| 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
|---|
| 2 | |
|---|
| 3 | #include <linux/capability.h> |
|---|
| 4 | #include <linux/socket.h> |
|---|
| 5 | |
|---|
| 6 | #define COMMON_FILE_SOCK_PERMS \ |
|---|
| 7 | "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ |
|---|
| 8 | "relabelfrom", "relabelto", "append", "map" |
|---|
| 9 | |
|---|
| 10 | #define COMMON_FILE_PERMS \ |
|---|
| 11 | COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \ |
|---|
| 12 | "quotaon", "mounton", "audit_access", "open", "execmod", \ |
|---|
| 13 | "watch", "watch_mount", "watch_sb", "watch_with_perm", \ |
|---|
| 14 | "watch_reads" |
|---|
| 15 | |
|---|
| 16 | #define COMMON_SOCK_PERMS \ |
|---|
| 17 | COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \ |
|---|
| 18 | "getopt", "setopt", "shutdown", "recvfrom", "sendto", \ |
|---|
| 19 | "name_bind" |
|---|
| 20 | |
|---|
| 21 | #define COMMON_IPC_PERMS \ |
|---|
| 22 | "create", "destroy", "getattr", "setattr", "read", "write", \ |
|---|
| 23 | "associate", "unix_read", "unix_write" |
|---|
| 24 | |
|---|
| 25 | #define COMMON_CAP_PERMS \ |
|---|
| 26 | "chown", "dac_override", "dac_read_search", "fowner", "fsetid", \ |
|---|
| 27 | "kill", "setgid", "setuid", "setpcap", "linux_immutable", \ |
|---|
| 28 | "net_bind_service", "net_broadcast", "net_admin", "net_raw", \ |
|---|
| 29 | "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", \ |
|---|
| 30 | "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ |
|---|
| 31 | "sys_boot", "sys_nice", "sys_resource", "sys_time", \ |
|---|
| 32 | "sys_tty_config", "mknod", "lease", "audit_write", \ |
|---|
| 33 | "audit_control", "setfcap" |
|---|
| 34 | |
|---|
| 35 | #define COMMON_CAP2_PERMS \ |
|---|
| 36 | "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ |
|---|
| 37 | "audit_read", "perfmon", "bpf", "checkpoint_restore" |
|---|
| 38 | |
|---|
| 39 | #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE |
|---|
| 40 | #error New capability defined, please update COMMON_CAP2_PERMS. |
|---|
| 41 | #endif |
|---|
| 42 | |
|---|
| 43 | /* |
|---|
| 44 | * Note: The name for any socket class should be suffixed by "socket", |
|---|
| 45 | * and doesn't contain more than one substr of "socket". |
|---|
| 46 | */ |
|---|
| 47 | const struct security_class_mapping secclass_map[] = { |
|---|
| 48 | { "security" , |
|---|
| 49 | { "compute_av" , "compute_create" , "compute_member" , "check_context" , |
|---|
| 50 | "load_policy" , "compute_relabel" , "compute_user" , "setenforce" , |
|---|
| 51 | "setbool" , "setsecparam" , "setcheckreqprot" , "read_policy" , |
|---|
| 52 | "validate_trans" , NULL } }, |
|---|
| 53 | { "process" , |
|---|
| 54 | { "fork" , "transition" , "sigchld" , "sigkill" , |
|---|
| 55 | "sigstop" , "signull" , "signal" , "ptrace" , |
|---|
| 56 | "getsched" , "setsched" , "getsession" , "getpgid" , |
|---|
| 57 | "setpgid" , "getcap" , "setcap" , "share" , |
|---|
| 58 | "getattr" , "setexec" , "setfscreate" , "noatsecure" , |
|---|
| 59 | "siginh" , "setrlimit" , "rlimitinh" , "dyntransition" , |
|---|
| 60 | "setcurrent" , "execmem" , "execstack" , "execheap" , |
|---|
| 61 | "setkeycreate" , "setsockcreate" , "getrlimit" , NULL } }, |
|---|
| 62 | { "process2" , { "nnp_transition" , "nosuid_transition" , NULL } }, |
|---|
| 63 | { "system" , |
|---|
| 64 | { "ipc_info" , "syslog_read" , "syslog_mod" , "syslog_console" , |
|---|
| 65 | "module_request" , "module_load" , NULL } }, |
|---|
| 66 | { "capability" , { COMMON_CAP_PERMS, NULL } }, |
|---|
| 67 | { "filesystem" , |
|---|
| 68 | { "mount" , "remount" , "unmount" , "getattr" , "relabelfrom" , |
|---|
| 69 | "relabelto" , "associate" , "quotamod" , "quotaget" , "watch" , NULL } }, |
|---|
| 70 | { "file" , |
|---|
| 71 | { COMMON_FILE_PERMS, "execute_no_trans" , "entrypoint" , NULL } }, |
|---|
| 72 | { "dir" , |
|---|
| 73 | { COMMON_FILE_PERMS, "add_name" , "remove_name" , "reparent" , "search" , |
|---|
| 74 | "rmdir" , NULL } }, |
|---|
| 75 | { "fd" , { "use" , NULL } }, |
|---|
| 76 | { "lnk_file" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 77 | { "chr_file" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 78 | { "blk_file" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 79 | { "sock_file" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 80 | { "fifo_file" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 81 | { "socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 82 | { "tcp_socket" , |
|---|
| 83 | { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , NULL } }, |
|---|
| 84 | { "udp_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } }, |
|---|
| 85 | { "rawip_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } }, |
|---|
| 86 | { "node" , { "recvfrom" , "sendto" , NULL } }, |
|---|
| 87 | { "netif" , { "ingress" , "egress" , NULL } }, |
|---|
| 88 | { "netlink_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 89 | { "packet_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 90 | { "key_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 91 | { "unix_stream_socket" , { COMMON_SOCK_PERMS, "connectto" , NULL } }, |
|---|
| 92 | { "unix_dgram_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 93 | { "sem" , { COMMON_IPC_PERMS, NULL } }, |
|---|
| 94 | { "msg" , { "send" , "receive" , NULL } }, |
|---|
| 95 | { "msgq" , { COMMON_IPC_PERMS, "enqueue" , NULL } }, |
|---|
| 96 | { "shm" , { COMMON_IPC_PERMS, "lock" , NULL } }, |
|---|
| 97 | { "ipc" , { COMMON_IPC_PERMS, NULL } }, |
|---|
| 98 | { "netlink_route_socket" , |
|---|
| 99 | { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } }, |
|---|
| 100 | { "netlink_tcpdiag_socket" , |
|---|
| 101 | { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } }, |
|---|
| 102 | { "netlink_nflog_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 103 | { "netlink_xfrm_socket" , |
|---|
| 104 | { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , NULL } }, |
|---|
| 105 | { "netlink_selinux_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 106 | { "netlink_iscsi_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 107 | { "netlink_audit_socket" , |
|---|
| 108 | { COMMON_SOCK_PERMS, "nlmsg_read" , "nlmsg_write" , "nlmsg_relay" , |
|---|
| 109 | "nlmsg_readpriv" , "nlmsg_tty_audit" , NULL } }, |
|---|
| 110 | { "netlink_fib_lookup_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 111 | { "netlink_connector_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 112 | { "netlink_netfilter_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 113 | { "netlink_dnrt_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 114 | { "association" , |
|---|
| 115 | { "sendto" , "recvfrom" , "setcontext" , "polmatch" , NULL } }, |
|---|
| 116 | { "netlink_kobject_uevent_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 117 | { "netlink_generic_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 118 | { "netlink_scsitransport_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 119 | { "netlink_rdma_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 120 | { "netlink_crypto_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 121 | { "appletalk_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 122 | { "packet" , |
|---|
| 123 | { "send" , "recv" , "relabelto" , "forward_in" , "forward_out" , NULL } }, |
|---|
| 124 | { "key" , |
|---|
| 125 | { "view" , "read" , "write" , "search" , "link" , "setattr" , "create" , |
|---|
| 126 | NULL } }, |
|---|
| 127 | { "dccp_socket" , |
|---|
| 128 | { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , NULL } }, |
|---|
| 129 | { "memprotect" , { "mmap_zero" , NULL } }, |
|---|
| 130 | { "peer" , { "recv" , NULL } }, |
|---|
| 131 | { "capability2" , { COMMON_CAP2_PERMS, NULL } }, |
|---|
| 132 | { "kernel_service" , { "use_as_override" , "create_files_as" , NULL } }, |
|---|
| 133 | { "tun_socket" , { COMMON_SOCK_PERMS, "attach_queue" , NULL } }, |
|---|
| 134 | { "binder" , |
|---|
| 135 | { "impersonate" , "call" , "set_context_mgr" , "transfer" , NULL } }, |
|---|
| 136 | { "cap_userns" , { COMMON_CAP_PERMS, NULL } }, |
|---|
| 137 | { "cap2_userns" , { COMMON_CAP2_PERMS, NULL } }, |
|---|
| 138 | { "sctp_socket" , |
|---|
| 139 | { COMMON_SOCK_PERMS, "node_bind" , "name_connect" , "association" , |
|---|
| 140 | NULL } }, |
|---|
| 141 | { "icmp_socket" , { COMMON_SOCK_PERMS, "node_bind" , NULL } }, |
|---|
| 142 | { "ax25_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 143 | { "ipx_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 144 | { "netrom_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 145 | { "atmpvc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 146 | { "x25_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 147 | { "rose_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 148 | { "decnet_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 149 | { "atmsvc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 150 | { "rds_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 151 | { "irda_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 152 | { "pppox_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 153 | { "llc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 154 | { "can_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 155 | { "tipc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 156 | { "bluetooth_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 157 | { "iucv_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 158 | { "rxrpc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 159 | { "isdn_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 160 | { "phonet_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 161 | { "ieee802154_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 162 | { "caif_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 163 | { "alg_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 164 | { "nfc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 165 | { "vsock_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 166 | { "kcm_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 167 | { "qipcrtr_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 168 | { "smc_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 169 | { "infiniband_pkey" , { "access" , NULL } }, |
|---|
| 170 | { "infiniband_endport" , { "manage_subnet" , NULL } }, |
|---|
| 171 | { "bpf" , |
|---|
| 172 | { "map_create" , "map_read" , "map_write" , "prog_load" , "prog_run" , |
|---|
| 173 | NULL } }, |
|---|
| 174 | { "xdp_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 175 | { "mctp_socket" , { COMMON_SOCK_PERMS, NULL } }, |
|---|
| 176 | { "perf_event" , |
|---|
| 177 | { "open" , "cpu" , "kernel" , "tracepoint" , "read" , "write" , NULL } }, |
|---|
| 178 | { "anon_inode" , { COMMON_FILE_PERMS, NULL } }, |
|---|
| 179 | { "io_uring" , { "override_creds" , "sqpoll" , "cmd" , NULL } }, |
|---|
| 180 | { "user_namespace" , { "create" , NULL } }, |
|---|
| 181 | { NULL } |
|---|
| 182 | }; |
|---|
| 183 | |
|---|
| 184 | #if PF_MAX > 46 |
|---|
| 185 | #error New address family defined, please update secclass_map. |
|---|
| 186 | #endif |
|---|
| 187 | |
|---|
