1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | |
3 | #include <linux/capability.h> |
4 | #include <linux/socket.h> |
5 | |
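/*
 * Permission-name lists shared by several classes in secclass_map below.
 * Each macro expands to a comma-separated run of string literals that is
 * spliced into a class's permission array, optionally followed by the
 * class-specific permissions and the terminating NULL.
 */

/* Permissions common to every file-like and socket-like class. */
#define COMMON_FILE_SOCK_PERMS \
	"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
	"relabelfrom", "relabelto", "append", "map"

/* Permissions common to all file-like classes (file, dir, lnk_file, ...). */
#define COMMON_FILE_PERMS \
	COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \
	"quotaon", "mounton", "audit_access", "open", "execmod", \
	"watch", "watch_mount", "watch_sb", "watch_with_perm", \
	"watch_reads"

/* Permissions common to all socket classes. */
#define COMMON_SOCK_PERMS \
	COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
	"getopt", "setopt", "shutdown", "recvfrom", "sendto", \
	"name_bind"

/* Permissions common to the SysV IPC classes (sem, msgq, shm, ipc). */
#define COMMON_IPC_PERMS \
	"create", "destroy", "getattr", "setattr", "read", "write", \
	"associate", "unix_read", "unix_write"

/*
 * Capability permissions.  The position of each name is expected to match
 * its CAP_* number in <linux/capability.h>: COMMON_CAP_PERMS covers
 * CAP_CHOWN (0) through CAP_SETFCAP (31), COMMON_CAP2_PERMS covers
 * CAP_MAC_OVERRIDE (32) through CAP_CHECKPOINT_RESTORE (40).  Append new
 * capabilities at the end of the appropriate list; never insert into or
 * reorder a list, as that would shift the permission looked up for every
 * later capability.
 */
#define COMMON_CAP_PERMS \
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", \
	"kill", "setgid", "setuid", "setpcap", "linux_immutable", \
	"net_bind_service", "net_broadcast", "net_admin", "net_raw", \
	"ipc_lock", "ipc_owner", "sys_module", "sys_rawio", \
	"sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
	"sys_boot", "sys_nice", "sys_resource", "sys_time", \
	"sys_tty_config", "mknod", "lease", "audit_write", \
	"audit_control", "setfcap"

#define COMMON_CAP2_PERMS \
	"mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
	"audit_read", "perfmon", "bpf", "checkpoint_restore"

/* A capability newer than the last one listed must be added to CAP2. */
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif

/*
 * The #if above only notices a capability that is newer than the last one
 * listed.  These checks also catch an entry that was dropped or duplicated,
 * which would otherwise silently mis-map every later capability.  The CAP2
 * count must be bumped together with the #if above when a capability is
 * added.
 */
_Static_assert(sizeof((const char *[]){ COMMON_CAP_PERMS }) /
		       sizeof(const char *) == 32,
	       "COMMON_CAP_PERMS must list exactly CAP_CHOWN..CAP_SETFCAP");
_Static_assert(sizeof((const char *[]){ COMMON_CAP2_PERMS }) /
		       sizeof(const char *) == 9,
	       "COMMON_CAP2_PERMS must list exactly CAP_MAC_OVERRIDE..CAP_CHECKPOINT_RESTORE");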
42 | |
/*
 * Mapping from SELinux object class names to their permission names.
 *
 * Each entry is a class name followed by a NULL-terminated list of
 * permission names; the table itself ends with a { NULL } entry.  The
 * COMMON_*_PERMS macros supply the permission set shared by a family of
 * classes, with the class-specific permissions appended after them.
 *
 * This is a definition with external linkage, so each binary should
 * include this header from a single translation unit.
 *
 * NOTE(review): the position of a class in this table, and of a
 * permission within its class, is presumably significant to the code
 * that consumes the table (e.g. generated class/permission constants);
 * append new classes and permissions at the end rather than inserting
 * or reordering — confirm against the consumers before changing order.
 *
 * Note: The name for any socket class should be suffixed by "socket",
 * and must not contain the substring "socket" more than once.
 */
const struct security_class_mapping secclass_map[] = {
	{ "security" ,
	  { "compute_av" , "compute_create" , "compute_member" , "check_context" ,
	    "load_policy" , "compute_relabel" , "compute_user" , "setenforce" ,
	    "setbool" , "setsecparam" , "setcheckreqprot" , "read_policy" ,
	    "validate_trans" , NULL } },
	{ "process" ,
	  { "fork" , "transition" , "sigchld" , "sigkill" ,
	    "sigstop" , "signull" , "signal" , "ptrace" ,
	    "getsched" , "setsched" , "getsession" , "getpgid" ,
	    "setpgid" , "getcap" , "setcap" , "share" ,
	    "getattr" , "setexec" , "setfscreate" , "noatsecure" ,
	    "siginh" , "setrlimit" , "rlimitinh" , "dyntransition" ,
	    "setcurrent" , "execmem" , "execstack" , "execheap" ,
	    "setkeycreate" , "setsockcreate" , "getrlimit" , NULL } },
	{ "process2" , { "nnp_transition" , "nosuid_transition" , NULL } },
	{ "system" ,
	  { "ipc_info" , "syslog_read" , "syslog_mod" , "syslog_console" ,
	    "module_request" , "module_load" , NULL } },
	/* tracks the CAP_* definitions in <linux/capability.h>; see COMMON_CAP_PERMS */
	{ "capability" , { COMMON_CAP_PERMS, NULL } },
	{ "filesystem" ,
	  { "mount" , "remount" , "unmount" , "getattr" , "relabelfrom" ,
	    "relabelto" , "associate" , "quotamod" , "quotaget" , "watch" , NULL } },
	{ "file" ,
	  { COMMON_FILE_PERMS, "execute_no_trans" , "entrypoint" , NULL } },
	{ "dir" ,
	  { COMMON_FILE_PERMS, "add_name" , "remove_name" , "reparent" , "search" ,
	    "rmdir" , NULL } },
	{ "fd" , { "use" , NULL } },
	{ "lnk_file" , { COMMON_FILE_PERMS, NULL } },
	{ "chr_file" , { COMMON_FILE_PERMS, NULL } },
	{ "blk_file" , { COMMON_FILE_PERMS, NULL } },
	{ "sock_file" , { COMMON_FILE_PERMS, NULL } },
	{ "fifo_file" , { COMMON_FILE_PERMS, NULL } },
	/* Socket classes: one per protocol family; see the PF_MAX check below. */
	{ "socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket" ,
	  { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , NULL } },
	{ "udp_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } },
	{ "rawip_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } },
	{ "node" , { "recvfrom" , "sendto" , NULL } },
	{ "netif" , { "ingress" , "egress" , NULL } },
	{ "netlink_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket" , { COMMON_SOCK_PERMS, "connectto" , NULL } },
	{ "unix_dgram_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "sem" , { COMMON_IPC_PERMS, NULL } },
	{ "msg" , { "send" , "receive" , NULL } },
	{ "msgq" , { COMMON_IPC_PERMS, "enqueue" , NULL } },
	{ "shm" , { COMMON_IPC_PERMS, "lock" , NULL } },
	{ "ipc" , { COMMON_IPC_PERMS, NULL } },
	{ "netlink_route_socket" ,
	  { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } },
	{ "netlink_tcpdiag_socket" ,
	  { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } },
	{ "netlink_nflog_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket" ,
	  { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } },
	{ "netlink_selinux_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_iscsi_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket" ,
	  { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , "nlmsg_relay" ,
	    "nlmsg_readpriv" , "nlmsg_tty_audit" , NULL } },
	{ "netlink_fib_lookup_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_connector_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_netfilter_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_dnrt_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "association" ,
	  { "sendto" , "recvfrom" , "setcontext" , "polmatch" , NULL } },
	{ "netlink_kobject_uevent_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_generic_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_scsitransport_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_rdma_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_crypto_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "packet" ,
	  { "send" , "recv" , "relabelto" , "forward_in" , "forward_out" , NULL } },
	{ "key" ,
	  { "view" , "read" , "write" , "search" , "link" , "setattr" , "create" ,
	    NULL } },
	{ "dccp_socket" ,
	  { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , NULL } },
	{ "memprotect" , { "mmap_zero" , NULL } },
	{ "peer" , { "recv" , NULL } },
	/* continuation of the CAP_* list beyond the first 32 capabilities */
	{ "capability2" , { COMMON_CAP2_PERMS, NULL } },
	{ "kernel_service" , { "use_as_override" , "create_files_as" , NULL } },
	{ "tun_socket" , { COMMON_SOCK_PERMS, "attach_queue" , NULL } },
	{ "binder" ,
	  { "impersonate" , "call" , "set_context_mgr" , "transfer" , NULL } },
	/* same permission lists as capability/capability2; presumably the
	 * user-namespace variants — confirm against the capability hook */
	{ "cap_userns" , { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns" , { COMMON_CAP2_PERMS, NULL } },
	{ "sctp_socket" ,
	  { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , "association" ,
	    NULL } },
	{ "icmp_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } },
	{ "ax25_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "ipx_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "netrom_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "atmpvc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "x25_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "rose_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "decnet_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "atmsvc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "rds_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "irda_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "pppox_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "llc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "can_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "tipc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "bluetooth_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "iucv_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "rxrpc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "isdn_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "phonet_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "ieee802154_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "caif_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "alg_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "nfc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "vsock_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "kcm_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "qipcrtr_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "smc_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "infiniband_pkey" , { "access" , NULL } },
	{ "infiniband_endport" , { "manage_subnet" , NULL } },
	{ "bpf" ,
	  { "map_create" , "map_read" , "map_write" , "prog_load" , "prog_run" ,
	    NULL } },
	{ "xdp_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "mctp_socket" , { COMMON_SOCK_PERMS, NULL } },
	{ "perf_event" ,
	  { "open" , "cpu" , "kernel" , "tracepoint" , "read" , "write" , NULL } },
	{ "anon_inode" , { COMMON_FILE_PERMS, NULL } },
	{ "io_uring" , { "override_creds" , "sqpoll" , "cmd" , NULL } },
	{ "user_namespace" , { "create" , NULL } },
	/* sentinel: terminates the table and must remain the last entry */
	{ NULL }
};
183 | |
/*
 * Keep the protocol-family socket classes in secclass_map in sync with the
 * kernel's address families.  The constant 46 appears to be the PF_MAX
 * that goes with the newest *_socket class above (mctp_socket); when a new
 * address family is added, add its socket class to secclass_map and bump
 * this constant in the same change.
 */
#if PF_MAX > 46
#error New address family defined, please update secclass_map.
#endif
187 | |