlbl_cache_invalidate(); 2343 2343 - } 2344 2344 - 2345 2345 - /** 2346 2346 - * selinux_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2347 2347 - * @skb: the network packet 2309 2309 + * security_netlbl_secattr_to_sid - Convert a NetLabel secattr to a SELinux SID 2348 2310 * @secattr: the NetLabel packet security attributes 2349 2311 * @base_sid: the SELinux SID to use as a context for MLS only attributes 2350 2312 * @sid: the SELinux SID 2351 2313 * 2352 2314 * Description: 2353 2353 - * Convert the given NetLabel packet security attributes in @secattr into a 2315 2315 + * Convert the given NetLabel security attributes in @secattr into a 2354 2316 * SELinux SID. If the @secattr field does not contain a full SELinux 2355 2355 - * SID/context then use the context in @base_sid as the foundation. If @skb 2356 2356 - * is not NULL attempt to cache as much data as possibile. Returns zero on 2357 2357 - * success, negative values on failure. 2317 2317 + * SID/context then use the context in @base_sid as the foundation. If 2318 2318 + * possibile the 'cache' field of @secattr is set and the CACHE flag is set; 2319 2319 + * this is to allow the @secattr to be used by NetLabel to cache the secattr to 2320 2320 + * SID conversion for future lookups. Returns zero on success, negative 2321 2321 + * values on failure. 2358 2322 * 2359 2323 */ 2360 2360 - static int selinux_netlbl_secattr_to_sid(struct sk_buff *skb, 2361 2361 - struct netlbl_lsm_secattr *secattr, 2362 2362 - u32 base_sid, 2363 2363 - u32 *sid) 2324 2324 + int security_netlbl_secattr_to_sid(struct netlbl_lsm_secattr *secattr, 2325 2325 + u32 base_sid, 2326 2326 + u32 *sid) 2364 2327 { 2365 2328 int rc = -EIDRM; 2366 2329 struct context *ctx; 2367 2330 struct context ctx_new; 2368 2368 - struct netlbl_cache *cache; 2331 2331 + struct selinux_netlbl_cache *cache; 2332 2332 + 2333 2333 + if (!ss_initialized) { 2334 2334 + *sid = SECSID_NULL; 2335 2335 + return 0; 2336 2336 + } 2369 2337 2370 2338 POLICY_RDLOCK; 2371 2339 ··· 2418 2410 if (rc != 0) 2419 2411 goto netlbl_secattr_to_sid_return_cleanup; 2420 2412 2421 2421 - if (skb != NULL) 2422 2422 - selinux_netlbl_cache_add(skb, &ctx_new); 2413 2413 + security_netlbl_cache_add(secattr, &ctx_new); 2414 2414 + 2423 2415 ebitmap_destroy(&ctx_new.range.level[0].cat); 2424 2416 } else { 2425 2417 *sid = SECSID_NULL; ··· 2435 2427 } 2436 2428 2437 2429 /** 2438 2438 - * selinux_netlbl_skbuff_getsid - Get the sid of a packet using NetLabel 2439 2439 - * @skb: the packet 2440 2440 - * @base_sid: the SELinux SID to use as a context for MLS only attributes 2441 2441 - * @sid: the SID 2430 2430 + * security_netlbl_sid_to_secattr - Convert a SELinux SID to a NetLabel secattr 2431 2431 + * @sid: the SELinux SID 2432 2432 + * @secattr: the NetLabel packet security attributes 2442 2433 * 2443 2434 * Description: 2444 2444 - * Call the NetLabel mechanism to get the security attributes of the given 2445 2445 - * packet and use those attributes to determine the correct context/SID to 2446 2446 - * assign to the packet. Returns zero on success, negative values on failure. 2435 2435 + * Convert the given SELinux SID in @sid into a NetLabel security attribute. 2436 2436 + * Returns zero on success, negative values on failure. 2447 2437 * 2448 2438 */ 2449 2449 - int selinux_netlbl_skbuff_getsid(struct sk_buff *skb, u32 base_sid, u32 *sid) 2450 2450 - { 2451 2451 - int rc; 2452 2452 - struct netlbl_lsm_secattr secattr; 2453 2453 - 2454 2454 - netlbl_secattr_init(&secattr); 2455 2455 - rc = netlbl_skbuff_getattr(skb, &secattr); 2456 2456 - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 2457 2457 - rc = selinux_netlbl_secattr_to_sid(skb, 2458 2458 - &secattr, 2459 2459 - base_sid, 2460 2460 - sid); 2461 2461 - else 2462 2462 - *sid = SECSID_NULL; 2463 2463 - netlbl_secattr_destroy(&secattr); 2464 2464 - 2465 2465 - return rc; 2466 2466 - } 2467 2467 - 2468 2468 - /** 2469 2469 - * selinux_netlbl_socket_setsid - Label a socket using the NetLabel mechanism 2470 2470 - * @sock: the socket to label 2471 2471 - * @sid: the SID to use 2472 2472 - * 2473 2473 - * Description: 2474 2474 - * Attempt to label a socket using the NetLabel mechanism using the given 2475 2475 - * SID. Returns zero values on success, negative values on failure. The 2476 2476 - * caller is responsibile for calling rcu_read_lock() before calling this 2477 2477 - * this function and rcu_read_unlock() after this function returns. 2478 2478 - * 2479 2479 - */ 2480 2480 - static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) 2439 2439 + int security_netlbl_sid_to_secattr(u32 sid, struct netlbl_lsm_secattr *secattr) 2481 2440 { 2482 2441 int rc = -ENOENT; 2483 2483 - struct sk_security_struct *sksec = sock->sk->sk_security; 2484 2484 - struct netlbl_lsm_secattr secattr; 2485 2442 struct context *ctx; 2443 2443 + 2444 2444 + netlbl_secattr_init(secattr); 2486 2445 2487 2446 if (!ss_initialized) 2488 2447 return 0; 2489 2448 2490 2490 - netlbl_secattr_init(&secattr); 2491 2491 - 2492 2449 POLICY_RDLOCK; 2493 2493 - 2494 2450 ctx = sidtab_search(&sidtab, sid); 2495 2451 if (ctx == NULL) 2496 2496 - goto netlbl_socket_setsid_return; 2497 2497 - 2498 2498 - secattr.domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2499 2499 - GFP_ATOMIC); 2500 2500 - secattr.flags |= NETLBL_SECATTR_DOMAIN; 2501 2501 - mls_export_netlbl_lvl(ctx, &secattr); 2502 2502 - rc = mls_export_netlbl_cat(ctx, &secattr); 2452 2452 + goto netlbl_sid_to_secattr_failure; 2453 2453 + secattr->domain = kstrdup(policydb.p_type_val_to_name[ctx->type - 1], 2454 2454 + GFP_ATOMIC); 2455 2455 + secattr->flags |= NETLBL_SECATTR_DOMAIN; 2456 2456 + mls_export_netlbl_lvl(ctx, secattr); 2457 2457 + rc = mls_export_netlbl_cat(ctx, secattr); 2503 2458 if (rc != 0) 2504 2504 - goto netlbl_socket_setsid_return; 2505 2505 - 2506 2506 - rc = netlbl_socket_setattr(sock, &secattr); 2507 2507 - if (rc == 0) { 2508 2508 - spin_lock_bh(&sksec->nlbl_lock); 2509 2509 - sksec->nlbl_state = NLBL_LABELED; 2510 2510 - spin_unlock_bh(&sksec->nlbl_lock); 2511 2511 - } 2512 2512 - 2513 2513 - netlbl_socket_setsid_return: 2459 2459 + goto netlbl_sid_to_secattr_failure; 2514 2460 POLICY_RDUNLOCK; 2515 2515 - netlbl_secattr_destroy(&secattr); 2516 2516 - return rc; 2517 2517 - } 2518 2461 2519 2519 - /** 2520 2520 - * selinux_netlbl_sk_security_reset - Reset the NetLabel fields 2521 2521 - * @ssec: the sk_security_struct 2522 2522 - * @family: the socket family 2523 2523 - * 2524 2524 - * Description: 2525 2525 - * Called when the NetLabel state of a sk_security_struct needs to be reset. 2526 2526 - * The caller is responsibile for all the NetLabel sk_security_struct locking. 2527 2527 - * 2528 2528 - */ 2529 2529 - void selinux_netlbl_sk_security_reset(struct sk_security_struct *ssec, 2530 2530 - int family) 2531 2531 - { 2532 2532 - if (family == PF_INET) 2533 2533 - ssec->nlbl_state = NLBL_REQUIRE; 2534 2534 - else 2535 2535 - ssec->nlbl_state = NLBL_UNSET; 2536 2536 - } 2462 2462 + return 0; 2537 2463 2538 2538 - /** 2539 2539 - * selinux_netlbl_sk_security_init - Setup the NetLabel fields 2540 2540 - * @ssec: the sk_security_struct 2541 2541 - * @family: the socket family 2542 2542 - * 2543 2543 - * Description: 2544 2544 - * Called when a new sk_security_struct is allocated to initialize the NetLabel 2545 2545 - * fields. 2546 2546 - * 2547 2547 - */ 2548 2548 - void selinux_netlbl_sk_security_init(struct sk_security_struct *ssec, 2549 2549 - int family) 2550 2550 - { 2551 2551 - /* No locking needed, we are the only one who has access to ssec */ 2552 2552 - selinux_netlbl_sk_security_reset(ssec, family); 2553 2553 - spin_lock_init(&ssec->nlbl_lock); 2554 2554 - } 2555 2555 - 2556 2556 - /** 2557 2557 - * selinux_netlbl_sk_security_clone - Copy the NetLabel fields 2558 2558 - * @ssec: the original sk_security_struct 2559 2559 - * @newssec: the cloned sk_security_struct 2560 2560 - * 2561 2561 - * Description: 2562 2562 - * Clone the NetLabel specific sk_security_struct fields from @ssec to 2563 2563 - * @newssec. 2564 2564 - * 2565 2565 - */ 2566 2566 - void selinux_netlbl_sk_security_clone(struct sk_security_struct *ssec, 2567 2567 - struct sk_security_struct *newssec) 2568 2568 - { 2569 2569 - /* We don't need to take newssec->nlbl_lock because we are the only 2570 2570 - * thread with access to newssec, but we do need to take the RCU read 2571 2571 - * lock as other threads could have access to ssec */ 2572 2572 - rcu_read_lock(); 2573 2573 - selinux_netlbl_sk_security_reset(newssec, ssec->sk->sk_family); 2574 2574 - newssec->sclass = ssec->sclass; 2575 2575 - rcu_read_unlock(); 2576 2576 - } 2577 2577 - 2578 2578 - /** 2579 2579 - * selinux_netlbl_socket_post_create - Label a socket using NetLabel 2580 2580 - * @sock: the socket to label 2581 2581 - * 2582 2582 - * Description: 2583 2583 - * Attempt to label a socket using the NetLabel mechanism using the given 2584 2584 - * SID. Returns zero values on success, negative values on failure. 2585 2585 - * 2586 2586 - */ 2587 2587 - int selinux_netlbl_socket_post_create(struct socket *sock) 2588 2588 - { 2589 2589 - int rc = 0; 2590 2590 - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2591 2591 - struct sk_security_struct *sksec = sock->sk->sk_security; 2592 2592 - 2593 2593 - sksec->sclass = isec->sclass; 2594 2594 - 2595 2595 - rcu_read_lock(); 2596 2596 - if (sksec->nlbl_state == NLBL_REQUIRE) 2597 2597 - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 2598 2598 - rcu_read_unlock(); 2599 2599 - 2600 2600 - return rc; 2601 2601 - } 2602 2602 - 2603 2603 - /** 2604 2604 - * selinux_netlbl_sock_graft - Netlabel the new socket 2605 2605 - * @sk: the new connection 2606 2606 - * @sock: the new socket 2607 2607 - * 2608 2608 - * Description: 2609 2609 - * The connection represented by @sk is being grafted onto @sock so set the 2610 2610 - * socket's NetLabel to match the SID of @sk. 2611 2611 - * 2612 2612 - */ 2613 2613 - void selinux_netlbl_sock_graft(struct sock *sk, struct socket *sock) 2614 2614 - { 2615 2615 - struct inode_security_struct *isec = SOCK_INODE(sock)->i_security; 2616 2616 - struct sk_security_struct *sksec = sk->sk_security; 2617 2617 - struct netlbl_lsm_secattr secattr; 2618 2618 - u32 nlbl_peer_sid; 2619 2619 - 2620 2620 - sksec->sclass = isec->sclass; 2621 2621 - 2622 2622 - rcu_read_lock(); 2623 2623 - 2624 2624 - if (sksec->nlbl_state != NLBL_REQUIRE) { 2625 2625 - rcu_read_unlock(); 2626 2626 - return; 2627 2627 - } 2628 2628 - 2629 2629 - netlbl_secattr_init(&secattr); 2630 2630 - if (netlbl_sock_getattr(sk, &secattr) == 0 && 2631 2631 - secattr.flags != NETLBL_SECATTR_NONE && 2632 2632 - selinux_netlbl_secattr_to_sid(NULL, 2633 2633 - &secattr, 2634 2634 - SECINITSID_UNLABELED, 2635 2635 - &nlbl_peer_sid) == 0) 2636 2636 - sksec->peer_sid = nlbl_peer_sid; 2637 2637 - netlbl_secattr_destroy(&secattr); 2638 2638 - 2639 2639 - /* Try to set the NetLabel on the socket to save time later, if we fail 2640 2640 - * here we will pick up the pieces in later calls to 2641 2641 - * selinux_netlbl_inode_permission(). */ 2642 2642 - selinux_netlbl_socket_setsid(sock, sksec->sid); 2643 2643 - 2644 2644 - rcu_read_unlock(); 2645 2645 - } 2646 2646 - 2647 2647 - /** 2648 2648 - * selinux_netlbl_inode_permission - Verify the socket is NetLabel labeled 2649 2649 - * @inode: the file descriptor's inode 2650 2650 - * @mask: the permission mask 2651 2651 - * 2652 2652 - * Description: 2653 2653 - * Looks at a file's inode and if it is marked as a socket protected by 2654 2654 - * NetLabel then verify that the socket has been labeled, if not try to label 2655 2655 - * the socket now with the inode's SID. Returns zero on success, negative 2656 2656 - * values on failure. 2657 2657 - * 2658 2658 - */ 2659 2659 - int selinux_netlbl_inode_permission(struct inode *inode, int mask) 2660 2660 - { 2661 2661 - int rc; 2662 2662 - struct sk_security_struct *sksec; 2663 2663 - struct socket *sock; 2664 2664 - 2665 2665 - if (!S_ISSOCK(inode->i_mode) || 2666 2666 - ((mask & (MAY_WRITE | MAY_APPEND)) == 0)) 2667 2667 - return 0; 2668 2668 - sock = SOCKET_I(inode); 2669 2669 - sksec = sock->sk->sk_security; 2670 2670 - 2671 2671 - rcu_read_lock(); 2672 2672 - if (sksec->nlbl_state != NLBL_REQUIRE) { 2673 2673 - rcu_read_unlock(); 2674 2674 - return 0; 2675 2675 - } 2676 2676 - local_bh_disable(); 2677 2677 - bh_lock_sock_nested(sock->sk); 2678 2678 - rc = selinux_netlbl_socket_setsid(sock, sksec->sid); 2679 2679 - bh_unlock_sock(sock->sk); 2680 2680 - local_bh_enable(); 2681 2681 - rcu_read_unlock(); 2682 2682 - 2683 2683 - return rc; 2684 2684 - } 2685 2685 - 2686 2686 - /** 2687 2687 - * selinux_netlbl_sock_rcv_skb - Do an inbound access check using NetLabel 2688 2688 - * @sksec: the sock's sk_security_struct 2689 2689 - * @skb: the packet 2690 2690 - * @ad: the audit data 2691 2691 - * 2692 2692 - * Description: 2693 2693 - * Fetch the NetLabel security attributes from @skb and perform an access check 2694 2694 - * against the receiving socket. Returns zero on success, negative values on 2695 2695 - * error. 2696 2696 - * 2697 2697 - */ 2698 2698 - int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec, 2699 2699 - struct sk_buff *skb, 2700 2700 - struct avc_audit_data *ad) 2701 2701 - { 2702 2702 - int rc; 2703 2703 - u32 netlbl_sid; 2704 2704 - u32 recv_perm; 2705 2705 - 2706 2706 - rc = selinux_netlbl_skbuff_getsid(skb, 2707 2707 - SECINITSID_UNLABELED, 2708 2708 - &netlbl_sid); 2709 2709 - if (rc != 0) 2710 2710 - return rc; 2711 2711 - 2712 2712 - if (netlbl_sid == SECSID_NULL) 2713 2713 - return 0; 2714 2714 - 2715 2715 - switch (sksec->sclass) { 2716 2716 - case SECCLASS_UDP_SOCKET: 2717 2717 - recv_perm = UDP_SOCKET__RECVFROM; 2718 2718 - break; 2719 2719 - case SECCLASS_TCP_SOCKET: 2720 2720 - recv_perm = TCP_SOCKET__RECVFROM; 2721 2721 - break; 2722 2722 - default: 2723 2723 - recv_perm = RAWIP_SOCKET__RECVFROM; 2724 2724 - } 2725 2725 - 2726 2726 - rc = avc_has_perm(sksec->sid, 2727 2727 - netlbl_sid, 2728 2728 - sksec->sclass, 2729 2729 - recv_perm, 2730 2730 - ad); 2731 2731 - if (rc == 0) 2732 2732 - return 0; 2733 2733 - 2734 2734 - netlbl_skbuff_err(skb, rc); 2735 2735 - return rc; 2736 2736 - } 2737 2737 - 2738 2738 - /** 2739 2739 - * selinux_netlbl_socket_setsockopt - Do not allow users to remove a NetLabel 2740 2740 - * @sock: the socket 2741 2741 - * @level: the socket level or protocol 2742 2742 - * @optname: the socket option name 2743 2743 - * 2744 2744 - * Description: 2745 2745 - * Check the setsockopt() call and if the user is trying to replace the IP 2746 2746 - * options on a socket and a NetLabel is in place for the socket deny the 2747 2747 - * access; otherwise allow the access. Returns zero when the access is 2748 2748 - * allowed, -EACCES when denied, and other negative values on error. 2749 2749 - * 2750 2750 - */ 2751 2751 - int selinux_netlbl_socket_setsockopt(struct socket *sock, 2752 2752 - int level, 2753 2753 - int optname) 2754 2754 - { 2755 2755 - int rc = 0; 2756 2756 - struct sk_security_struct *sksec = sock->sk->sk_security; 2757 2757 - struct netlbl_lsm_secattr secattr; 2758 2758 - 2759 2759 - rcu_read_lock(); 2760 2760 - if (level == IPPROTO_IP && optname == IP_OPTIONS && 2761 2761 - sksec->nlbl_state == NLBL_LABELED) { 2762 2762 - netlbl_secattr_init(&secattr); 2763 2763 - rc = netlbl_socket_getattr(sock, &secattr); 2764 2764 - if (rc == 0 && secattr.flags != NETLBL_SECATTR_NONE) 2765 2765 - rc = -EACCES; 2766 2766 - netlbl_secattr_destroy(&secattr); 2767 2767 - } 2768 2768 - rcu_read_unlock(); 2769 2769 - 2464 2464 + netlbl_sid_to_secattr_failure: 2465 2465 + POLICY_RDUNLOCK; 2466 2466 + netlbl_secattr_destroy(secattr); 2770 2467 return rc; 2771 2468 } 2772 2469 #endif /* CONFIG_NETLABEL */