mirror of
https://github.com/edk2-porting/linux-next.git
synced 2024-12-18 18:23:53 +08:00
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (30 commits)
TOMOYO: Add recursive directory matching operator support.
remove CONFIG_SECURITY_FILE_CAPABILITIES compile option
SELinux: print denials for buggy kernel with unknown perms
Silence the existing API for capability version compatibility check.
LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock().
SELinux: header generation may hit infinite loop
selinux: Fix warnings
security: report the module name to security_module_request
Config option to set a default LSM
sysctl: require CAP_SYS_RAWIO to set mmap_min_addr
tpm: autoload tpm_tis based on system PnP IDs
tpm_tis: TPM_STS_DATA_EXPECT workaround
define convenient securebits masks for prctl users (v2)
tpm: fix header for modular build
tomoyo: improve hash bucket dispersion
tpm add default function definitions
LSM: imbed ima calls in the security hooks
SELinux: add .gitignore files for dynamic classes
security: remove root_plug
SELinux: fix locking issue introduced with c6d3aaa4e3
...
This commit is contained in:
commit
83fdbfbfe6
@ -65,6 +65,7 @@ aicdb.h*
|
||||
asm-offsets.h
|
||||
asm_offsets.h
|
||||
autoconf.h*
|
||||
av_permissions.h
|
||||
bbootsect
|
||||
bin2c
|
||||
binkernel.spec
|
||||
@ -95,12 +96,14 @@ docproc
|
||||
elf2ecoff
|
||||
elfconfig.h*
|
||||
fixdep
|
||||
flask.h
|
||||
fore200e_mkfirm
|
||||
fore200e_pca_fw.c*
|
||||
gconf
|
||||
gen-devlist
|
||||
gen_crc32table
|
||||
gen_init_cpio
|
||||
genheaders
|
||||
genksyms
|
||||
*_gray256.c
|
||||
ihex2fw
|
||||
|
@ -85,7 +85,6 @@ parameter is applicable:
|
||||
PPT Parallel port support is enabled.
|
||||
PS2 Appropriate PS/2 support is enabled.
|
||||
RAM RAM disk support is enabled.
|
||||
ROOTPLUG The example Root Plug LSM is enabled.
|
||||
S390 S390 architecture is enabled.
|
||||
SCSI Appropriate SCSI support is enabled.
|
||||
A lot of drivers has their options described inside of
|
||||
@ -2164,15 +2163,6 @@ and is between 256 and 4096 characters. It is defined in the file
|
||||
Useful for devices that are detected asynchronously
|
||||
(e.g. USB and MMC devices).
|
||||
|
||||
root_plug.vendor_id=
|
||||
[ROOTPLUG] Override the default vendor ID
|
||||
|
||||
root_plug.product_id=
|
||||
[ROOTPLUG] Override the default product ID
|
||||
|
||||
root_plug.debug=
|
||||
[ROOTPLUG] Enable debugging output
|
||||
|
||||
rw [KNL] Mount root device read-write on boot
|
||||
|
||||
S [KNL] Run init in single mode
|
||||
|
@ -31,7 +31,7 @@
|
||||
|
||||
enum tpm_const {
|
||||
TPM_MINOR = 224, /* officially assigned */
|
||||
TPM_BUFSIZE = 2048,
|
||||
TPM_BUFSIZE = 4096,
|
||||
TPM_NUM_DEVICES = 256,
|
||||
};
|
||||
|
||||
|
@ -257,6 +257,10 @@ out:
|
||||
return size;
|
||||
}
|
||||
|
||||
static int itpm;
|
||||
module_param(itpm, bool, 0444);
|
||||
MODULE_PARM_DESC(itpm, "Force iTPM workarounds (found on some Lenovo laptops)");
|
||||
|
||||
/*
|
||||
* If interrupts are used (signaled by an irq set in the vendor structure)
|
||||
* tpm.c can skip polling for the data to be available as the interrupt is
|
||||
@ -293,7 +297,7 @@ static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len)
|
||||
wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c,
|
||||
&chip->vendor.int_queue);
|
||||
status = tpm_tis_status(chip);
|
||||
if ((status & TPM_STS_DATA_EXPECT) == 0) {
|
||||
if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) {
|
||||
rc = -EIO;
|
||||
goto out_err;
|
||||
}
|
||||
@ -467,6 +471,10 @@ static int tpm_tis_init(struct device *dev, resource_size_t start,
|
||||
"1.2 TPM (device-id 0x%X, rev-id %d)\n",
|
||||
vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0)));
|
||||
|
||||
if (itpm)
|
||||
dev_info(dev, "Intel iTPM workaround enabled\n");
|
||||
|
||||
|
||||
/* Figure out the capabilities */
|
||||
intfcaps =
|
||||
ioread32(chip->vendor.iobase +
|
||||
@ -629,6 +637,7 @@ static struct pnp_device_id tpm_pnp_tbl[] __devinitdata = {
|
||||
{"", 0}, /* User Specified */
|
||||
{"", 0} /* Terminator */
|
||||
};
|
||||
MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl);
|
||||
|
||||
static __devexit void tpm_tis_pnp_remove(struct pnp_dev *dev)
|
||||
{
|
||||
|
@ -46,7 +46,6 @@
|
||||
#include <linux/proc_fs.h>
|
||||
#include <linux/mount.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
#include <linux/syscalls.h>
|
||||
#include <linux/tsacct_kern.h>
|
||||
#include <linux/cn_proc.h>
|
||||
@ -1207,9 +1206,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
|
||||
struct linux_binfmt *fmt;
|
||||
|
||||
retval = security_bprm_check(bprm);
|
||||
if (retval)
|
||||
return retval;
|
||||
retval = ima_bprm_check(bprm);
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
|
@ -13,7 +13,6 @@
|
||||
#include <linux/module.h>
|
||||
#include <linux/fs.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
#include <linux/eventpoll.h>
|
||||
#include <linux/rcupdate.h>
|
||||
#include <linux/mount.h>
|
||||
@ -280,7 +279,6 @@ void __fput(struct file *file)
|
||||
if (file->f_op && file->f_op->release)
|
||||
file->f_op->release(inode, file);
|
||||
security_file_free(file);
|
||||
ima_file_free(file);
|
||||
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
|
||||
cdev_put(inode->i_cdev);
|
||||
fops_put(file->f_op);
|
||||
|
10
fs/inode.c
10
fs/inode.c
@ -18,7 +18,6 @@
|
||||
#include <linux/hash.h>
|
||||
#include <linux/swap.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
#include <linux/pagemap.h>
|
||||
#include <linux/cdev.h>
|
||||
#include <linux/bootmem.h>
|
||||
@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
|
||||
|
||||
if (security_inode_alloc(inode))
|
||||
goto out;
|
||||
|
||||
/* allocate and initialize an i_integrity */
|
||||
if (ima_inode_alloc(inode))
|
||||
goto out_free_security;
|
||||
|
||||
spin_lock_init(&inode->i_lock);
|
||||
lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
|
||||
|
||||
@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
|
||||
out_free_security:
|
||||
security_inode_free(inode);
|
||||
out:
|
||||
return -ENOMEM;
|
||||
}
|
||||
@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb)
|
||||
void __destroy_inode(struct inode *inode)
|
||||
{
|
||||
BUG_ON(inode_has_buffers(inode));
|
||||
ima_inode_free(inode);
|
||||
security_inode_free(inode);
|
||||
fsnotify_inode_delete(inode);
|
||||
#ifdef CONFIG_FS_POSIX_ACL
|
||||
|
@ -1921,6 +1921,16 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
|
||||
if (data_page)
|
||||
((char *)data_page)[PAGE_SIZE - 1] = 0;
|
||||
|
||||
/* ... and get the mountpoint */
|
||||
retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
retval = security_sb_mount(dev_name, &path,
|
||||
type_page, flags, data_page);
|
||||
if (retval)
|
||||
goto dput_out;
|
||||
|
||||
/* Default to relatime unless overriden */
|
||||
if (!(flags & MS_NOATIME))
|
||||
mnt_flags |= MNT_RELATIME;
|
||||
@ -1945,16 +1955,6 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
|
||||
MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
|
||||
MS_STRICTATIME);
|
||||
|
||||
/* ... and get the mountpoint */
|
||||
retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
|
||||
if (retval)
|
||||
return retval;
|
||||
|
||||
retval = security_sb_mount(dev_name, &path,
|
||||
type_page, flags, data_page);
|
||||
if (retval)
|
||||
goto dput_out;
|
||||
|
||||
if (flags & MS_REMOUNT)
|
||||
retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
|
||||
data_page);
|
||||
|
27
fs/open.c
27
fs/open.c
@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
|
||||
error = -EPERM;
|
||||
if (!capable(CAP_SYS_CHROOT))
|
||||
goto dput_and_out;
|
||||
error = security_path_chroot(&path);
|
||||
if (error)
|
||||
goto dput_and_out;
|
||||
|
||||
set_fs_root(current->fs, &path);
|
||||
error = 0;
|
||||
@ -617,11 +620,15 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
|
||||
if (err)
|
||||
goto out_putf;
|
||||
mutex_lock(&inode->i_mutex);
|
||||
err = security_path_chmod(dentry, file->f_vfsmnt, mode);
|
||||
if (err)
|
||||
goto out_unlock;
|
||||
if (mode == (mode_t) -1)
|
||||
mode = inode->i_mode;
|
||||
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
|
||||
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
|
||||
err = notify_change(dentry, &newattrs);
|
||||
out_unlock:
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
mnt_drop_write(file->f_path.mnt);
|
||||
out_putf:
|
||||
@ -646,11 +653,15 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
|
||||
if (error)
|
||||
goto dput_and_out;
|
||||
mutex_lock(&inode->i_mutex);
|
||||
error = security_path_chmod(path.dentry, path.mnt, mode);
|
||||
if (error)
|
||||
goto out_unlock;
|
||||
if (mode == (mode_t) -1)
|
||||
mode = inode->i_mode;
|
||||
newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
|
||||
newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
|
||||
error = notify_change(path.dentry, &newattrs);
|
||||
out_unlock:
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
mnt_drop_write(path.mnt);
|
||||
dput_and_out:
|
||||
@ -664,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user *, filename, mode_t, mode)
|
||||
return sys_fchmodat(AT_FDCWD, filename, mode);
|
||||
}
|
||||
|
||||
static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
|
||||
static int chown_common(struct path *path, uid_t user, gid_t group)
|
||||
{
|
||||
struct inode *inode = dentry->d_inode;
|
||||
struct inode *inode = path->dentry->d_inode;
|
||||
int error;
|
||||
struct iattr newattrs;
|
||||
|
||||
@ -683,7 +694,9 @@ static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
|
||||
newattrs.ia_valid |=
|
||||
ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
|
||||
mutex_lock(&inode->i_mutex);
|
||||
error = notify_change(dentry, &newattrs);
|
||||
error = security_path_chown(path, user, group);
|
||||
if (!error)
|
||||
error = notify_change(path->dentry, &newattrs);
|
||||
mutex_unlock(&inode->i_mutex);
|
||||
|
||||
return error;
|
||||
@ -700,7 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
|
||||
error = mnt_want_write(path.mnt);
|
||||
if (error)
|
||||
goto out_release;
|
||||
error = chown_common(path.dentry, user, group);
|
||||
error = chown_common(&path, user, group);
|
||||
mnt_drop_write(path.mnt);
|
||||
out_release:
|
||||
path_put(&path);
|
||||
@ -725,7 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
|
||||
error = mnt_want_write(path.mnt);
|
||||
if (error)
|
||||
goto out_release;
|
||||
error = chown_common(path.dentry, user, group);
|
||||
error = chown_common(&path, user, group);
|
||||
mnt_drop_write(path.mnt);
|
||||
out_release:
|
||||
path_put(&path);
|
||||
@ -744,7 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
|
||||
error = mnt_want_write(path.mnt);
|
||||
if (error)
|
||||
goto out_release;
|
||||
error = chown_common(path.dentry, user, group);
|
||||
error = chown_common(&path, user, group);
|
||||
mnt_drop_write(path.mnt);
|
||||
out_release:
|
||||
path_put(&path);
|
||||
@ -767,7 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
|
||||
goto out_fput;
|
||||
dentry = file->f_path.dentry;
|
||||
audit_inode(NULL, dentry);
|
||||
error = chown_common(dentry, user, group);
|
||||
error = chown_common(&file->f_path, user, group);
|
||||
mnt_drop_write(file->f_path.mnt);
|
||||
out_fput:
|
||||
fput(file);
|
||||
|
@ -330,6 +330,7 @@ unifdef-y += scc.h
|
||||
unifdef-y += sched.h
|
||||
unifdef-y += screen_info.h
|
||||
unifdef-y += sdla.h
|
||||
unifdef-y += securebits.h
|
||||
unifdef-y += selinux_netlink.h
|
||||
unifdef-y += sem.h
|
||||
unifdef-y += serial_core.h
|
||||
|
@ -92,9 +92,7 @@ struct vfs_cap_data {
|
||||
#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
|
||||
#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
extern int file_caps_enabled;
|
||||
#endif
|
||||
|
||||
typedef struct kernel_cap_struct {
|
||||
__u32 cap[_KERNEL_CAPABILITY_U32S];
|
||||
|
@ -83,16 +83,12 @@ extern struct group_info init_groups;
|
||||
#define INIT_IDS
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
/*
|
||||
* Because of the reduced scope of CAP_SETPCAP when filesystem
|
||||
* capabilities are in effect, it is safe to allow CAP_SETPCAP to
|
||||
* be available in the default configuration.
|
||||
*/
|
||||
# define CAP_INIT_BSET CAP_FULL_SET
|
||||
#else
|
||||
# define CAP_INIT_BSET CAP_INIT_EFF_SET
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_TREE_PREEMPT_RCU
|
||||
#define INIT_TASK_RCU_PREEMPT(tsk) \
|
||||
|
@ -26,14 +26,15 @@
|
||||
|
||||
/* Auxiliary data to use in generating the audit record. */
|
||||
struct common_audit_data {
|
||||
char type;
|
||||
#define LSM_AUDIT_DATA_FS 1
|
||||
#define LSM_AUDIT_DATA_NET 2
|
||||
#define LSM_AUDIT_DATA_CAP 3
|
||||
#define LSM_AUDIT_DATA_IPC 4
|
||||
#define LSM_AUDIT_DATA_TASK 5
|
||||
#define LSM_AUDIT_DATA_KEY 6
|
||||
#define LSM_AUDIT_NO_AUDIT 7
|
||||
char type;
|
||||
#define LSM_AUDIT_DATA_FS 1
|
||||
#define LSM_AUDIT_DATA_NET 2
|
||||
#define LSM_AUDIT_DATA_CAP 3
|
||||
#define LSM_AUDIT_DATA_IPC 4
|
||||
#define LSM_AUDIT_DATA_TASK 5
|
||||
#define LSM_AUDIT_DATA_KEY 6
|
||||
#define LSM_AUDIT_NO_AUDIT 7
|
||||
#define LSM_AUDIT_DATA_KMOD 8
|
||||
struct task_struct *tsk;
|
||||
union {
|
||||
struct {
|
||||
@ -66,6 +67,7 @@ struct common_audit_data {
|
||||
char *key_desc;
|
||||
} key_struct;
|
||||
#endif
|
||||
char *kmod_name;
|
||||
} u;
|
||||
/* this union contains LSM specific data */
|
||||
union {
|
||||
|
@ -1,6 +1,15 @@
|
||||
#ifndef _LINUX_SECUREBITS_H
|
||||
#define _LINUX_SECUREBITS_H 1
|
||||
|
||||
/* Each securesetting is implemented using two bits. One bit specifies
|
||||
whether the setting is on or off. The other bit specify whether the
|
||||
setting is locked or not. A setting which is locked cannot be
|
||||
changed from user-level. */
|
||||
#define issecure_mask(X) (1 << (X))
|
||||
#ifdef __KERNEL__
|
||||
#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
|
||||
#endif
|
||||
|
||||
#define SECUREBITS_DEFAULT 0x00000000
|
||||
|
||||
/* When set UID 0 has no special privileges. When unset, we support
|
||||
@ -12,6 +21,9 @@
|
||||
#define SECURE_NOROOT 0
|
||||
#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
|
||||
|
||||
#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
|
||||
#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
|
||||
|
||||
/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
|
||||
When unset, to provide compatiblility with old programs relying on
|
||||
set*uid to gain/lose privilege, transitions to/from uid 0 cause
|
||||
@ -19,6 +31,10 @@
|
||||
#define SECURE_NO_SETUID_FIXUP 2
|
||||
#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
|
||||
|
||||
#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
|
||||
#define SECBIT_NO_SETUID_FIXUP_LOCKED \
|
||||
(issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
|
||||
|
||||
/* When set, a process can retain its capabilities even after
|
||||
transitioning to a non-root user (the set-uid fixup suppressed by
|
||||
bit 2). Bit-4 is cleared when a process calls exec(); setting both
|
||||
@ -27,12 +43,8 @@
|
||||
#define SECURE_KEEP_CAPS 4
|
||||
#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */
|
||||
|
||||
/* Each securesetting is implemented using two bits. One bit specifies
|
||||
whether the setting is on or off. The other bit specify whether the
|
||||
setting is locked or not. A setting which is locked cannot be
|
||||
changed from user-level. */
|
||||
#define issecure_mask(X) (1 << (X))
|
||||
#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
|
||||
#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
|
||||
#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
|
||||
|
||||
#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
|
||||
issecure_mask(SECURE_NO_SETUID_FIXUP) | \
|
||||
|
@ -447,6 +447,22 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
||||
* @new_dir contains the path structure for parent of the new link.
|
||||
* @new_dentry contains the dentry structure of the new link.
|
||||
* Return 0 if permission is granted.
|
||||
* @path_chmod:
|
||||
* Check for permission to change DAC's permission of a file or directory.
|
||||
* @dentry contains the dentry structure.
|
||||
* @mnt contains the vfsmnt structure.
|
||||
* @mode contains DAC's mode.
|
||||
* Return 0 if permission is granted.
|
||||
* @path_chown:
|
||||
* Check for permission to change owner/group of a file or directory.
|
||||
* @path contains the path structure.
|
||||
* @uid contains new owner's ID.
|
||||
* @gid contains new group's ID.
|
||||
* Return 0 if permission is granted.
|
||||
* @path_chroot:
|
||||
* Check for permission to change root directory.
|
||||
* @path contains the path structure.
|
||||
* Return 0 if permission is granted.
|
||||
* @inode_readlink:
|
||||
* Check the permission to read the symbolic link.
|
||||
* @dentry contains the dentry structure for the file link.
|
||||
@ -690,6 +706,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
||||
* @kernel_module_request:
|
||||
* Ability to trigger the kernel to automatically upcall to userspace for
|
||||
* userspace to load a kernel module with the given name.
|
||||
* @kmod_name name of the module requested by the kernel
|
||||
* Return 0 if successful.
|
||||
* @task_setuid:
|
||||
* Check permission before setting one or more of the user identity
|
||||
@ -1488,6 +1505,10 @@ struct security_operations {
|
||||
struct dentry *new_dentry);
|
||||
int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
|
||||
struct path *new_dir, struct dentry *new_dentry);
|
||||
int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
|
||||
mode_t mode);
|
||||
int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
|
||||
int (*path_chroot) (struct path *path);
|
||||
#endif
|
||||
|
||||
int (*inode_alloc_security) (struct inode *inode);
|
||||
@ -1557,7 +1578,7 @@ struct security_operations {
|
||||
void (*cred_transfer)(struct cred *new, const struct cred *old);
|
||||
int (*kernel_act_as)(struct cred *new, u32 secid);
|
||||
int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
|
||||
int (*kernel_module_request)(void);
|
||||
int (*kernel_module_request)(char *kmod_name);
|
||||
int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
|
||||
int (*task_fix_setuid) (struct cred *new, const struct cred *old,
|
||||
int flags);
|
||||
@ -1822,7 +1843,7 @@ void security_commit_creds(struct cred *new, const struct cred *old);
|
||||
void security_transfer_creds(struct cred *new, const struct cred *old);
|
||||
int security_kernel_act_as(struct cred *new, u32 secid);
|
||||
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
|
||||
int security_kernel_module_request(void);
|
||||
int security_kernel_module_request(char *kmod_name);
|
||||
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
|
||||
int security_task_fix_setuid(struct cred *new, const struct cred *old,
|
||||
int flags);
|
||||
@ -2387,7 +2408,7 @@ static inline int security_kernel_create_files_as(struct cred *cred,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_kernel_module_request(void)
|
||||
static inline int security_kernel_module_request(char *kmod_name)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@ -2952,6 +2973,10 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
|
||||
struct dentry *new_dentry);
|
||||
int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
|
||||
struct path *new_dir, struct dentry *new_dentry);
|
||||
int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
|
||||
mode_t mode);
|
||||
int security_path_chown(struct path *path, uid_t uid, gid_t gid);
|
||||
int security_path_chroot(struct path *path);
|
||||
#else /* CONFIG_SECURITY_PATH */
|
||||
static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
|
||||
{
|
||||
@ -3001,6 +3026,23 @@ static inline int security_path_rename(struct path *old_dir,
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_path_chmod(struct dentry *dentry,
|
||||
struct vfsmount *mnt,
|
||||
mode_t mode)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline int security_path_chroot(struct path *path)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif /* CONFIG_SECURITY_PATH */
|
||||
|
||||
#ifdef CONFIG_KEYS
|
||||
|
@ -27,9 +27,16 @@
|
||||
*/
|
||||
#define TPM_ANY_NUM 0xFFFF
|
||||
|
||||
#if defined(CONFIG_TCG_TPM)
|
||||
#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
|
||||
|
||||
extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
|
||||
extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
|
||||
#else
|
||||
static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
|
||||
return -ENODEV;
|
||||
}
|
||||
static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
|
||||
return -ENODEV;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
@ -29,7 +29,6 @@ EXPORT_SYMBOL(__cap_empty_set);
|
||||
EXPORT_SYMBOL(__cap_full_set);
|
||||
EXPORT_SYMBOL(__cap_init_eff_set);
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
int file_caps_enabled = 1;
|
||||
|
||||
static int __init file_caps_disable(char *str)
|
||||
@ -38,7 +37,6 @@ static int __init file_caps_disable(char *str)
|
||||
return 1;
|
||||
}
|
||||
__setup("no_file_caps", file_caps_disable);
|
||||
#endif
|
||||
|
||||
/*
|
||||
* More recent versions of libcap are available from:
|
||||
@ -169,8 +167,8 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
|
||||
kernel_cap_t pE, pI, pP;
|
||||
|
||||
ret = cap_validate_magic(header, &tocopy);
|
||||
if (ret != 0)
|
||||
return ret;
|
||||
if ((dataptr == NULL) || (ret != 0))
|
||||
return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
|
||||
|
||||
if (get_user(pid, &header->pid))
|
||||
return -EFAULT;
|
||||
@ -238,7 +236,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
|
||||
SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
|
||||
{
|
||||
struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
|
||||
unsigned i, tocopy;
|
||||
unsigned i, tocopy, copybytes;
|
||||
kernel_cap_t inheritable, permitted, effective;
|
||||
struct cred *new;
|
||||
int ret;
|
||||
@ -255,8 +253,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
|
||||
if (pid != 0 && pid != task_pid_vnr(current))
|
||||
return -EPERM;
|
||||
|
||||
if (copy_from_user(&kdata, data,
|
||||
tocopy * sizeof(struct __user_cap_data_struct)))
|
||||
copybytes = tocopy * sizeof(struct __user_cap_data_struct);
|
||||
if (copybytes > sizeof(kdata))
|
||||
return -EFAULT;
|
||||
|
||||
if (copy_from_user(&kdata, data, copybytes))
|
||||
return -EFAULT;
|
||||
|
||||
for (i = 0; i < tocopy; i++) {
|
||||
|
@ -80,16 +80,16 @@ int __request_module(bool wait, const char *fmt, ...)
|
||||
#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
|
||||
static int kmod_loop_msg;
|
||||
|
||||
ret = security_kernel_module_request();
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
va_start(args, fmt);
|
||||
ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
|
||||
va_end(args);
|
||||
if (ret >= MODULE_NAME_LEN)
|
||||
return -ENAMETOOLONG;
|
||||
|
||||
ret = security_kernel_module_request(module_name);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
/* If modprobe needs a service that is in a module, we get a recursive
|
||||
* loop. Limit the number of running kmod threads to max_threads/2 or
|
||||
* MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
|
||||
|
@ -20,7 +20,6 @@
|
||||
#include <linux/fs.h>
|
||||
#include <linux/personality.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
#include <linux/hugetlb.h>
|
||||
#include <linux/profile.h>
|
||||
#include <linux/module.h>
|
||||
@ -1059,9 +1058,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
|
||||
}
|
||||
|
||||
error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
|
||||
if (error)
|
||||
return error;
|
||||
error = ima_file_mmap(file, prot);
|
||||
if (error)
|
||||
return error;
|
||||
|
||||
|
@ -1,2 +1,2 @@
|
||||
subdir-y := mdp
|
||||
subdir- += mdp
|
||||
subdir-y := mdp genheaders
|
||||
subdir- += mdp genheaders
|
||||
|
1
scripts/selinux/genheaders/.gitignore
vendored
Normal file
1
scripts/selinux/genheaders/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
genheaders
|
5
scripts/selinux/genheaders/Makefile
Normal file
5
scripts/selinux/genheaders/Makefile
Normal file
@ -0,0 +1,5 @@
|
||||
hostprogs-y := genheaders
|
||||
HOST_EXTRACFLAGS += -Isecurity/selinux/include
|
||||
|
||||
always := $(hostprogs-y)
|
||||
clean-files := $(hostprogs-y)
|
118
scripts/selinux/genheaders/genheaders.c
Normal file
118
scripts/selinux/genheaders/genheaders.c
Normal file
@ -0,0 +1,118 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
|
||||
struct security_class_mapping {
|
||||
const char *name;
|
||||
const char *perms[sizeof(unsigned) * 8 + 1];
|
||||
};
|
||||
|
||||
#include "classmap.h"
|
||||
#include "initial_sid_to_string.h"
|
||||
|
||||
#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
|
||||
|
||||
const char *progname;
|
||||
|
||||
static void usage(void)
|
||||
{
|
||||
printf("usage: %s flask.h av_permissions.h\n", progname);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
static char *stoupperx(const char *s)
|
||||
{
|
||||
char *s2 = strdup(s);
|
||||
char *p;
|
||||
|
||||
if (!s2) {
|
||||
fprintf(stderr, "%s: out of memory\n", progname);
|
||||
exit(3);
|
||||
}
|
||||
|
||||
for (p = s2; *p; p++)
|
||||
*p = toupper(*p);
|
||||
return s2;
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int i, j, k;
|
||||
int isids_len;
|
||||
FILE *fout;
|
||||
|
||||
progname = argv[0];
|
||||
|
||||
if (argc < 3)
|
||||
usage();
|
||||
|
||||
fout = fopen(argv[1], "w");
|
||||
if (!fout) {
|
||||
fprintf(stderr, "Could not open %s for writing: %s\n",
|
||||
argv[1], strerror(errno));
|
||||
exit(2);
|
||||
}
|
||||
|
||||
for (i = 0; secclass_map[i].name; i++) {
|
||||
struct security_class_mapping *map = &secclass_map[i];
|
||||
map->name = stoupperx(map->name);
|
||||
for (j = 0; map->perms[j]; j++)
|
||||
map->perms[j] = stoupperx(map->perms[j]);
|
||||
}
|
||||
|
||||
isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
|
||||
for (i = 1; i < isids_len; i++)
|
||||
initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
|
||||
|
||||
fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
|
||||
fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
|
||||
|
||||
for (i = 0; secclass_map[i].name; i++) {
|
||||
struct security_class_mapping *map = &secclass_map[i];
|
||||
fprintf(fout, "#define SECCLASS_%s", map->name);
|
||||
for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
|
||||
fprintf(fout, " ");
|
||||
fprintf(fout, "%2d\n", i+1);
|
||||
}
|
||||
|
||||
fprintf(fout, "\n");
|
||||
|
||||
for (i = 1; i < isids_len; i++) {
|
||||
char *s = initial_sid_to_string[i];
|
||||
fprintf(fout, "#define SECINITSID_%s", s);
|
||||
for (j = 0; j < max(1, 40 - strlen(s)); j++)
|
||||
fprintf(fout, " ");
|
||||
fprintf(fout, "%2d\n", i);
|
||||
}
|
||||
fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
|
||||
fprintf(fout, "\n#endif\n");
|
||||
fclose(fout);
|
||||
|
||||
fout = fopen(argv[2], "w");
|
||||
if (!fout) {
|
||||
fprintf(stderr, "Could not open %s for writing: %s\n",
|
||||
argv[2], strerror(errno));
|
||||
exit(4);
|
||||
}
|
||||
|
||||
fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
|
||||
fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
|
||||
|
||||
for (i = 0; secclass_map[i].name; i++) {
|
||||
struct security_class_mapping *map = &secclass_map[i];
|
||||
for (j = 0; map->perms[j]; j++) {
|
||||
fprintf(fout, "#define %s__%s", map->name,
|
||||
map->perms[j]);
|
||||
for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
|
||||
fprintf(fout, " ");
|
||||
fprintf(fout, "0x%08xUL\n", (1<<j));
|
||||
}
|
||||
}
|
||||
|
||||
fprintf(fout, "\n#endif\n");
|
||||
fclose(fout);
|
||||
exit(0);
|
||||
}
|
@ -29,86 +29,27 @@
|
||||
#include <unistd.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "flask.h"
|
||||
|
||||
static void usage(char *name)
|
||||
{
|
||||
printf("usage: %s [-m] policy_file context_file\n", name);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
static void find_common_name(char *cname, char *dest, int len)
|
||||
{
|
||||
char *start, *end;
|
||||
|
||||
start = strchr(cname, '_')+1;
|
||||
end = strchr(start, '_');
|
||||
if (!start || !end || start-cname > len || end-start > len) {
|
||||
printf("Error with commons defines\n");
|
||||
exit(1);
|
||||
}
|
||||
strncpy(dest, start, end-start);
|
||||
dest[end-start] = '\0';
|
||||
}
|
||||
|
||||
#define S_(x) x,
|
||||
static char *classlist[] = {
|
||||
#include "class_to_string.h"
|
||||
NULL
|
||||
/* Class/perm mapping support */
|
||||
struct security_class_mapping {
|
||||
const char *name;
|
||||
const char *perms[sizeof(unsigned) * 8 + 1];
|
||||
};
|
||||
#undef S_
|
||||
|
||||
#include "classmap.h"
|
||||
#include "initial_sid_to_string.h"
|
||||
|
||||
#define TB_(x) char *x[] = {
|
||||
#define TE_(x) NULL };
|
||||
#define S_(x) x,
|
||||
#include "common_perm_to_string.h"
|
||||
#undef TB_
|
||||
#undef TE_
|
||||
#undef S_
|
||||
|
||||
struct common {
|
||||
char *cname;
|
||||
char **perms;
|
||||
};
|
||||
struct common common[] = {
|
||||
#define TB_(x) { #x, x },
|
||||
#define S_(x)
|
||||
#define TE_(x)
|
||||
#include "common_perm_to_string.h"
|
||||
#undef TB_
|
||||
#undef TE_
|
||||
#undef S_
|
||||
};
|
||||
|
||||
#define S_(x, y, z) {x, #y},
|
||||
struct av_inherit {
|
||||
int class;
|
||||
char *common;
|
||||
};
|
||||
struct av_inherit av_inherit[] = {
|
||||
#include "av_inherit.h"
|
||||
};
|
||||
#undef S_
|
||||
|
||||
#include "av_permissions.h"
|
||||
#define S_(x, y, z) {x, y, z},
|
||||
struct av_perms {
|
||||
int class;
|
||||
int perm_i;
|
||||
char *perm_s;
|
||||
};
|
||||
struct av_perms av_perms[] = {
|
||||
#include "av_perm_to_string.h"
|
||||
};
|
||||
#undef S_
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
int i, j, mls = 0;
|
||||
int initial_sid_to_string_len;
|
||||
char **arg, *polout, *ctxout;
|
||||
int classlist_len, initial_sid_to_string_len;
|
||||
|
||||
FILE *fout;
|
||||
|
||||
if (argc < 3)
|
||||
@ -127,64 +68,25 @@ int main(int argc, char *argv[])
|
||||
usage(argv[0]);
|
||||
}
|
||||
|
||||
classlist_len = sizeof(classlist) / sizeof(char *);
|
||||
/* print out the classes */
|
||||
for (i=1; i < classlist_len; i++) {
|
||||
if(classlist[i])
|
||||
fprintf(fout, "class %s\n", classlist[i]);
|
||||
else
|
||||
fprintf(fout, "class user%d\n", i);
|
||||
}
|
||||
for (i = 0; secclass_map[i].name; i++)
|
||||
fprintf(fout, "class %s\n", secclass_map[i].name);
|
||||
fprintf(fout, "\n");
|
||||
|
||||
initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
|
||||
/* print out the sids */
|
||||
for (i=1; i < initial_sid_to_string_len; i++)
|
||||
for (i = 1; i < initial_sid_to_string_len; i++)
|
||||
fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
|
||||
fprintf(fout, "\n");
|
||||
|
||||
/* print out the commons */
|
||||
for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
|
||||
char cname[101];
|
||||
find_common_name(common[i].cname, cname, 100);
|
||||
cname[100] = '\0';
|
||||
fprintf(fout, "common %s\n{\n", cname);
|
||||
for (j=0; common[i].perms[j]; j++)
|
||||
fprintf(fout, "\t%s\n", common[i].perms[j]);
|
||||
fprintf(fout, "}\n\n");
|
||||
}
|
||||
fprintf(fout, "\n");
|
||||
|
||||
/* print out the class permissions */
|
||||
for (i=1; i < classlist_len; i++) {
|
||||
if (classlist[i]) {
|
||||
int firstperm = -1, numperms = 0;
|
||||
|
||||
fprintf(fout, "class %s\n", classlist[i]);
|
||||
/* does it inherit from a common? */
|
||||
for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++)
|
||||
if (av_inherit[j].class == i)
|
||||
fprintf(fout, "inherits %s\n", av_inherit[j].common);
|
||||
|
||||
for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
|
||||
if (av_perms[j].class == i) {
|
||||
if (firstperm == -1)
|
||||
firstperm = j;
|
||||
numperms++;
|
||||
}
|
||||
}
|
||||
if (!numperms) {
|
||||
fprintf(fout, "\n");
|
||||
continue;
|
||||
}
|
||||
|
||||
fprintf(fout, "{\n");
|
||||
/* print out the av_perms */
|
||||
for (j=0; j < numperms; j++) {
|
||||
fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
|
||||
}
|
||||
fprintf(fout, "}\n\n");
|
||||
}
|
||||
for (i = 0; secclass_map[i].name; i++) {
|
||||
struct security_class_mapping *map = &secclass_map[i];
|
||||
fprintf(fout, "class %s\n", map->name);
|
||||
fprintf(fout, "{\n");
|
||||
for (j = 0; map->perms[j]; j++)
|
||||
fprintf(fout, "\t%s\n", map->perms[j]);
|
||||
fprintf(fout, "}\n\n");
|
||||
}
|
||||
fprintf(fout, "\n");
|
||||
|
||||
@ -197,31 +99,34 @@ int main(int argc, char *argv[])
|
||||
/* types, roles, and allows */
|
||||
fprintf(fout, "type base_t;\n");
|
||||
fprintf(fout, "role base_r types { base_t };\n");
|
||||
for (i=1; i < classlist_len; i++) {
|
||||
if (classlist[i])
|
||||
fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]);
|
||||
else
|
||||
fprintf(fout, "allow base_t base_t:user%d *;\n", i);
|
||||
}
|
||||
for (i = 0; secclass_map[i].name; i++)
|
||||
fprintf(fout, "allow base_t base_t:%s *;\n",
|
||||
secclass_map[i].name);
|
||||
fprintf(fout, "user user_u roles { base_r };\n");
|
||||
fprintf(fout, "\n");
|
||||
|
||||
/* default sids */
|
||||
for (i=1; i < initial_sid_to_string_len; i++)
|
||||
for (i = 1; i < initial_sid_to_string_len; i++)
|
||||
fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
|
||||
fprintf(fout, "\n");
|
||||
|
||||
|
||||
fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
|
||||
|
||||
fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
|
||||
|
||||
fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
|
||||
fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
|
||||
|
||||
|
@ -91,28 +91,6 @@ config SECURITY_PATH
|
||||
implement pathname based access controls.
|
||||
If you are unsure how to answer this question, answer N.
|
||||
|
||||
config SECURITY_FILE_CAPABILITIES
|
||||
bool "File POSIX Capabilities"
|
||||
default n
|
||||
help
|
||||
This enables filesystem capabilities, allowing you to give
|
||||
binaries a subset of root's powers without using setuid 0.
|
||||
|
||||
If in doubt, answer N.
|
||||
|
||||
config SECURITY_ROOTPLUG
|
||||
bool "Root Plug Support"
|
||||
depends on USB=y && SECURITY
|
||||
help
|
||||
This is a sample LSM module that should only be used as such.
|
||||
It prevents any programs running with egid == 0 if a specific
|
||||
USB device is not present in the system.
|
||||
|
||||
See <http://www.linuxjournal.com/article.php?sid=6279> for
|
||||
more information about this module.
|
||||
|
||||
If you are unsure how to answer this question, answer N.
|
||||
|
||||
config INTEL_TXT
|
||||
bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
|
||||
depends on HAVE_INTEL_TXT
|
||||
@ -165,5 +143,37 @@ source security/tomoyo/Kconfig
|
||||
|
||||
source security/integrity/ima/Kconfig
|
||||
|
||||
choice
|
||||
prompt "Default security module"
|
||||
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
|
||||
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
|
||||
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
|
||||
default DEFAULT_SECURITY_DAC
|
||||
|
||||
help
|
||||
Select the security module that will be used by default if the
|
||||
kernel parameter security= is not specified.
|
||||
|
||||
config DEFAULT_SECURITY_SELINUX
|
||||
bool "SELinux" if SECURITY_SELINUX=y
|
||||
|
||||
config DEFAULT_SECURITY_SMACK
|
||||
bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
|
||||
|
||||
config DEFAULT_SECURITY_TOMOYO
|
||||
bool "TOMOYO" if SECURITY_TOMOYO=y
|
||||
|
||||
config DEFAULT_SECURITY_DAC
|
||||
bool "Unix Discretionary Access Controls"
|
||||
|
||||
endchoice
|
||||
|
||||
config DEFAULT_SECURITY
|
||||
string
|
||||
default "selinux" if DEFAULT_SECURITY_SELINUX
|
||||
default "smack" if DEFAULT_SECURITY_SMACK
|
||||
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
|
||||
default "" if DEFAULT_SECURITY_DAC
|
||||
|
||||
endmenu
|
||||
|
||||
|
@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
|
||||
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
|
||||
obj-$(CONFIG_AUDIT) += lsm_audit.o
|
||||
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
|
||||
obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
|
||||
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
|
||||
|
||||
# Object integrity file lists
|
||||
|
@ -308,6 +308,22 @@ static int cap_path_truncate(struct path *path, loff_t length,
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
|
||||
mode_t mode)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cap_path_chroot(struct path *root)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int cap_file_permission(struct file *file, int mask)
|
||||
@ -405,7 +421,7 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int cap_kernel_module_request(void)
|
||||
static int cap_kernel_module_request(char *kmod_name)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@ -977,6 +993,9 @@ void security_fixup_ops(struct security_operations *ops)
|
||||
set_to_cap_if_null(ops, path_link);
|
||||
set_to_cap_if_null(ops, path_rename);
|
||||
set_to_cap_if_null(ops, path_truncate);
|
||||
set_to_cap_if_null(ops, path_chmod);
|
||||
set_to_cap_if_null(ops, path_chown);
|
||||
set_to_cap_if_null(ops, path_chroot);
|
||||
#endif
|
||||
set_to_cap_if_null(ops, file_permission);
|
||||
set_to_cap_if_null(ops, file_alloc_security);
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* Common capabilities, needed by capability.o and root_plug.o
|
||||
/* Common capabilities, needed by capability.o.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
|
||||
*/
|
||||
static inline int cap_inh_is_capped(void)
|
||||
{
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
|
||||
/* they are so limited unless the current task has the CAP_SETPCAP
|
||||
* capability
|
||||
@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
|
||||
if (cap_capable(current, current_cred(), CAP_SETPCAP,
|
||||
SECURITY_CAP_AUDIT) == 0)
|
||||
return 0;
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
|
||||
bprm->cap_effective = false;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
|
||||
/**
|
||||
* cap_inode_need_killpriv - Determine if inode change affects privileges
|
||||
* @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
|
||||
@ -421,49 +417,6 @@ out:
|
||||
return rc;
|
||||
}
|
||||
|
||||
#else
|
||||
int cap_inode_need_killpriv(struct dentry *dentry)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
int cap_inode_killpriv(struct dentry *dentry)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
||||
int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
|
||||
{
|
||||
memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
|
||||
return -ENODATA;
|
||||
}
|
||||
|
||||
static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
|
||||
{
|
||||
bprm_clear_caps(bprm);
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Determine whether a exec'ing process's new permitted capabilities should be
|
||||
* limited to just what it already has.
|
||||
*
|
||||
* This prevents processes that are being ptraced from gaining access to
|
||||
* CAP_SETPCAP, unless the process they're tracing already has it, and the
|
||||
* binary they're executing has filecaps that elevate it.
|
||||
*
|
||||
* Returns 1 if they should be limited, 0 if they are not.
|
||||
*/
|
||||
static inline int cap_limit_ptraced_target(void)
|
||||
{
|
||||
#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
if (capable(CAP_SETPCAP))
|
||||
return 0;
|
||||
#endif
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* cap_bprm_set_creds - Set up the proposed credentials for execve().
|
||||
* @bprm: The execution parameters, including the proposed creds
|
||||
@ -523,9 +476,8 @@ skip:
|
||||
new->euid = new->uid;
|
||||
new->egid = new->gid;
|
||||
}
|
||||
if (cap_limit_ptraced_target())
|
||||
new->cap_permitted = cap_intersect(new->cap_permitted,
|
||||
old->cap_permitted);
|
||||
new->cap_permitted = cap_intersect(new->cap_permitted,
|
||||
old->cap_permitted);
|
||||
}
|
||||
|
||||
new->suid = new->fsuid = new->euid;
|
||||
@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
/*
|
||||
* Rationale: code calling task_setscheduler, task_setioprio, and
|
||||
* task_setnice, assumes that
|
||||
@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#else
|
||||
int cap_task_setscheduler (struct task_struct *p, int policy,
|
||||
struct sched_param *lp)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
int cap_task_setioprio (struct task_struct *p, int ioprio)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
int cap_task_setnice (struct task_struct *p, int nice)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* cap_task_prctl - Implement process control functions for this security module
|
||||
* @option: The process control function requested
|
||||
@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
||||
error = !!cap_raised(new->cap_bset, arg2);
|
||||
goto no_change;
|
||||
|
||||
#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
|
||||
case PR_CAPBSET_DROP:
|
||||
error = cap_prctl_drop(new, arg2);
|
||||
if (error < 0)
|
||||
@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
|
||||
error = new->securebits;
|
||||
goto no_change;
|
||||
|
||||
#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
|
||||
|
||||
case PR_GET_KEEPCAPS:
|
||||
if (issecure(SECURE_KEEP_CAPS))
|
||||
error = 1;
|
||||
|
@ -3,6 +3,7 @@
|
||||
config IMA
|
||||
bool "Integrity Measurement Architecture(IMA)"
|
||||
depends on ACPI
|
||||
depends on SECURITY
|
||||
select SECURITYFS
|
||||
select CRYPTO
|
||||
select CRYPTO_HMAC
|
||||
|
@ -354,6 +354,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
||||
}
|
||||
break;
|
||||
#endif
|
||||
case LSM_AUDIT_DATA_KMOD:
|
||||
audit_log_format(ab, " kmod=");
|
||||
audit_log_untrustedstring(ab, a->u.kmod_name);
|
||||
break;
|
||||
} /* switch (a->type) */
|
||||
}
|
||||
|
||||
|
@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
|
||||
{
|
||||
int ret;
|
||||
|
||||
if (!capable(CAP_SYS_RAWIO))
|
||||
return -EPERM;
|
||||
|
||||
ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
|
||||
|
||||
update_mmap_min_addr();
|
||||
|
@ -1,90 +0,0 @@
|
||||
/*
|
||||
* Root Plug sample LSM module
|
||||
*
|
||||
* Originally written for a Linux Journal.
|
||||
*
|
||||
* Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
|
||||
*
|
||||
* Prevents any programs running with egid == 0 if a specific USB device
|
||||
* is not present in the system. Yes, it can be gotten around, but is a
|
||||
* nice starting point for people to play with, and learn the LSM
|
||||
* interface.
|
||||
*
|
||||
* If you want to turn this into something with a semblance of security,
|
||||
* you need to hook the task_* functions also.
|
||||
*
|
||||
* See http://www.linuxjournal.com/article.php?sid=6279 for more information
|
||||
* about this code.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation, version 2 of the
|
||||
* License.
|
||||
*/
|
||||
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/init.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/usb.h>
|
||||
#include <linux/moduleparam.h>
|
||||
|
||||
/* default is a generic type of usb to serial converter */
|
||||
static int vendor_id = 0x0557;
|
||||
static int product_id = 0x2008;
|
||||
|
||||
module_param(vendor_id, uint, 0400);
|
||||
module_param(product_id, uint, 0400);
|
||||
|
||||
/* should we print out debug messages */
|
||||
static int debug = 0;
|
||||
|
||||
module_param(debug, bool, 0600);
|
||||
|
||||
#define MY_NAME "root_plug"
|
||||
|
||||
#define root_dbg(fmt, arg...) \
|
||||
do { \
|
||||
if (debug) \
|
||||
printk(KERN_DEBUG "%s: %s: " fmt , \
|
||||
MY_NAME , __func__ , \
|
||||
## arg); \
|
||||
} while (0)
|
||||
|
||||
static int rootplug_bprm_check_security (struct linux_binprm *bprm)
|
||||
{
|
||||
struct usb_device *dev;
|
||||
|
||||
root_dbg("file %s, e_uid = %d, e_gid = %d\n",
|
||||
bprm->filename, bprm->cred->euid, bprm->cred->egid);
|
||||
|
||||
if (bprm->cred->egid == 0) {
|
||||
dev = usb_find_device(vendor_id, product_id);
|
||||
if (!dev) {
|
||||
root_dbg("e_gid = 0, and device not found, "
|
||||
"task not allowed to run...\n");
|
||||
return -EPERM;
|
||||
}
|
||||
usb_put_dev(dev);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct security_operations rootplug_security_ops = {
|
||||
.bprm_check_security = rootplug_bprm_check_security,
|
||||
};
|
||||
|
||||
static int __init rootplug_init (void)
|
||||
{
|
||||
/* register ourselves with the security framework */
|
||||
if (register_security (&rootplug_security_ops)) {
|
||||
printk (KERN_INFO
|
||||
"Failure registering Root Plug module with the kernel\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
printk (KERN_INFO "Root Plug module initialized, "
|
||||
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
|
||||
return 0;
|
||||
}
|
||||
|
||||
security_initcall (rootplug_init);
|
@ -16,9 +16,11 @@
|
||||
#include <linux/init.h>
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/security.h>
|
||||
#include <linux/ima.h>
|
||||
|
||||
/* Boot-time LSM user choice */
|
||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
|
||||
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
|
||||
CONFIG_DEFAULT_SECURITY;
|
||||
|
||||
/* things that live in capability.c */
|
||||
extern struct security_operations default_security_ops;
|
||||
@ -79,8 +81,10 @@ __setup("security=", choose_lsm);
|
||||
*
|
||||
* Return true if:
|
||||
* -The passed LSM is the one chosen by user at boot time,
|
||||
* -or user didn't specify a specific LSM and we're the first to ask
|
||||
* for registration permission,
|
||||
* -or the passed LSM is configured as the default and the user did not
|
||||
* choose an alternate LSM at boot time,
|
||||
* -or there is no default LSM set and the user didn't specify a
|
||||
* specific LSM and we're the first to ask for registration permission,
|
||||
* -or the passed LSM is currently loaded.
|
||||
* Otherwise, return false.
|
||||
*/
|
||||
@ -235,7 +239,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
|
||||
|
||||
int security_bprm_check(struct linux_binprm *bprm)
|
||||
{
|
||||
return security_ops->bprm_check_security(bprm);
|
||||
int ret;
|
||||
|
||||
ret = security_ops->bprm_check_security(bprm);
|
||||
if (ret)
|
||||
return ret;
|
||||
return ima_bprm_check(bprm);
|
||||
}
|
||||
|
||||
void security_bprm_committing_creds(struct linux_binprm *bprm)
|
||||
@ -352,12 +361,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
|
||||
|
||||
int security_inode_alloc(struct inode *inode)
|
||||
{
|
||||
int ret;
|
||||
|
||||
inode->i_security = NULL;
|
||||
return security_ops->inode_alloc_security(inode);
|
||||
ret = security_ops->inode_alloc_security(inode);
|
||||
if (ret)
|
||||
return ret;
|
||||
ret = ima_inode_alloc(inode);
|
||||
if (ret)
|
||||
security_inode_free(inode);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void security_inode_free(struct inode *inode)
|
||||
{
|
||||
ima_inode_free(inode);
|
||||
security_ops->inode_free_security(inode);
|
||||
}
|
||||
|
||||
@ -434,6 +452,26 @@ int security_path_truncate(struct path *path, loff_t length,
|
||||
return 0;
|
||||
return security_ops->path_truncate(path, length, time_attrs);
|
||||
}
|
||||
|
||||
int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
|
||||
mode_t mode)
|
||||
{
|
||||
if (unlikely(IS_PRIVATE(dentry->d_inode)))
|
||||
return 0;
|
||||
return security_ops->path_chmod(dentry, mnt, mode);
|
||||
}
|
||||
|
||||
int security_path_chown(struct path *path, uid_t uid, gid_t gid)
|
||||
{
|
||||
if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
|
||||
return 0;
|
||||
return security_ops->path_chown(path, uid, gid);
|
||||
}
|
||||
|
||||
int security_path_chroot(struct path *path)
|
||||
{
|
||||
return security_ops->path_chroot(path);
|
||||
}
|
||||
#endif
|
||||
|
||||
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
|
||||
@ -628,6 +666,8 @@ int security_file_alloc(struct file *file)
|
||||
void security_file_free(struct file *file)
|
||||
{
|
||||
security_ops->file_free_security(file);
|
||||
if (file->f_dentry)
|
||||
ima_file_free(file);
|
||||
}
|
||||
|
||||
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
@ -639,7 +679,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
|
||||
unsigned long prot, unsigned long flags,
|
||||
unsigned long addr, unsigned long addr_only)
|
||||
{
|
||||
return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
|
||||
int ret;
|
||||
|
||||
ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
|
||||
if (ret)
|
||||
return ret;
|
||||
return ima_file_mmap(file, prot);
|
||||
}
|
||||
|
||||
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
|
||||
@ -719,9 +764,9 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
|
||||
return security_ops->kernel_create_files_as(new, inode);
|
||||
}
|
||||
|
||||
int security_kernel_module_request(void)
|
||||
int security_kernel_module_request(char *kmod_name)
|
||||
{
|
||||
return security_ops->kernel_module_request();
|
||||
return security_ops->kernel_module_request(kmod_name);
|
||||
}
|
||||
|
||||
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
|
||||
|
2
security/selinux/.gitignore
vendored
Normal file
2
security/selinux/.gitignore
vendored
Normal file
@ -0,0 +1,2 @@
|
||||
av_permissions.h
|
||||
flask.h
|
@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
|
||||
|
||||
selinux-$(CONFIG_NETLABEL) += netlabel.o
|
||||
|
||||
EXTRA_CFLAGS += -Isecurity/selinux/include
|
||||
EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
|
||||
|
||||
$(obj)/avc.o: $(obj)/flask.h
|
||||
|
||||
quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
|
||||
cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
|
||||
|
||||
targets += flask.h
|
||||
$(obj)/flask.h: $(src)/include/classmap.h FORCE
|
||||
$(call if_changed,flask)
|
||||
|
@ -31,43 +31,7 @@
|
||||
#include <net/ipv6.h>
|
||||
#include "avc.h"
|
||||
#include "avc_ss.h"
|
||||
|
||||
static const struct av_perm_to_string av_perm_to_string[] = {
|
||||
#define S_(c, v, s) { c, v, s },
|
||||
#include "av_perm_to_string.h"
|
||||
#undef S_
|
||||
};
|
||||
|
||||
static const char *class_to_string[] = {
|
||||
#define S_(s) s,
|
||||
#include "class_to_string.h"
|
||||
#undef S_
|
||||
};
|
||||
|
||||
#define TB_(s) static const char *s[] = {
|
||||
#define TE_(s) };
|
||||
#define S_(s) s,
|
||||
#include "common_perm_to_string.h"
|
||||
#undef TB_
|
||||
#undef TE_
|
||||
#undef S_
|
||||
|
||||
static const struct av_inherit av_inherit[] = {
|
||||
#define S_(c, i, b) { .tclass = c,\
|
||||
.common_pts = common_##i##_perm_to_string,\
|
||||
.common_base = b },
|
||||
#include "av_inherit.h"
|
||||
#undef S_
|
||||
};
|
||||
|
||||
const struct selinux_class_perm selinux_class_perm = {
|
||||
.av_perm_to_string = av_perm_to_string,
|
||||
.av_pts_len = ARRAY_SIZE(av_perm_to_string),
|
||||
.class_to_string = class_to_string,
|
||||
.cts_len = ARRAY_SIZE(class_to_string),
|
||||
.av_inherit = av_inherit,
|
||||
.av_inherit_len = ARRAY_SIZE(av_inherit)
|
||||
};
|
||||
#include "classmap.h"
|
||||
|
||||
#define AVC_CACHE_SLOTS 512
|
||||
#define AVC_DEF_CACHE_THRESHOLD 512
|
||||
@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
|
||||
*/
|
||||
static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
|
||||
{
|
||||
const char **common_pts = NULL;
|
||||
u32 common_base = 0;
|
||||
int i, i2, perm;
|
||||
const char **perms;
|
||||
int i, perm;
|
||||
|
||||
if (av == 0) {
|
||||
audit_log_format(ab, " null");
|
||||
return;
|
||||
}
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
|
||||
if (av_inherit[i].tclass == tclass) {
|
||||
common_pts = av_inherit[i].common_pts;
|
||||
common_base = av_inherit[i].common_base;
|
||||
break;
|
||||
}
|
||||
}
|
||||
perms = secclass_map[tclass-1].perms;
|
||||
|
||||
audit_log_format(ab, " {");
|
||||
i = 0;
|
||||
perm = 1;
|
||||
while (perm < common_base) {
|
||||
if (perm & av) {
|
||||
audit_log_format(ab, " %s", common_pts[i]);
|
||||
while (i < (sizeof(av) * 8)) {
|
||||
if ((perm & av) && perms[i]) {
|
||||
audit_log_format(ab, " %s", perms[i]);
|
||||
av &= ~perm;
|
||||
}
|
||||
i++;
|
||||
perm <<= 1;
|
||||
}
|
||||
|
||||
while (i < sizeof(av) * 8) {
|
||||
if (perm & av) {
|
||||
for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
|
||||
if ((av_perm_to_string[i2].tclass == tclass) &&
|
||||
(av_perm_to_string[i2].value == perm))
|
||||
break;
|
||||
}
|
||||
if (i2 < ARRAY_SIZE(av_perm_to_string)) {
|
||||
audit_log_format(ab, " %s",
|
||||
av_perm_to_string[i2].name);
|
||||
av &= ~perm;
|
||||
}
|
||||
}
|
||||
i++;
|
||||
perm <<= 1;
|
||||
}
|
||||
|
||||
if (av)
|
||||
audit_log_format(ab, " 0x%x", av);
|
||||
|
||||
@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
|
||||
kfree(scontext);
|
||||
}
|
||||
|
||||
BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
|
||||
audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
|
||||
BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
|
||||
audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -91,7 +91,6 @@
|
||||
|
||||
#define NUM_SEL_MNT_OPTS 5
|
||||
|
||||
extern unsigned int policydb_loaded_version;
|
||||
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
|
||||
extern struct security_operations *security_ops;
|
||||
|
||||
@ -3338,9 +3337,18 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int selinux_kernel_module_request(void)
|
||||
static int selinux_kernel_module_request(char *kmod_name)
|
||||
{
|
||||
return task_has_system(current, SYSTEM__MODULE_REQUEST);
|
||||
u32 sid;
|
||||
struct common_audit_data ad;
|
||||
|
||||
sid = task_sid(current);
|
||||
|
||||
COMMON_AUDIT_DATA_INIT(&ad, KMOD);
|
||||
ad.u.kmod_name = kmod_name;
|
||||
|
||||
return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
|
||||
SYSTEM__MODULE_REQUEST, &ad);
|
||||
}
|
||||
|
||||
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
|
||||
@ -4714,10 +4722,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
|
||||
if (err)
|
||||
return err;
|
||||
|
||||
if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
|
||||
err = selinux_nlmsg_perm(sk, skb);
|
||||
|
||||
return err;
|
||||
return selinux_nlmsg_perm(sk, skb);
|
||||
}
|
||||
|
||||
static int selinux_netlink_recv(struct sk_buff *skb, int capability)
|
||||
@ -5830,12 +5835,12 @@ int selinux_disable(void)
|
||||
selinux_disabled = 1;
|
||||
selinux_enabled = 0;
|
||||
|
||||
/* Try to destroy the avc node cache */
|
||||
avc_disable();
|
||||
|
||||
/* Reset security_ops to the secondary module, dummy or capability. */
|
||||
security_ops = secondary_ops;
|
||||
|
||||
/* Try to destroy the avc node cache */
|
||||
avc_disable();
|
||||
|
||||
/* Unregister netfilter hooks. */
|
||||
selinux_nf_ip_exit();
|
||||
|
||||
|
@ -1,34 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
S_(SECCLASS_DIR, file, 0x00020000UL)
|
||||
S_(SECCLASS_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
|
||||
S_(SECCLASS_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_IPC, ipc, 0x00000200UL)
|
||||
S_(SECCLASS_SEM, ipc, 0x00000200UL)
|
||||
S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
|
||||
S_(SECCLASS_SHM, ipc, 0x00000200UL)
|
||||
S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
|
||||
S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
|
@ -1,183 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
|
||||
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
|
||||
S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
|
||||
S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
|
||||
S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
|
||||
S_(SECCLASS_DIR, DIR__SEARCH, "search")
|
||||
S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
|
||||
S_(SECCLASS_DIR, DIR__OPEN, "open")
|
||||
S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
||||
S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
|
||||
S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
|
||||
S_(SECCLASS_FILE, FILE__OPEN, "open")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
|
||||
S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
|
||||
S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
|
||||
S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
|
||||
S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
|
||||
S_(SECCLASS_FD, FD__USE, "use")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
|
||||
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
|
||||
S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
|
||||
S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
|
||||
S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
|
||||
S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
|
||||
S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
|
||||
S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
|
||||
S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
|
||||
S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
|
||||
S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
|
||||
S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
|
||||
S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
|
||||
S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
|
||||
S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
|
||||
S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
|
||||
S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
|
||||
S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
|
||||
S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
|
||||
S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
|
||||
S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
|
||||
S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
|
||||
S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
|
||||
S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
|
||||
S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
|
||||
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
|
||||
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
|
||||
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
|
||||
S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
|
||||
S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
|
||||
S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
|
||||
S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
|
||||
S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
|
||||
S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
|
||||
S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
|
||||
S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
|
||||
S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
|
||||
S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
|
||||
S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
|
||||
S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
|
||||
S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
|
||||
S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
|
||||
S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
|
||||
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
|
||||
S_(SECCLASS_MSG, MSG__SEND, "send")
|
||||
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
|
||||
S_(SECCLASS_SHM, SHM__LOCK, "lock")
|
||||
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
|
||||
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
|
||||
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
|
||||
S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
|
||||
S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
|
||||
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
|
||||
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
|
||||
S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
|
||||
S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
|
||||
S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
|
||||
S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
|
||||
S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
|
||||
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
|
||||
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
|
||||
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
|
||||
S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
|
||||
S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
|
||||
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
|
||||
S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
|
||||
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
|
||||
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
|
||||
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
|
||||
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
|
||||
S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
|
||||
S_(SECCLASS_PACKET, PACKET__SEND, "send")
|
||||
S_(SECCLASS_PACKET, PACKET__RECV, "recv")
|
||||
S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
|
||||
S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
|
||||
S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
|
||||
S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
|
||||
S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
|
||||
S_(SECCLASS_KEY, KEY__VIEW, "view")
|
||||
S_(SECCLASS_KEY, KEY__READ, "read")
|
||||
S_(SECCLASS_KEY, KEY__WRITE, "write")
|
||||
S_(SECCLASS_KEY, KEY__SEARCH, "search")
|
||||
S_(SECCLASS_KEY, KEY__LINK, "link")
|
||||
S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
|
||||
S_(SECCLASS_KEY, KEY__CREATE, "create")
|
||||
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
|
||||
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
|
||||
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
|
||||
S_(SECCLASS_PEER, PEER__RECV, "recv")
|
||||
S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
|
||||
S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
|
@ -1,870 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
#define COMMON_FILE__IOCTL 0x00000001UL
|
||||
#define COMMON_FILE__READ 0x00000002UL
|
||||
#define COMMON_FILE__WRITE 0x00000004UL
|
||||
#define COMMON_FILE__CREATE 0x00000008UL
|
||||
#define COMMON_FILE__GETATTR 0x00000010UL
|
||||
#define COMMON_FILE__SETATTR 0x00000020UL
|
||||
#define COMMON_FILE__LOCK 0x00000040UL
|
||||
#define COMMON_FILE__RELABELFROM 0x00000080UL
|
||||
#define COMMON_FILE__RELABELTO 0x00000100UL
|
||||
#define COMMON_FILE__APPEND 0x00000200UL
|
||||
#define COMMON_FILE__UNLINK 0x00000400UL
|
||||
#define COMMON_FILE__LINK 0x00000800UL
|
||||
#define COMMON_FILE__RENAME 0x00001000UL
|
||||
#define COMMON_FILE__EXECUTE 0x00002000UL
|
||||
#define COMMON_FILE__SWAPON 0x00004000UL
|
||||
#define COMMON_FILE__QUOTAON 0x00008000UL
|
||||
#define COMMON_FILE__MOUNTON 0x00010000UL
|
||||
#define COMMON_SOCKET__IOCTL 0x00000001UL
|
||||
#define COMMON_SOCKET__READ 0x00000002UL
|
||||
#define COMMON_SOCKET__WRITE 0x00000004UL
|
||||
#define COMMON_SOCKET__CREATE 0x00000008UL
|
||||
#define COMMON_SOCKET__GETATTR 0x00000010UL
|
||||
#define COMMON_SOCKET__SETATTR 0x00000020UL
|
||||
#define COMMON_SOCKET__LOCK 0x00000040UL
|
||||
#define COMMON_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define COMMON_SOCKET__RELABELTO 0x00000100UL
|
||||
#define COMMON_SOCKET__APPEND 0x00000200UL
|
||||
#define COMMON_SOCKET__BIND 0x00000400UL
|
||||
#define COMMON_SOCKET__CONNECT 0x00000800UL
|
||||
#define COMMON_SOCKET__LISTEN 0x00001000UL
|
||||
#define COMMON_SOCKET__ACCEPT 0x00002000UL
|
||||
#define COMMON_SOCKET__GETOPT 0x00004000UL
|
||||
#define COMMON_SOCKET__SETOPT 0x00008000UL
|
||||
#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define COMMON_SOCKET__RECVFROM 0x00020000UL
|
||||
#define COMMON_SOCKET__SENDTO 0x00040000UL
|
||||
#define COMMON_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define COMMON_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define COMMON_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define COMMON_IPC__CREATE 0x00000001UL
|
||||
#define COMMON_IPC__DESTROY 0x00000002UL
|
||||
#define COMMON_IPC__GETATTR 0x00000004UL
|
||||
#define COMMON_IPC__SETATTR 0x00000008UL
|
||||
#define COMMON_IPC__READ 0x00000010UL
|
||||
#define COMMON_IPC__WRITE 0x00000020UL
|
||||
#define COMMON_IPC__ASSOCIATE 0x00000040UL
|
||||
#define COMMON_IPC__UNIX_READ 0x00000080UL
|
||||
#define COMMON_IPC__UNIX_WRITE 0x00000100UL
|
||||
#define FILESYSTEM__MOUNT 0x00000001UL
|
||||
#define FILESYSTEM__REMOUNT 0x00000002UL
|
||||
#define FILESYSTEM__UNMOUNT 0x00000004UL
|
||||
#define FILESYSTEM__GETATTR 0x00000008UL
|
||||
#define FILESYSTEM__RELABELFROM 0x00000010UL
|
||||
#define FILESYSTEM__RELABELTO 0x00000020UL
|
||||
#define FILESYSTEM__TRANSITION 0x00000040UL
|
||||
#define FILESYSTEM__ASSOCIATE 0x00000080UL
|
||||
#define FILESYSTEM__QUOTAMOD 0x00000100UL
|
||||
#define FILESYSTEM__QUOTAGET 0x00000200UL
|
||||
#define DIR__IOCTL 0x00000001UL
|
||||
#define DIR__READ 0x00000002UL
|
||||
#define DIR__WRITE 0x00000004UL
|
||||
#define DIR__CREATE 0x00000008UL
|
||||
#define DIR__GETATTR 0x00000010UL
|
||||
#define DIR__SETATTR 0x00000020UL
|
||||
#define DIR__LOCK 0x00000040UL
|
||||
#define DIR__RELABELFROM 0x00000080UL
|
||||
#define DIR__RELABELTO 0x00000100UL
|
||||
#define DIR__APPEND 0x00000200UL
|
||||
#define DIR__UNLINK 0x00000400UL
|
||||
#define DIR__LINK 0x00000800UL
|
||||
#define DIR__RENAME 0x00001000UL
|
||||
#define DIR__EXECUTE 0x00002000UL
|
||||
#define DIR__SWAPON 0x00004000UL
|
||||
#define DIR__QUOTAON 0x00008000UL
|
||||
#define DIR__MOUNTON 0x00010000UL
|
||||
#define DIR__ADD_NAME 0x00020000UL
|
||||
#define DIR__REMOVE_NAME 0x00040000UL
|
||||
#define DIR__REPARENT 0x00080000UL
|
||||
#define DIR__SEARCH 0x00100000UL
|
||||
#define DIR__RMDIR 0x00200000UL
|
||||
#define DIR__OPEN 0x00400000UL
|
||||
#define FILE__IOCTL 0x00000001UL
|
||||
#define FILE__READ 0x00000002UL
|
||||
#define FILE__WRITE 0x00000004UL
|
||||
#define FILE__CREATE 0x00000008UL
|
||||
#define FILE__GETATTR 0x00000010UL
|
||||
#define FILE__SETATTR 0x00000020UL
|
||||
#define FILE__LOCK 0x00000040UL
|
||||
#define FILE__RELABELFROM 0x00000080UL
|
||||
#define FILE__RELABELTO 0x00000100UL
|
||||
#define FILE__APPEND 0x00000200UL
|
||||
#define FILE__UNLINK 0x00000400UL
|
||||
#define FILE__LINK 0x00000800UL
|
||||
#define FILE__RENAME 0x00001000UL
|
||||
#define FILE__EXECUTE 0x00002000UL
|
||||
#define FILE__SWAPON 0x00004000UL
|
||||
#define FILE__QUOTAON 0x00008000UL
|
||||
#define FILE__MOUNTON 0x00010000UL
|
||||
#define FILE__EXECUTE_NO_TRANS 0x00020000UL
|
||||
#define FILE__ENTRYPOINT 0x00040000UL
|
||||
#define FILE__EXECMOD 0x00080000UL
|
||||
#define FILE__OPEN 0x00100000UL
|
||||
#define LNK_FILE__IOCTL 0x00000001UL
|
||||
#define LNK_FILE__READ 0x00000002UL
|
||||
#define LNK_FILE__WRITE 0x00000004UL
|
||||
#define LNK_FILE__CREATE 0x00000008UL
|
||||
#define LNK_FILE__GETATTR 0x00000010UL
|
||||
#define LNK_FILE__SETATTR 0x00000020UL
|
||||
#define LNK_FILE__LOCK 0x00000040UL
|
||||
#define LNK_FILE__RELABELFROM 0x00000080UL
|
||||
#define LNK_FILE__RELABELTO 0x00000100UL
|
||||
#define LNK_FILE__APPEND 0x00000200UL
|
||||
#define LNK_FILE__UNLINK 0x00000400UL
|
||||
#define LNK_FILE__LINK 0x00000800UL
|
||||
#define LNK_FILE__RENAME 0x00001000UL
|
||||
#define LNK_FILE__EXECUTE 0x00002000UL
|
||||
#define LNK_FILE__SWAPON 0x00004000UL
|
||||
#define LNK_FILE__QUOTAON 0x00008000UL
|
||||
#define LNK_FILE__MOUNTON 0x00010000UL
|
||||
#define CHR_FILE__IOCTL 0x00000001UL
|
||||
#define CHR_FILE__READ 0x00000002UL
|
||||
#define CHR_FILE__WRITE 0x00000004UL
|
||||
#define CHR_FILE__CREATE 0x00000008UL
|
||||
#define CHR_FILE__GETATTR 0x00000010UL
|
||||
#define CHR_FILE__SETATTR 0x00000020UL
|
||||
#define CHR_FILE__LOCK 0x00000040UL
|
||||
#define CHR_FILE__RELABELFROM 0x00000080UL
|
||||
#define CHR_FILE__RELABELTO 0x00000100UL
|
||||
#define CHR_FILE__APPEND 0x00000200UL
|
||||
#define CHR_FILE__UNLINK 0x00000400UL
|
||||
#define CHR_FILE__LINK 0x00000800UL
|
||||
#define CHR_FILE__RENAME 0x00001000UL
|
||||
#define CHR_FILE__EXECUTE 0x00002000UL
|
||||
#define CHR_FILE__SWAPON 0x00004000UL
|
||||
#define CHR_FILE__QUOTAON 0x00008000UL
|
||||
#define CHR_FILE__MOUNTON 0x00010000UL
|
||||
#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
|
||||
#define CHR_FILE__ENTRYPOINT 0x00040000UL
|
||||
#define CHR_FILE__EXECMOD 0x00080000UL
|
||||
#define CHR_FILE__OPEN 0x00100000UL
|
||||
#define BLK_FILE__IOCTL 0x00000001UL
|
||||
#define BLK_FILE__READ 0x00000002UL
|
||||
#define BLK_FILE__WRITE 0x00000004UL
|
||||
#define BLK_FILE__CREATE 0x00000008UL
|
||||
#define BLK_FILE__GETATTR 0x00000010UL
|
||||
#define BLK_FILE__SETATTR 0x00000020UL
|
||||
#define BLK_FILE__LOCK 0x00000040UL
|
||||
#define BLK_FILE__RELABELFROM 0x00000080UL
|
||||
#define BLK_FILE__RELABELTO 0x00000100UL
|
||||
#define BLK_FILE__APPEND 0x00000200UL
|
||||
#define BLK_FILE__UNLINK 0x00000400UL
|
||||
#define BLK_FILE__LINK 0x00000800UL
|
||||
#define BLK_FILE__RENAME 0x00001000UL
|
||||
#define BLK_FILE__EXECUTE 0x00002000UL
|
||||
#define BLK_FILE__SWAPON 0x00004000UL
|
||||
#define BLK_FILE__QUOTAON 0x00008000UL
|
||||
#define BLK_FILE__MOUNTON 0x00010000UL
|
||||
#define BLK_FILE__OPEN 0x00020000UL
|
||||
#define SOCK_FILE__IOCTL 0x00000001UL
|
||||
#define SOCK_FILE__READ 0x00000002UL
|
||||
#define SOCK_FILE__WRITE 0x00000004UL
|
||||
#define SOCK_FILE__CREATE 0x00000008UL
|
||||
#define SOCK_FILE__GETATTR 0x00000010UL
|
||||
#define SOCK_FILE__SETATTR 0x00000020UL
|
||||
#define SOCK_FILE__LOCK 0x00000040UL
|
||||
#define SOCK_FILE__RELABELFROM 0x00000080UL
|
||||
#define SOCK_FILE__RELABELTO 0x00000100UL
|
||||
#define SOCK_FILE__APPEND 0x00000200UL
|
||||
#define SOCK_FILE__UNLINK 0x00000400UL
|
||||
#define SOCK_FILE__LINK 0x00000800UL
|
||||
#define SOCK_FILE__RENAME 0x00001000UL
|
||||
#define SOCK_FILE__EXECUTE 0x00002000UL
|
||||
#define SOCK_FILE__SWAPON 0x00004000UL
|
||||
#define SOCK_FILE__QUOTAON 0x00008000UL
|
||||
#define SOCK_FILE__MOUNTON 0x00010000UL
|
||||
#define SOCK_FILE__OPEN 0x00020000UL
|
||||
#define FIFO_FILE__IOCTL 0x00000001UL
|
||||
#define FIFO_FILE__READ 0x00000002UL
|
||||
#define FIFO_FILE__WRITE 0x00000004UL
|
||||
#define FIFO_FILE__CREATE 0x00000008UL
|
||||
#define FIFO_FILE__GETATTR 0x00000010UL
|
||||
#define FIFO_FILE__SETATTR 0x00000020UL
|
||||
#define FIFO_FILE__LOCK 0x00000040UL
|
||||
#define FIFO_FILE__RELABELFROM 0x00000080UL
|
||||
#define FIFO_FILE__RELABELTO 0x00000100UL
|
||||
#define FIFO_FILE__APPEND 0x00000200UL
|
||||
#define FIFO_FILE__UNLINK 0x00000400UL
|
||||
#define FIFO_FILE__LINK 0x00000800UL
|
||||
#define FIFO_FILE__RENAME 0x00001000UL
|
||||
#define FIFO_FILE__EXECUTE 0x00002000UL
|
||||
#define FIFO_FILE__SWAPON 0x00004000UL
|
||||
#define FIFO_FILE__QUOTAON 0x00008000UL
|
||||
#define FIFO_FILE__MOUNTON 0x00010000UL
|
||||
#define FIFO_FILE__OPEN 0x00020000UL
|
||||
#define FD__USE 0x00000001UL
|
||||
#define SOCKET__IOCTL 0x00000001UL
|
||||
#define SOCKET__READ 0x00000002UL
|
||||
#define SOCKET__WRITE 0x00000004UL
|
||||
#define SOCKET__CREATE 0x00000008UL
|
||||
#define SOCKET__GETATTR 0x00000010UL
|
||||
#define SOCKET__SETATTR 0x00000020UL
|
||||
#define SOCKET__LOCK 0x00000040UL
|
||||
#define SOCKET__RELABELFROM 0x00000080UL
|
||||
#define SOCKET__RELABELTO 0x00000100UL
|
||||
#define SOCKET__APPEND 0x00000200UL
|
||||
#define SOCKET__BIND 0x00000400UL
|
||||
#define SOCKET__CONNECT 0x00000800UL
|
||||
#define SOCKET__LISTEN 0x00001000UL
|
||||
#define SOCKET__ACCEPT 0x00002000UL
|
||||
#define SOCKET__GETOPT 0x00004000UL
|
||||
#define SOCKET__SETOPT 0x00008000UL
|
||||
#define SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define SOCKET__RECVFROM 0x00020000UL
|
||||
#define SOCKET__SENDTO 0x00040000UL
|
||||
#define SOCKET__RECV_MSG 0x00080000UL
|
||||
#define SOCKET__SEND_MSG 0x00100000UL
|
||||
#define SOCKET__NAME_BIND 0x00200000UL
|
||||
#define TCP_SOCKET__IOCTL 0x00000001UL
|
||||
#define TCP_SOCKET__READ 0x00000002UL
|
||||
#define TCP_SOCKET__WRITE 0x00000004UL
|
||||
#define TCP_SOCKET__CREATE 0x00000008UL
|
||||
#define TCP_SOCKET__GETATTR 0x00000010UL
|
||||
#define TCP_SOCKET__SETATTR 0x00000020UL
|
||||
#define TCP_SOCKET__LOCK 0x00000040UL
|
||||
#define TCP_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define TCP_SOCKET__RELABELTO 0x00000100UL
|
||||
#define TCP_SOCKET__APPEND 0x00000200UL
|
||||
#define TCP_SOCKET__BIND 0x00000400UL
|
||||
#define TCP_SOCKET__CONNECT 0x00000800UL
|
||||
#define TCP_SOCKET__LISTEN 0x00001000UL
|
||||
#define TCP_SOCKET__ACCEPT 0x00002000UL
|
||||
#define TCP_SOCKET__GETOPT 0x00004000UL
|
||||
#define TCP_SOCKET__SETOPT 0x00008000UL
|
||||
#define TCP_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define TCP_SOCKET__RECVFROM 0x00020000UL
|
||||
#define TCP_SOCKET__SENDTO 0x00040000UL
|
||||
#define TCP_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define TCP_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define TCP_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define TCP_SOCKET__CONNECTTO 0x00400000UL
|
||||
#define TCP_SOCKET__NEWCONN 0x00800000UL
|
||||
#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
|
||||
#define TCP_SOCKET__NODE_BIND 0x02000000UL
|
||||
#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
|
||||
#define UDP_SOCKET__IOCTL 0x00000001UL
|
||||
#define UDP_SOCKET__READ 0x00000002UL
|
||||
#define UDP_SOCKET__WRITE 0x00000004UL
|
||||
#define UDP_SOCKET__CREATE 0x00000008UL
|
||||
#define UDP_SOCKET__GETATTR 0x00000010UL
|
||||
#define UDP_SOCKET__SETATTR 0x00000020UL
|
||||
#define UDP_SOCKET__LOCK 0x00000040UL
|
||||
#define UDP_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define UDP_SOCKET__RELABELTO 0x00000100UL
|
||||
#define UDP_SOCKET__APPEND 0x00000200UL
|
||||
#define UDP_SOCKET__BIND 0x00000400UL
|
||||
#define UDP_SOCKET__CONNECT 0x00000800UL
|
||||
#define UDP_SOCKET__LISTEN 0x00001000UL
|
||||
#define UDP_SOCKET__ACCEPT 0x00002000UL
|
||||
#define UDP_SOCKET__GETOPT 0x00004000UL
|
||||
#define UDP_SOCKET__SETOPT 0x00008000UL
|
||||
#define UDP_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define UDP_SOCKET__RECVFROM 0x00020000UL
|
||||
#define UDP_SOCKET__SENDTO 0x00040000UL
|
||||
#define UDP_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define UDP_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define UDP_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define UDP_SOCKET__NODE_BIND 0x00400000UL
|
||||
#define RAWIP_SOCKET__IOCTL 0x00000001UL
|
||||
#define RAWIP_SOCKET__READ 0x00000002UL
|
||||
#define RAWIP_SOCKET__WRITE 0x00000004UL
|
||||
#define RAWIP_SOCKET__CREATE 0x00000008UL
|
||||
#define RAWIP_SOCKET__GETATTR 0x00000010UL
|
||||
#define RAWIP_SOCKET__SETATTR 0x00000020UL
|
||||
#define RAWIP_SOCKET__LOCK 0x00000040UL
|
||||
#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define RAWIP_SOCKET__RELABELTO 0x00000100UL
|
||||
#define RAWIP_SOCKET__APPEND 0x00000200UL
|
||||
#define RAWIP_SOCKET__BIND 0x00000400UL
|
||||
#define RAWIP_SOCKET__CONNECT 0x00000800UL
|
||||
#define RAWIP_SOCKET__LISTEN 0x00001000UL
|
||||
#define RAWIP_SOCKET__ACCEPT 0x00002000UL
|
||||
#define RAWIP_SOCKET__GETOPT 0x00004000UL
|
||||
#define RAWIP_SOCKET__SETOPT 0x00008000UL
|
||||
#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define RAWIP_SOCKET__RECVFROM 0x00020000UL
|
||||
#define RAWIP_SOCKET__SENDTO 0x00040000UL
|
||||
#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
|
||||
#define NODE__TCP_RECV 0x00000001UL
|
||||
#define NODE__TCP_SEND 0x00000002UL
|
||||
#define NODE__UDP_RECV 0x00000004UL
|
||||
#define NODE__UDP_SEND 0x00000008UL
|
||||
#define NODE__RAWIP_RECV 0x00000010UL
|
||||
#define NODE__RAWIP_SEND 0x00000020UL
|
||||
#define NODE__ENFORCE_DEST 0x00000040UL
|
||||
#define NODE__DCCP_RECV 0x00000080UL
|
||||
#define NODE__DCCP_SEND 0x00000100UL
|
||||
#define NODE__RECVFROM 0x00000200UL
|
||||
#define NODE__SENDTO 0x00000400UL
|
||||
#define NETIF__TCP_RECV 0x00000001UL
|
||||
#define NETIF__TCP_SEND 0x00000002UL
|
||||
#define NETIF__UDP_RECV 0x00000004UL
|
||||
#define NETIF__UDP_SEND 0x00000008UL
|
||||
#define NETIF__RAWIP_RECV 0x00000010UL
|
||||
#define NETIF__RAWIP_SEND 0x00000020UL
|
||||
#define NETIF__DCCP_RECV 0x00000040UL
|
||||
#define NETIF__DCCP_SEND 0x00000080UL
|
||||
#define NETIF__INGRESS 0x00000100UL
|
||||
#define NETIF__EGRESS 0x00000200UL
|
||||
#define NETLINK_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define PACKET_SOCKET__IOCTL 0x00000001UL
|
||||
#define PACKET_SOCKET__READ 0x00000002UL
|
||||
#define PACKET_SOCKET__WRITE 0x00000004UL
|
||||
#define PACKET_SOCKET__CREATE 0x00000008UL
|
||||
#define PACKET_SOCKET__GETATTR 0x00000010UL
|
||||
#define PACKET_SOCKET__SETATTR 0x00000020UL
|
||||
#define PACKET_SOCKET__LOCK 0x00000040UL
|
||||
#define PACKET_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define PACKET_SOCKET__RELABELTO 0x00000100UL
|
||||
#define PACKET_SOCKET__APPEND 0x00000200UL
|
||||
#define PACKET_SOCKET__BIND 0x00000400UL
|
||||
#define PACKET_SOCKET__CONNECT 0x00000800UL
|
||||
#define PACKET_SOCKET__LISTEN 0x00001000UL
|
||||
#define PACKET_SOCKET__ACCEPT 0x00002000UL
|
||||
#define PACKET_SOCKET__GETOPT 0x00004000UL
|
||||
#define PACKET_SOCKET__SETOPT 0x00008000UL
|
||||
#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define PACKET_SOCKET__RECVFROM 0x00020000UL
|
||||
#define PACKET_SOCKET__SENDTO 0x00040000UL
|
||||
#define PACKET_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define PACKET_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define PACKET_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define KEY_SOCKET__IOCTL 0x00000001UL
|
||||
#define KEY_SOCKET__READ 0x00000002UL
|
||||
#define KEY_SOCKET__WRITE 0x00000004UL
|
||||
#define KEY_SOCKET__CREATE 0x00000008UL
|
||||
#define KEY_SOCKET__GETATTR 0x00000010UL
|
||||
#define KEY_SOCKET__SETATTR 0x00000020UL
|
||||
#define KEY_SOCKET__LOCK 0x00000040UL
|
||||
#define KEY_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define KEY_SOCKET__RELABELTO 0x00000100UL
|
||||
#define KEY_SOCKET__APPEND 0x00000200UL
|
||||
#define KEY_SOCKET__BIND 0x00000400UL
|
||||
#define KEY_SOCKET__CONNECT 0x00000800UL
|
||||
#define KEY_SOCKET__LISTEN 0x00001000UL
|
||||
#define KEY_SOCKET__ACCEPT 0x00002000UL
|
||||
#define KEY_SOCKET__GETOPT 0x00004000UL
|
||||
#define KEY_SOCKET__SETOPT 0x00008000UL
|
||||
#define KEY_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define KEY_SOCKET__RECVFROM 0x00020000UL
|
||||
#define KEY_SOCKET__SENDTO 0x00040000UL
|
||||
#define KEY_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define KEY_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define KEY_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
|
||||
#define UNIX_STREAM_SOCKET__READ 0x00000002UL
|
||||
#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
|
||||
#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
|
||||
#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
|
||||
#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
|
||||
#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
|
||||
#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
|
||||
#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
|
||||
#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
|
||||
#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
|
||||
#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
|
||||
#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
|
||||
#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
|
||||
#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
|
||||
#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
|
||||
#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
|
||||
#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
|
||||
#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
|
||||
#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
|
||||
#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
|
||||
#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
|
||||
#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
|
||||
#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
|
||||
#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
|
||||
#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
|
||||
#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
|
||||
#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
|
||||
#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
|
||||
#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
|
||||
#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
|
||||
#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
|
||||
#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
|
||||
#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
|
||||
#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
|
||||
#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
|
||||
#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
|
||||
#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define TUN_SOCKET__IOCTL 0x00000001UL
|
||||
#define TUN_SOCKET__READ 0x00000002UL
|
||||
#define TUN_SOCKET__WRITE 0x00000004UL
|
||||
#define TUN_SOCKET__CREATE 0x00000008UL
|
||||
#define TUN_SOCKET__GETATTR 0x00000010UL
|
||||
#define TUN_SOCKET__SETATTR 0x00000020UL
|
||||
#define TUN_SOCKET__LOCK 0x00000040UL
|
||||
#define TUN_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define TUN_SOCKET__RELABELTO 0x00000100UL
|
||||
#define TUN_SOCKET__APPEND 0x00000200UL
|
||||
#define TUN_SOCKET__BIND 0x00000400UL
|
||||
#define TUN_SOCKET__CONNECT 0x00000800UL
|
||||
#define TUN_SOCKET__LISTEN 0x00001000UL
|
||||
#define TUN_SOCKET__ACCEPT 0x00002000UL
|
||||
#define TUN_SOCKET__GETOPT 0x00004000UL
|
||||
#define TUN_SOCKET__SETOPT 0x00008000UL
|
||||
#define TUN_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define TUN_SOCKET__RECVFROM 0x00020000UL
|
||||
#define TUN_SOCKET__SENDTO 0x00040000UL
|
||||
#define TUN_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define TUN_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define TUN_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define PROCESS__FORK 0x00000001UL
|
||||
#define PROCESS__TRANSITION 0x00000002UL
|
||||
#define PROCESS__SIGCHLD 0x00000004UL
|
||||
#define PROCESS__SIGKILL 0x00000008UL
|
||||
#define PROCESS__SIGSTOP 0x00000010UL
|
||||
#define PROCESS__SIGNULL 0x00000020UL
|
||||
#define PROCESS__SIGNAL 0x00000040UL
|
||||
#define PROCESS__PTRACE 0x00000080UL
|
||||
#define PROCESS__GETSCHED 0x00000100UL
|
||||
#define PROCESS__SETSCHED 0x00000200UL
|
||||
#define PROCESS__GETSESSION 0x00000400UL
|
||||
#define PROCESS__GETPGID 0x00000800UL
|
||||
#define PROCESS__SETPGID 0x00001000UL
|
||||
#define PROCESS__GETCAP 0x00002000UL
|
||||
#define PROCESS__SETCAP 0x00004000UL
|
||||
#define PROCESS__SHARE 0x00008000UL
|
||||
#define PROCESS__GETATTR 0x00010000UL
|
||||
#define PROCESS__SETEXEC 0x00020000UL
|
||||
#define PROCESS__SETFSCREATE 0x00040000UL
|
||||
#define PROCESS__NOATSECURE 0x00080000UL
|
||||
#define PROCESS__SIGINH 0x00100000UL
|
||||
#define PROCESS__SETRLIMIT 0x00200000UL
|
||||
#define PROCESS__RLIMITINH 0x00400000UL
|
||||
#define PROCESS__DYNTRANSITION 0x00800000UL
|
||||
#define PROCESS__SETCURRENT 0x01000000UL
|
||||
#define PROCESS__EXECMEM 0x02000000UL
|
||||
#define PROCESS__EXECSTACK 0x04000000UL
|
||||
#define PROCESS__EXECHEAP 0x08000000UL
|
||||
#define PROCESS__SETKEYCREATE 0x10000000UL
|
||||
#define PROCESS__SETSOCKCREATE 0x20000000UL
|
||||
#define IPC__CREATE 0x00000001UL
|
||||
#define IPC__DESTROY 0x00000002UL
|
||||
#define IPC__GETATTR 0x00000004UL
|
||||
#define IPC__SETATTR 0x00000008UL
|
||||
#define IPC__READ 0x00000010UL
|
||||
#define IPC__WRITE 0x00000020UL
|
||||
#define IPC__ASSOCIATE 0x00000040UL
|
||||
#define IPC__UNIX_READ 0x00000080UL
|
||||
#define IPC__UNIX_WRITE 0x00000100UL
|
||||
#define SEM__CREATE 0x00000001UL
|
||||
#define SEM__DESTROY 0x00000002UL
|
||||
#define SEM__GETATTR 0x00000004UL
|
||||
#define SEM__SETATTR 0x00000008UL
|
||||
#define SEM__READ 0x00000010UL
|
||||
#define SEM__WRITE 0x00000020UL
|
||||
#define SEM__ASSOCIATE 0x00000040UL
|
||||
#define SEM__UNIX_READ 0x00000080UL
|
||||
#define SEM__UNIX_WRITE 0x00000100UL
|
||||
#define MSGQ__CREATE 0x00000001UL
|
||||
#define MSGQ__DESTROY 0x00000002UL
|
||||
#define MSGQ__GETATTR 0x00000004UL
|
||||
#define MSGQ__SETATTR 0x00000008UL
|
||||
#define MSGQ__READ 0x00000010UL
|
||||
#define MSGQ__WRITE 0x00000020UL
|
||||
#define MSGQ__ASSOCIATE 0x00000040UL
|
||||
#define MSGQ__UNIX_READ 0x00000080UL
|
||||
#define MSGQ__UNIX_WRITE 0x00000100UL
|
||||
#define MSGQ__ENQUEUE 0x00000200UL
|
||||
#define MSG__SEND 0x00000001UL
|
||||
#define MSG__RECEIVE 0x00000002UL
|
||||
#define SHM__CREATE 0x00000001UL
|
||||
#define SHM__DESTROY 0x00000002UL
|
||||
#define SHM__GETATTR 0x00000004UL
|
||||
#define SHM__SETATTR 0x00000008UL
|
||||
#define SHM__READ 0x00000010UL
|
||||
#define SHM__WRITE 0x00000020UL
|
||||
#define SHM__ASSOCIATE 0x00000040UL
|
||||
#define SHM__UNIX_READ 0x00000080UL
|
||||
#define SHM__UNIX_WRITE 0x00000100UL
|
||||
#define SHM__LOCK 0x00000200UL
|
||||
#define SECURITY__COMPUTE_AV 0x00000001UL
|
||||
#define SECURITY__COMPUTE_CREATE 0x00000002UL
|
||||
#define SECURITY__COMPUTE_MEMBER 0x00000004UL
|
||||
#define SECURITY__CHECK_CONTEXT 0x00000008UL
|
||||
#define SECURITY__LOAD_POLICY 0x00000010UL
|
||||
#define SECURITY__COMPUTE_RELABEL 0x00000020UL
|
||||
#define SECURITY__COMPUTE_USER 0x00000040UL
|
||||
#define SECURITY__SETENFORCE 0x00000080UL
|
||||
#define SECURITY__SETBOOL 0x00000100UL
|
||||
#define SECURITY__SETSECPARAM 0x00000200UL
|
||||
#define SECURITY__SETCHECKREQPROT 0x00000400UL
|
||||
#define SYSTEM__IPC_INFO 0x00000001UL
|
||||
#define SYSTEM__SYSLOG_READ 0x00000002UL
|
||||
#define SYSTEM__SYSLOG_MOD 0x00000004UL
|
||||
#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
|
||||
#define SYSTEM__MODULE_REQUEST 0x00000010UL
|
||||
#define CAPABILITY__CHOWN 0x00000001UL
|
||||
#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
|
||||
#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
|
||||
#define CAPABILITY__FOWNER 0x00000008UL
|
||||
#define CAPABILITY__FSETID 0x00000010UL
|
||||
#define CAPABILITY__KILL 0x00000020UL
|
||||
#define CAPABILITY__SETGID 0x00000040UL
|
||||
#define CAPABILITY__SETUID 0x00000080UL
|
||||
#define CAPABILITY__SETPCAP 0x00000100UL
|
||||
#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
|
||||
#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
|
||||
#define CAPABILITY__NET_BROADCAST 0x00000800UL
|
||||
#define CAPABILITY__NET_ADMIN 0x00001000UL
|
||||
#define CAPABILITY__NET_RAW 0x00002000UL
|
||||
#define CAPABILITY__IPC_LOCK 0x00004000UL
|
||||
#define CAPABILITY__IPC_OWNER 0x00008000UL
|
||||
#define CAPABILITY__SYS_MODULE 0x00010000UL
|
||||
#define CAPABILITY__SYS_RAWIO 0x00020000UL
|
||||
#define CAPABILITY__SYS_CHROOT 0x00040000UL
|
||||
#define CAPABILITY__SYS_PTRACE 0x00080000UL
|
||||
#define CAPABILITY__SYS_PACCT 0x00100000UL
|
||||
#define CAPABILITY__SYS_ADMIN 0x00200000UL
|
||||
#define CAPABILITY__SYS_BOOT 0x00400000UL
|
||||
#define CAPABILITY__SYS_NICE 0x00800000UL
|
||||
#define CAPABILITY__SYS_RESOURCE 0x01000000UL
|
||||
#define CAPABILITY__SYS_TIME 0x02000000UL
|
||||
#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
|
||||
#define CAPABILITY__MKNOD 0x08000000UL
|
||||
#define CAPABILITY__LEASE 0x10000000UL
|
||||
#define CAPABILITY__AUDIT_WRITE 0x20000000UL
|
||||
#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
|
||||
#define CAPABILITY__SETFCAP 0x80000000UL
|
||||
#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
|
||||
#define CAPABILITY2__MAC_ADMIN 0x00000002UL
|
||||
#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
|
||||
#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
|
||||
#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
|
||||
#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
|
||||
#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define ASSOCIATION__SENDTO 0x00000001UL
|
||||
#define ASSOCIATION__RECVFROM 0x00000002UL
|
||||
#define ASSOCIATION__SETCONTEXT 0x00000004UL
|
||||
#define ASSOCIATION__POLMATCH 0x00000008UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define APPLETALK_SOCKET__IOCTL 0x00000001UL
|
||||
#define APPLETALK_SOCKET__READ 0x00000002UL
|
||||
#define APPLETALK_SOCKET__WRITE 0x00000004UL
|
||||
#define APPLETALK_SOCKET__CREATE 0x00000008UL
|
||||
#define APPLETALK_SOCKET__GETATTR 0x00000010UL
|
||||
#define APPLETALK_SOCKET__SETATTR 0x00000020UL
|
||||
#define APPLETALK_SOCKET__LOCK 0x00000040UL
|
||||
#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
|
||||
#define APPLETALK_SOCKET__APPEND 0x00000200UL
|
||||
#define APPLETALK_SOCKET__BIND 0x00000400UL
|
||||
#define APPLETALK_SOCKET__CONNECT 0x00000800UL
|
||||
#define APPLETALK_SOCKET__LISTEN 0x00001000UL
|
||||
#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
|
||||
#define APPLETALK_SOCKET__GETOPT 0x00004000UL
|
||||
#define APPLETALK_SOCKET__SETOPT 0x00008000UL
|
||||
#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
|
||||
#define APPLETALK_SOCKET__SENDTO 0x00040000UL
|
||||
#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define PACKET__SEND 0x00000001UL
|
||||
#define PACKET__RECV 0x00000002UL
|
||||
#define PACKET__RELABELTO 0x00000004UL
|
||||
#define PACKET__FLOW_IN 0x00000008UL
|
||||
#define PACKET__FLOW_OUT 0x00000010UL
|
||||
#define PACKET__FORWARD_IN 0x00000020UL
|
||||
#define PACKET__FORWARD_OUT 0x00000040UL
|
||||
#define KEY__VIEW 0x00000001UL
|
||||
#define KEY__READ 0x00000002UL
|
||||
#define KEY__WRITE 0x00000004UL
|
||||
#define KEY__SEARCH 0x00000008UL
|
||||
#define KEY__LINK 0x00000010UL
|
||||
#define KEY__SETATTR 0x00000020UL
|
||||
#define KEY__CREATE 0x00000040UL
|
||||
#define DCCP_SOCKET__IOCTL 0x00000001UL
|
||||
#define DCCP_SOCKET__READ 0x00000002UL
|
||||
#define DCCP_SOCKET__WRITE 0x00000004UL
|
||||
#define DCCP_SOCKET__CREATE 0x00000008UL
|
||||
#define DCCP_SOCKET__GETATTR 0x00000010UL
|
||||
#define DCCP_SOCKET__SETATTR 0x00000020UL
|
||||
#define DCCP_SOCKET__LOCK 0x00000040UL
|
||||
#define DCCP_SOCKET__RELABELFROM 0x00000080UL
|
||||
#define DCCP_SOCKET__RELABELTO 0x00000100UL
|
||||
#define DCCP_SOCKET__APPEND 0x00000200UL
|
||||
#define DCCP_SOCKET__BIND 0x00000400UL
|
||||
#define DCCP_SOCKET__CONNECT 0x00000800UL
|
||||
#define DCCP_SOCKET__LISTEN 0x00001000UL
|
||||
#define DCCP_SOCKET__ACCEPT 0x00002000UL
|
||||
#define DCCP_SOCKET__GETOPT 0x00004000UL
|
||||
#define DCCP_SOCKET__SETOPT 0x00008000UL
|
||||
#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
|
||||
#define DCCP_SOCKET__RECVFROM 0x00020000UL
|
||||
#define DCCP_SOCKET__SENDTO 0x00040000UL
|
||||
#define DCCP_SOCKET__RECV_MSG 0x00080000UL
|
||||
#define DCCP_SOCKET__SEND_MSG 0x00100000UL
|
||||
#define DCCP_SOCKET__NAME_BIND 0x00200000UL
|
||||
#define DCCP_SOCKET__NODE_BIND 0x00400000UL
|
||||
#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
|
||||
#define MEMPROTECT__MMAP_ZERO 0x00000001UL
|
||||
#define PEER__RECV 0x00000001UL
|
||||
#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
|
||||
#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
|
@ -10,26 +10,13 @@
|
||||
|
||||
int avc_ss_reset(u32 seqno);
|
||||
|
||||
struct av_perm_to_string {
|
||||
u16 tclass;
|
||||
u32 value;
|
||||
/* Class/perm mapping support */
|
||||
struct security_class_mapping {
|
||||
const char *name;
|
||||
const char *perms[sizeof(u32) * 8 + 1];
|
||||
};
|
||||
|
||||
struct av_inherit {
|
||||
const char **common_pts;
|
||||
u32 common_base;
|
||||
u16 tclass;
|
||||
};
|
||||
|
||||
struct selinux_class_perm {
|
||||
const struct av_perm_to_string *av_perm_to_string;
|
||||
u32 av_pts_len;
|
||||
u32 cts_len;
|
||||
const char **class_to_string;
|
||||
const struct av_inherit *av_inherit;
|
||||
u32 av_inherit_len;
|
||||
};
|
||||
extern struct security_class_mapping secclass_map[];
|
||||
|
||||
#endif /* _SELINUX_AVC_SS_H_ */
|
||||
|
||||
|
@ -1,80 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
/*
|
||||
* Security object class definitions
|
||||
*/
|
||||
S_(NULL)
|
||||
S_("security")
|
||||
S_("process")
|
||||
S_("system")
|
||||
S_("capability")
|
||||
S_("filesystem")
|
||||
S_("file")
|
||||
S_("dir")
|
||||
S_("fd")
|
||||
S_("lnk_file")
|
||||
S_("chr_file")
|
||||
S_("blk_file")
|
||||
S_("sock_file")
|
||||
S_("fifo_file")
|
||||
S_("socket")
|
||||
S_("tcp_socket")
|
||||
S_("udp_socket")
|
||||
S_("rawip_socket")
|
||||
S_("node")
|
||||
S_("netif")
|
||||
S_("netlink_socket")
|
||||
S_("packet_socket")
|
||||
S_("key_socket")
|
||||
S_("unix_stream_socket")
|
||||
S_("unix_dgram_socket")
|
||||
S_("sem")
|
||||
S_("msg")
|
||||
S_("msgq")
|
||||
S_("shm")
|
||||
S_("ipc")
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_("netlink_route_socket")
|
||||
S_("netlink_firewall_socket")
|
||||
S_("netlink_tcpdiag_socket")
|
||||
S_("netlink_nflog_socket")
|
||||
S_("netlink_xfrm_socket")
|
||||
S_("netlink_selinux_socket")
|
||||
S_("netlink_audit_socket")
|
||||
S_("netlink_ip6fw_socket")
|
||||
S_("netlink_dnrt_socket")
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_("association")
|
||||
S_("netlink_kobject_uevent_socket")
|
||||
S_("appletalk_socket")
|
||||
S_("packet")
|
||||
S_("key")
|
||||
S_(NULL)
|
||||
S_("dccp_socket")
|
||||
S_("memprotect")
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_("peer")
|
||||
S_("capability2")
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_(NULL)
|
||||
S_("kernel_service")
|
||||
S_("tun_socket")
|
150
security/selinux/include/classmap.h
Normal file
150
security/selinux/include/classmap.h
Normal file
@ -0,0 +1,150 @@
|
||||
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
|
||||
"getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
|
||||
|
||||
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
|
||||
"rename", "execute", "swapon", "quotaon", "mounton"
|
||||
|
||||
#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
|
||||
"listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
|
||||
"sendto", "recv_msg", "send_msg", "name_bind"
|
||||
|
||||
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
|
||||
"write", "associate", "unix_read", "unix_write"
|
||||
|
||||
struct security_class_mapping secclass_map[] = {
|
||||
{ "security",
|
||||
{ "compute_av", "compute_create", "compute_member",
|
||||
"check_context", "load_policy", "compute_relabel",
|
||||
"compute_user", "setenforce", "setbool", "setsecparam",
|
||||
"setcheckreqprot", NULL } },
|
||||
{ "process",
|
||||
{ "fork", "transition", "sigchld", "sigkill",
|
||||
"sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
|
||||
"getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
|
||||
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
|
||||
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
|
||||
"execmem", "execstack", "execheap", "setkeycreate",
|
||||
"setsockcreate", NULL } },
|
||||
{ "system",
|
||||
{ "ipc_info", "syslog_read", "syslog_mod",
|
||||
"syslog_console", "module_request", NULL } },
|
||||
{ "capability",
|
||||
{ "chown", "dac_override", "dac_read_search",
|
||||
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
|
||||
"linux_immutable", "net_bind_service", "net_broadcast",
|
||||
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
|
||||
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
|
||||
"sys_boot", "sys_nice", "sys_resource", "sys_time",
|
||||
"sys_tty_config", "mknod", "lease", "audit_write",
|
||||
"audit_control", "setfcap", NULL } },
|
||||
{ "filesystem",
|
||||
{ "mount", "remount", "unmount", "getattr",
|
||||
"relabelfrom", "relabelto", "transition", "associate", "quotamod",
|
||||
"quotaget", NULL } },
|
||||
{ "file",
|
||||
{ COMMON_FILE_PERMS,
|
||||
"execute_no_trans", "entrypoint", "execmod", "open", NULL } },
|
||||
{ "dir",
|
||||
{ COMMON_FILE_PERMS, "add_name", "remove_name",
|
||||
"reparent", "search", "rmdir", "open", NULL } },
|
||||
{ "fd", { "use", NULL } },
|
||||
{ "lnk_file",
|
||||
{ COMMON_FILE_PERMS, NULL } },
|
||||
{ "chr_file",
|
||||
{ COMMON_FILE_PERMS,
|
||||
"execute_no_trans", "entrypoint", "execmod", "open", NULL } },
|
||||
{ "blk_file",
|
||||
{ COMMON_FILE_PERMS, "open", NULL } },
|
||||
{ "sock_file",
|
||||
{ COMMON_FILE_PERMS, "open", NULL } },
|
||||
{ "fifo_file",
|
||||
{ COMMON_FILE_PERMS, "open", NULL } },
|
||||
{ "socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "tcp_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
|
||||
NULL } },
|
||||
{ "udp_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"node_bind", NULL } },
|
||||
{ "rawip_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"node_bind", NULL } },
|
||||
{ "node",
|
||||
{ "tcp_recv", "tcp_send", "udp_recv", "udp_send",
|
||||
"rawip_recv", "rawip_send", "enforce_dest",
|
||||
"dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
|
||||
{ "netif",
|
||||
{ "tcp_recv", "tcp_send", "udp_recv", "udp_send",
|
||||
"rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
|
||||
"ingress", "egress", NULL } },
|
||||
{ "netlink_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "packet_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "key_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "unix_stream_socket",
|
||||
{ COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
|
||||
} },
|
||||
{ "unix_dgram_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL
|
||||
} },
|
||||
{ "sem",
|
||||
{ COMMON_IPC_PERMS, NULL } },
|
||||
{ "msg", { "send", "receive", NULL } },
|
||||
{ "msgq",
|
||||
{ COMMON_IPC_PERMS, "enqueue", NULL } },
|
||||
{ "shm",
|
||||
{ COMMON_IPC_PERMS, "lock", NULL } },
|
||||
{ "ipc",
|
||||
{ COMMON_IPC_PERMS, NULL } },
|
||||
{ "netlink_route_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ "netlink_firewall_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ "netlink_tcpdiag_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ "netlink_nflog_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_xfrm_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ "netlink_selinux_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "netlink_audit_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
|
||||
"nlmsg_tty_audit", NULL } },
|
||||
{ "netlink_ip6fw_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"nlmsg_read", "nlmsg_write", NULL } },
|
||||
{ "netlink_dnrt_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "association",
|
||||
{ "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
|
||||
{ "netlink_kobject_uevent_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "appletalk_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ "packet",
|
||||
{ "send", "recv", "relabelto", "flow_in", "flow_out",
|
||||
"forward_in", "forward_out", NULL } },
|
||||
{ "key",
|
||||
{ "view", "read", "write", "search", "link", "setattr", "create",
|
||||
NULL } },
|
||||
{ "dccp_socket",
|
||||
{ COMMON_SOCK_PERMS,
|
||||
"node_bind", "name_connect", NULL } },
|
||||
{ "memprotect", { "mmap_zero", NULL } },
|
||||
{ "peer", { "recv", NULL } },
|
||||
{ "capability2", { "mac_override", "mac_admin", NULL } },
|
||||
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
|
||||
{ "tun_socket",
|
||||
{ COMMON_SOCK_PERMS, NULL } },
|
||||
{ NULL }
|
||||
};
|
@ -1,58 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
TB_(common_file_perm_to_string)
|
||||
S_("ioctl")
|
||||
S_("read")
|
||||
S_("write")
|
||||
S_("create")
|
||||
S_("getattr")
|
||||
S_("setattr")
|
||||
S_("lock")
|
||||
S_("relabelfrom")
|
||||
S_("relabelto")
|
||||
S_("append")
|
||||
S_("unlink")
|
||||
S_("link")
|
||||
S_("rename")
|
||||
S_("execute")
|
||||
S_("swapon")
|
||||
S_("quotaon")
|
||||
S_("mounton")
|
||||
TE_(common_file_perm_to_string)
|
||||
|
||||
TB_(common_socket_perm_to_string)
|
||||
S_("ioctl")
|
||||
S_("read")
|
||||
S_("write")
|
||||
S_("create")
|
||||
S_("getattr")
|
||||
S_("setattr")
|
||||
S_("lock")
|
||||
S_("relabelfrom")
|
||||
S_("relabelto")
|
||||
S_("append")
|
||||
S_("bind")
|
||||
S_("connect")
|
||||
S_("listen")
|
||||
S_("accept")
|
||||
S_("getopt")
|
||||
S_("setopt")
|
||||
S_("shutdown")
|
||||
S_("recvfrom")
|
||||
S_("sendto")
|
||||
S_("recv_msg")
|
||||
S_("send_msg")
|
||||
S_("name_bind")
|
||||
TE_(common_socket_perm_to_string)
|
||||
|
||||
TB_(common_ipc_perm_to_string)
|
||||
S_("create")
|
||||
S_("destroy")
|
||||
S_("getattr")
|
||||
S_("setattr")
|
||||
S_("read")
|
||||
S_("write")
|
||||
S_("associate")
|
||||
S_("unix_read")
|
||||
S_("unix_write")
|
||||
TE_(common_ipc_perm_to_string)
|
||||
|
@ -1,91 +0,0 @@
|
||||
/* This file is automatically generated. Do not edit. */
|
||||
#ifndef _SELINUX_FLASK_H_
|
||||
#define _SELINUX_FLASK_H_
|
||||
|
||||
/*
|
||||
* Security object class definitions
|
||||
*/
|
||||
#define SECCLASS_SECURITY 1
|
||||
#define SECCLASS_PROCESS 2
|
||||
#define SECCLASS_SYSTEM 3
|
||||
#define SECCLASS_CAPABILITY 4
|
||||
#define SECCLASS_FILESYSTEM 5
|
||||
#define SECCLASS_FILE 6
|
||||
#define SECCLASS_DIR 7
|
||||
#define SECCLASS_FD 8
|
||||
#define SECCLASS_LNK_FILE 9
|
||||
#define SECCLASS_CHR_FILE 10
|
||||
#define SECCLASS_BLK_FILE 11
|
||||
#define SECCLASS_SOCK_FILE 12
|
||||
#define SECCLASS_FIFO_FILE 13
|
||||
#define SECCLASS_SOCKET 14
|
||||
#define SECCLASS_TCP_SOCKET 15
|
||||
#define SECCLASS_UDP_SOCKET 16
|
||||
#define SECCLASS_RAWIP_SOCKET 17
|
||||
#define SECCLASS_NODE 18
|
||||
#define SECCLASS_NETIF 19
|
||||
#define SECCLASS_NETLINK_SOCKET 20
|
||||
#define SECCLASS_PACKET_SOCKET 21
|
||||
#define SECCLASS_KEY_SOCKET 22
|
||||
#define SECCLASS_UNIX_STREAM_SOCKET 23
|
||||
#define SECCLASS_UNIX_DGRAM_SOCKET 24
|
||||
#define SECCLASS_SEM 25
|
||||
#define SECCLASS_MSG 26
|
||||
#define SECCLASS_MSGQ 27
|
||||
#define SECCLASS_SHM 28
|
||||
#define SECCLASS_IPC 29
|
||||
#define SECCLASS_NETLINK_ROUTE_SOCKET 43
|
||||
#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
|
||||
#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
|
||||
#define SECCLASS_NETLINK_NFLOG_SOCKET 46
|
||||
#define SECCLASS_NETLINK_XFRM_SOCKET 47
|
||||
#define SECCLASS_NETLINK_SELINUX_SOCKET 48
|
||||
#define SECCLASS_NETLINK_AUDIT_SOCKET 49
|
||||
#define SECCLASS_NETLINK_IP6FW_SOCKET 50
|
||||
#define SECCLASS_NETLINK_DNRT_SOCKET 51
|
||||
#define SECCLASS_ASSOCIATION 54
|
||||
#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
|
||||
#define SECCLASS_APPLETALK_SOCKET 56
|
||||
#define SECCLASS_PACKET 57
|
||||
#define SECCLASS_KEY 58
|
||||
#define SECCLASS_DCCP_SOCKET 60
|
||||
#define SECCLASS_MEMPROTECT 61
|
||||
#define SECCLASS_PEER 68
|
||||
#define SECCLASS_CAPABILITY2 69
|
||||
#define SECCLASS_KERNEL_SERVICE 74
|
||||
#define SECCLASS_TUN_SOCKET 75
|
||||
|
||||
/*
|
||||
* Security identifier indices for initial entities
|
||||
*/
|
||||
#define SECINITSID_KERNEL 1
|
||||
#define SECINITSID_SECURITY 2
|
||||
#define SECINITSID_UNLABELED 3
|
||||
#define SECINITSID_FS 4
|
||||
#define SECINITSID_FILE 5
|
||||
#define SECINITSID_FILE_LABELS 6
|
||||
#define SECINITSID_INIT 7
|
||||
#define SECINITSID_ANY_SOCKET 8
|
||||
#define SECINITSID_PORT 9
|
||||
#define SECINITSID_NETIF 10
|
||||
#define SECINITSID_NETMSG 11
|
||||
#define SECINITSID_NODE 12
|
||||
#define SECINITSID_IGMP_PACKET 13
|
||||
#define SECINITSID_ICMP_SOCKET 14
|
||||
#define SECINITSID_TCP_SOCKET 15
|
||||
#define SECINITSID_SYSCTL_MODPROBE 16
|
||||
#define SECINITSID_SYSCTL 17
|
||||
#define SECINITSID_SYSCTL_FS 18
|
||||
#define SECINITSID_SYSCTL_KERNEL 19
|
||||
#define SECINITSID_SYSCTL_NET 20
|
||||
#define SECINITSID_SYSCTL_NET_UNIX 21
|
||||
#define SECINITSID_SYSCTL_VM 22
|
||||
#define SECINITSID_SYSCTL_DEV 23
|
||||
#define SECINITSID_KMOD 24
|
||||
#define SECINITSID_POLICY 25
|
||||
#define SECINITSID_SCMP_PACKET 26
|
||||
#define SECINITSID_DEVNULL 27
|
||||
|
||||
#define SECINITSID_NUM 27
|
||||
|
||||
#endif
|
@ -97,11 +97,18 @@ struct av_decision {
|
||||
#define AVD_FLAGS_PERMISSIVE 0x0001
|
||||
|
||||
int security_compute_av(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 requested,
|
||||
struct av_decision *avd);
|
||||
u16 tclass, u32 requested,
|
||||
struct av_decision *avd);
|
||||
|
||||
int security_compute_av_user(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 requested,
|
||||
struct av_decision *avd);
|
||||
|
||||
int security_transition_sid(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 *out_sid);
|
||||
u16 tclass, u32 *out_sid);
|
||||
|
||||
int security_transition_sid_user(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 *out_sid);
|
||||
|
||||
int security_member_sid(u32 ssid, u32 tsid,
|
||||
u16 tclass, u32 *out_sid);
|
||||
|
@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
|
||||
if (length < 0)
|
||||
goto out2;
|
||||
|
||||
length = security_compute_av(ssid, tsid, tclass, req, &avd);
|
||||
length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
|
||||
if (length < 0)
|
||||
goto out2;
|
||||
|
||||
@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
|
||||
if (length < 0)
|
||||
goto out2;
|
||||
|
||||
length = security_transition_sid(ssid, tsid, tclass, &newsid);
|
||||
length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
|
||||
if (length < 0)
|
||||
goto out2;
|
||||
|
||||
|
@ -2,7 +2,7 @@
|
||||
# Makefile for building the SELinux security server as part of the kernel tree.
|
||||
#
|
||||
|
||||
EXTRA_CFLAGS += -Isecurity/selinux/include
|
||||
EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
|
||||
obj-y := ss.o
|
||||
|
||||
ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
|
||||
|
@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
|
||||
}
|
||||
/* Fallthrough */
|
||||
case AVTAB_CHANGE:
|
||||
if (tclass == SECCLASS_PROCESS)
|
||||
if (tclass == policydb.process_class)
|
||||
/* Use the process MLS attributes. */
|
||||
return mls_context_cpy(newcontext, scontext);
|
||||
else
|
||||
|
@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
|
||||
ebitmap_destroy(&p->type_attr_map[i]);
|
||||
}
|
||||
kfree(p->type_attr_map);
|
||||
kfree(p->undefined_perms);
|
||||
ebitmap_destroy(&p->policycaps);
|
||||
ebitmap_destroy(&p->permissive_map);
|
||||
|
||||
@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
|
||||
|
||||
extern int ss_initialized;
|
||||
|
||||
u16 string_to_security_class(struct policydb *p, const char *name)
|
||||
{
|
||||
struct class_datum *cladatum;
|
||||
|
||||
cladatum = hashtab_search(p->p_classes.table, name);
|
||||
if (!cladatum)
|
||||
return 0;
|
||||
|
||||
return cladatum->value;
|
||||
}
|
||||
|
||||
u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
|
||||
{
|
||||
struct class_datum *cladatum;
|
||||
struct perm_datum *perdatum = NULL;
|
||||
struct common_datum *comdatum;
|
||||
|
||||
if (!tclass || tclass > p->p_classes.nprim)
|
||||
return 0;
|
||||
|
||||
cladatum = p->class_val_to_struct[tclass-1];
|
||||
comdatum = cladatum->comdatum;
|
||||
if (comdatum)
|
||||
perdatum = hashtab_search(comdatum->permissions.table,
|
||||
name);
|
||||
if (!perdatum)
|
||||
perdatum = hashtab_search(cladatum->permissions.table,
|
||||
name);
|
||||
if (!perdatum)
|
||||
return 0;
|
||||
|
||||
return 1U << (perdatum->value-1);
|
||||
}
|
||||
|
||||
/*
|
||||
* Read the configuration data from a policy database binary
|
||||
* representation file into a policy database structure.
|
||||
@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
|
||||
if (rc)
|
||||
goto bad;
|
||||
|
||||
p->process_class = string_to_security_class(p, "process");
|
||||
if (!p->process_class)
|
||||
goto bad;
|
||||
p->process_trans_perms = string_to_av_perm(p, p->process_class,
|
||||
"transition");
|
||||
p->process_trans_perms |= string_to_av_perm(p, p->process_class,
|
||||
"dyntransition");
|
||||
if (!p->process_trans_perms)
|
||||
goto bad;
|
||||
|
||||
for (i = 0; i < info->ocon_num; i++) {
|
||||
rc = next_entry(buf, fp, sizeof(u32));
|
||||
if (rc < 0)
|
||||
@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
|
||||
goto bad;
|
||||
rt->target_class = le32_to_cpu(buf[0]);
|
||||
} else
|
||||
rt->target_class = SECCLASS_PROCESS;
|
||||
rt->target_class = p->process_class;
|
||||
if (!policydb_type_isvalid(p, rt->source_type) ||
|
||||
!policydb_type_isvalid(p, rt->target_type) ||
|
||||
!policydb_class_isvalid(p, rt->target_class)) {
|
||||
|
@ -254,7 +254,9 @@ struct policydb {
|
||||
|
||||
unsigned int reject_unknown : 1;
|
||||
unsigned int allow_unknown : 1;
|
||||
u32 *undefined_perms;
|
||||
|
||||
u16 process_class;
|
||||
u32 process_trans_perms;
|
||||
};
|
||||
|
||||
extern void policydb_destroy(struct policydb *p);
|
||||
@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
|
||||
return 0;
|
||||
}
|
||||
|
||||
extern u16 string_to_security_class(struct policydb *p, const char *name);
|
||||
extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
|
||||
|
||||
#endif /* _SS_POLICYDB_H_ */
|
||||
|
||||
|
@ -65,16 +65,10 @@
|
||||
#include "audit.h"
|
||||
|
||||
extern void selnl_notify_policyload(u32 seqno);
|
||||
unsigned int policydb_loaded_version;
|
||||
|
||||
int selinux_policycap_netpeer;
|
||||
int selinux_policycap_openperm;
|
||||
|
||||
/*
|
||||
* This is declared in avc.c
|
||||
*/
|
||||
extern const struct selinux_class_perm selinux_class_perm;
|
||||
|
||||
static DEFINE_RWLOCK(policy_rwlock);
|
||||
|
||||
static struct sidtab sidtab;
|
||||
@ -98,6 +92,165 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
u16 tclass,
|
||||
u32 requested,
|
||||
struct av_decision *avd);
|
||||
|
||||
struct selinux_mapping {
|
||||
u16 value; /* policy value */
|
||||
unsigned num_perms;
|
||||
u32 perms[sizeof(u32) * 8];
|
||||
};
|
||||
|
||||
static struct selinux_mapping *current_mapping;
|
||||
static u16 current_mapping_size;
|
||||
|
||||
static int selinux_set_mapping(struct policydb *pol,
|
||||
struct security_class_mapping *map,
|
||||
struct selinux_mapping **out_map_p,
|
||||
u16 *out_map_size)
|
||||
{
|
||||
struct selinux_mapping *out_map = NULL;
|
||||
size_t size = sizeof(struct selinux_mapping);
|
||||
u16 i, j;
|
||||
unsigned k;
|
||||
bool print_unknown_handle = false;
|
||||
|
||||
/* Find number of classes in the input mapping */
|
||||
if (!map)
|
||||
return -EINVAL;
|
||||
i = 0;
|
||||
while (map[i].name)
|
||||
i++;
|
||||
|
||||
/* Allocate space for the class records, plus one for class zero */
|
||||
out_map = kcalloc(++i, size, GFP_ATOMIC);
|
||||
if (!out_map)
|
||||
return -ENOMEM;
|
||||
|
||||
/* Store the raw class and permission values */
|
||||
j = 0;
|
||||
while (map[j].name) {
|
||||
struct security_class_mapping *p_in = map + (j++);
|
||||
struct selinux_mapping *p_out = out_map + j;
|
||||
|
||||
/* An empty class string skips ahead */
|
||||
if (!strcmp(p_in->name, "")) {
|
||||
p_out->num_perms = 0;
|
||||
continue;
|
||||
}
|
||||
|
||||
p_out->value = string_to_security_class(pol, p_in->name);
|
||||
if (!p_out->value) {
|
||||
printk(KERN_INFO
|
||||
"SELinux: Class %s not defined in policy.\n",
|
||||
p_in->name);
|
||||
if (pol->reject_unknown)
|
||||
goto err;
|
||||
p_out->num_perms = 0;
|
||||
print_unknown_handle = true;
|
||||
continue;
|
||||
}
|
||||
|
||||
k = 0;
|
||||
while (p_in->perms && p_in->perms[k]) {
|
||||
/* An empty permission string skips ahead */
|
||||
if (!*p_in->perms[k]) {
|
||||
k++;
|
||||
continue;
|
||||
}
|
||||
p_out->perms[k] = string_to_av_perm(pol, p_out->value,
|
||||
p_in->perms[k]);
|
||||
if (!p_out->perms[k]) {
|
||||
printk(KERN_INFO
|
||||
"SELinux: Permission %s in class %s not defined in policy.\n",
|
||||
p_in->perms[k], p_in->name);
|
||||
if (pol->reject_unknown)
|
||||
goto err;
|
||||
print_unknown_handle = true;
|
||||
}
|
||||
|
||||
k++;
|
||||
}
|
||||
p_out->num_perms = k;
|
||||
}
|
||||
|
||||
if (print_unknown_handle)
|
||||
printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
|
||||
pol->allow_unknown ? "allowed" : "denied");
|
||||
|
||||
*out_map_p = out_map;
|
||||
*out_map_size = i;
|
||||
return 0;
|
||||
err:
|
||||
kfree(out_map);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Get real, policy values from mapped values
|
||||
*/
|
||||
|
||||
static u16 unmap_class(u16 tclass)
|
||||
{
|
||||
if (tclass < current_mapping_size)
|
||||
return current_mapping[tclass].value;
|
||||
|
||||
return tclass;
|
||||
}
|
||||
|
||||
static u32 unmap_perm(u16 tclass, u32 tperm)
|
||||
{
|
||||
if (tclass < current_mapping_size) {
|
||||
unsigned i;
|
||||
u32 kperm = 0;
|
||||
|
||||
for (i = 0; i < current_mapping[tclass].num_perms; i++)
|
||||
if (tperm & (1<<i)) {
|
||||
kperm |= current_mapping[tclass].perms[i];
|
||||
tperm &= ~(1<<i);
|
||||
}
|
||||
return kperm;
|
||||
}
|
||||
|
||||
return tperm;
|
||||
}
|
||||
|
||||
static void map_decision(u16 tclass, struct av_decision *avd,
|
||||
int allow_unknown)
|
||||
{
|
||||
if (tclass < current_mapping_size) {
|
||||
unsigned i, n = current_mapping[tclass].num_perms;
|
||||
u32 result;
|
||||
|
||||
for (i = 0, result = 0; i < n; i++) {
|
||||
if (avd->allowed & current_mapping[tclass].perms[i])
|
||||
result |= 1<<i;
|
||||
if (allow_unknown && !current_mapping[tclass].perms[i])
|
||||
result |= 1<<i;
|
||||
}
|
||||
avd->allowed = result;
|
||||
|
||||
for (i = 0, result = 0; i < n; i++)
|
||||
if (avd->auditallow & current_mapping[tclass].perms[i])
|
||||
result |= 1<<i;
|
||||
avd->auditallow = result;
|
||||
|
||||
for (i = 0, result = 0; i < n; i++) {
|
||||
if (avd->auditdeny & current_mapping[tclass].perms[i])
|
||||
result |= 1<<i;
|
||||
if (!allow_unknown && !current_mapping[tclass].perms[i])
|
||||
result |= 1<<i;
|
||||
}
|
||||
/*
|
||||
* In case the kernel has a bug and requests a permission
|
||||
* between num_perms and the maximum permission number, we
|
||||
* should audit that denial
|
||||
*/
|
||||
for (; i < (sizeof(u32)*8); i++)
|
||||
result |= 1<<i;
|
||||
avd->auditdeny = result;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Return the boolean value of a constraint expression
|
||||
* when it is applied to the specified source and target
|
||||
@ -467,20 +620,8 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
struct class_datum *tclass_datum;
|
||||
struct ebitmap *sattr, *tattr;
|
||||
struct ebitmap_node *snode, *tnode;
|
||||
const struct selinux_class_perm *kdefs = &selinux_class_perm;
|
||||
unsigned int i, j;
|
||||
|
||||
/*
|
||||
* Remap extended Netlink classes for old policy versions.
|
||||
* Do this here rather than socket_type_to_security_class()
|
||||
* in case a newer policy version is loaded, allowing sockets
|
||||
* to remain in the correct class.
|
||||
*/
|
||||
if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
|
||||
if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
|
||||
tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
|
||||
tclass = SECCLASS_NETLINK_SOCKET;
|
||||
|
||||
/*
|
||||
* Initialize the access vectors to the default values.
|
||||
*/
|
||||
@ -490,33 +631,11 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
avd->seqno = latest_granting;
|
||||
avd->flags = 0;
|
||||
|
||||
/*
|
||||
* Check for all the invalid cases.
|
||||
* - tclass 0
|
||||
* - tclass > policy and > kernel
|
||||
* - tclass > policy but is a userspace class
|
||||
* - tclass > policy but we do not allow unknowns
|
||||
*/
|
||||
if (unlikely(!tclass))
|
||||
goto inval_class;
|
||||
if (unlikely(tclass > policydb.p_classes.nprim))
|
||||
if (tclass > kdefs->cts_len ||
|
||||
!kdefs->class_to_string[tclass] ||
|
||||
!policydb.allow_unknown)
|
||||
goto inval_class;
|
||||
|
||||
/*
|
||||
* Kernel class and we allow unknown so pad the allow decision
|
||||
* the pad will be all 1 for unknown classes.
|
||||
*/
|
||||
if (tclass <= kdefs->cts_len && policydb.allow_unknown)
|
||||
avd->allowed = policydb.undefined_perms[tclass - 1];
|
||||
|
||||
/*
|
||||
* Not in policy. Since decision is completed (all 1 or all 0) return.
|
||||
*/
|
||||
if (unlikely(tclass > policydb.p_classes.nprim))
|
||||
return 0;
|
||||
if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
|
||||
if (printk_ratelimit())
|
||||
printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
tclass_datum = policydb.class_val_to_struct[tclass - 1];
|
||||
|
||||
@ -568,8 +687,8 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
* role is changing, then check the (current_role, new_role)
|
||||
* pair.
|
||||
*/
|
||||
if (tclass == SECCLASS_PROCESS &&
|
||||
(avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
|
||||
if (tclass == policydb.process_class &&
|
||||
(avd->allowed & policydb.process_trans_perms) &&
|
||||
scontext->role != tcontext->role) {
|
||||
for (ra = policydb.role_allow; ra; ra = ra->next) {
|
||||
if (scontext->role == ra->role &&
|
||||
@ -577,8 +696,7 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
break;
|
||||
}
|
||||
if (!ra)
|
||||
avd->allowed &= ~(PROCESS__TRANSITION |
|
||||
PROCESS__DYNTRANSITION);
|
||||
avd->allowed &= ~policydb.process_trans_perms;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -590,21 +708,6 @@ static int context_struct_compute_av(struct context *scontext,
|
||||
tclass, requested, avd);
|
||||
|
||||
return 0;
|
||||
|
||||
inval_class:
|
||||
if (!tclass || tclass > kdefs->cts_len ||
|
||||
!kdefs->class_to_string[tclass]) {
|
||||
if (printk_ratelimit())
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
|
||||
__func__, tclass);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Known to the kernel, but not to the policy.
|
||||
* Handle as a denial (allowed is 0).
|
||||
*/
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int security_validtrans_handle_fail(struct context *ocontext,
|
||||
@ -636,13 +739,14 @@ out:
|
||||
}
|
||||
|
||||
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
||||
u16 tclass)
|
||||
u16 orig_tclass)
|
||||
{
|
||||
struct context *ocontext;
|
||||
struct context *ncontext;
|
||||
struct context *tcontext;
|
||||
struct class_datum *tclass_datum;
|
||||
struct constraint_node *constraint;
|
||||
u16 tclass;
|
||||
int rc = 0;
|
||||
|
||||
if (!ss_initialized)
|
||||
@ -650,16 +754,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
|
||||
|
||||
read_lock(&policy_rwlock);
|
||||
|
||||
/*
|
||||
* Remap extended Netlink classes for old policy versions.
|
||||
* Do this here rather than socket_type_to_security_class()
|
||||
* in case a newer policy version is loaded, allowing sockets
|
||||
* to remain in the correct class.
|
||||
*/
|
||||
if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
|
||||
if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
|
||||
tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
|
||||
tclass = SECCLASS_NETLINK_SOCKET;
|
||||
tclass = unmap_class(orig_tclass);
|
||||
|
||||
if (!tclass || tclass > policydb.p_classes.nprim) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
|
||||
@ -792,6 +887,38 @@ out:
|
||||
}
|
||||
|
||||
|
||||
static int security_compute_av_core(u32 ssid,
|
||||
u32 tsid,
|
||||
u16 tclass,
|
||||
u32 requested,
|
||||
struct av_decision *avd)
|
||||
{
|
||||
struct context *scontext = NULL, *tcontext = NULL;
|
||||
int rc = 0;
|
||||
|
||||
scontext = sidtab_search(&sidtab, ssid);
|
||||
if (!scontext) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, ssid);
|
||||
return -EINVAL;
|
||||
}
|
||||
tcontext = sidtab_search(&sidtab, tsid);
|
||||
if (!tcontext) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, tsid);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
requested, avd);
|
||||
|
||||
/* permissive domain? */
|
||||
if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
|
||||
avd->flags |= AVD_FLAGS_PERMISSIVE;
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
/**
|
||||
* security_compute_av - Compute access vector decisions.
|
||||
* @ssid: source security identifier
|
||||
@ -807,12 +934,49 @@ out:
|
||||
*/
|
||||
int security_compute_av(u32 ssid,
|
||||
u32 tsid,
|
||||
u16 tclass,
|
||||
u32 requested,
|
||||
u16 orig_tclass,
|
||||
u32 orig_requested,
|
||||
struct av_decision *avd)
|
||||
{
|
||||
struct context *scontext = NULL, *tcontext = NULL;
|
||||
int rc = 0;
|
||||
u16 tclass;
|
||||
u32 requested;
|
||||
int rc;
|
||||
|
||||
read_lock(&policy_rwlock);
|
||||
|
||||
if (!ss_initialized)
|
||||
goto allow;
|
||||
|
||||
requested = unmap_perm(orig_tclass, orig_requested);
|
||||
tclass = unmap_class(orig_tclass);
|
||||
if (unlikely(orig_tclass && !tclass)) {
|
||||
if (policydb.allow_unknown)
|
||||
goto allow;
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
|
||||
map_decision(orig_tclass, avd, policydb.allow_unknown);
|
||||
out:
|
||||
read_unlock(&policy_rwlock);
|
||||
return rc;
|
||||
allow:
|
||||
avd->allowed = 0xffffffff;
|
||||
avd->auditallow = 0;
|
||||
avd->auditdeny = 0xffffffff;
|
||||
avd->seqno = latest_granting;
|
||||
avd->flags = 0;
|
||||
rc = 0;
|
||||
goto out;
|
||||
}
|
||||
|
||||
int security_compute_av_user(u32 ssid,
|
||||
u32 tsid,
|
||||
u16 tclass,
|
||||
u32 requested,
|
||||
struct av_decision *avd)
|
||||
{
|
||||
int rc;
|
||||
|
||||
if (!ss_initialized) {
|
||||
avd->allowed = 0xffffffff;
|
||||
@ -823,29 +987,7 @@ int security_compute_av(u32 ssid,
|
||||
}
|
||||
|
||||
read_lock(&policy_rwlock);
|
||||
|
||||
scontext = sidtab_search(&sidtab, ssid);
|
||||
if (!scontext) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, ssid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
tcontext = sidtab_search(&sidtab, tsid);
|
||||
if (!tcontext) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
__func__, tsid);
|
||||
rc = -EINVAL;
|
||||
goto out;
|
||||
}
|
||||
|
||||
rc = context_struct_compute_av(scontext, tcontext, tclass,
|
||||
requested, avd);
|
||||
|
||||
/* permissive domain? */
|
||||
if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
|
||||
avd->flags |= AVD_FLAGS_PERMISSIVE;
|
||||
out:
|
||||
rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
|
||||
read_unlock(&policy_rwlock);
|
||||
return rc;
|
||||
}
|
||||
@ -1204,20 +1346,22 @@ out:
|
||||
|
||||
static int security_compute_sid(u32 ssid,
|
||||
u32 tsid,
|
||||
u16 tclass,
|
||||
u16 orig_tclass,
|
||||
u32 specified,
|
||||
u32 *out_sid)
|
||||
u32 *out_sid,
|
||||
bool kern)
|
||||
{
|
||||
struct context *scontext = NULL, *tcontext = NULL, newcontext;
|
||||
struct role_trans *roletr = NULL;
|
||||
struct avtab_key avkey;
|
||||
struct avtab_datum *avdatum;
|
||||
struct avtab_node *node;
|
||||
u16 tclass;
|
||||
int rc = 0;
|
||||
|
||||
if (!ss_initialized) {
|
||||
switch (tclass) {
|
||||
case SECCLASS_PROCESS:
|
||||
switch (orig_tclass) {
|
||||
case SECCLASS_PROCESS: /* kernel value */
|
||||
*out_sid = ssid;
|
||||
break;
|
||||
default:
|
||||
@ -1231,6 +1375,11 @@ static int security_compute_sid(u32 ssid,
|
||||
|
||||
read_lock(&policy_rwlock);
|
||||
|
||||
if (kern)
|
||||
tclass = unmap_class(orig_tclass);
|
||||
else
|
||||
tclass = orig_tclass;
|
||||
|
||||
scontext = sidtab_search(&sidtab, ssid);
|
||||
if (!scontext) {
|
||||
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
|
||||
@ -1260,13 +1409,11 @@ static int security_compute_sid(u32 ssid,
|
||||
}
|
||||
|
||||
/* Set the role and type to default values. */
|
||||
switch (tclass) {
|
||||
case SECCLASS_PROCESS:
|
||||
if (tclass == policydb.process_class) {
|
||||
/* Use the current role and type of process. */
|
||||
newcontext.role = scontext->role;
|
||||
newcontext.type = scontext->type;
|
||||
break;
|
||||
default:
|
||||
} else {
|
||||
/* Use the well-defined object role. */
|
||||
newcontext.role = OBJECT_R_VAL;
|
||||
/* Use the type of the related object. */
|
||||
@ -1297,8 +1444,7 @@ static int security_compute_sid(u32 ssid,
|
||||
}
|
||||
|
||||
/* Check for class-specific changes. */
|
||||
switch (tclass) {
|
||||
case SECCLASS_PROCESS:
|
||||
if (tclass == policydb.process_class) {
|
||||
if (specified & AVTAB_TRANSITION) {
|
||||
/* Look for a role transition rule. */
|
||||
for (roletr = policydb.role_tr; roletr;
|
||||
@ -1311,9 +1457,6 @@ static int security_compute_sid(u32 ssid,
|
||||
}
|
||||
}
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
/* Set the MLS attributes.
|
||||
@ -1358,7 +1501,17 @@ int security_transition_sid(u32 ssid,
|
||||
u16 tclass,
|
||||
u32 *out_sid)
|
||||
{
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
|
||||
out_sid, true);
|
||||
}
|
||||
|
||||
int security_transition_sid_user(u32 ssid,
|
||||
u32 tsid,
|
||||
u16 tclass,
|
||||
u32 *out_sid)
|
||||
{
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
|
||||
out_sid, false);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1379,7 +1532,8 @@ int security_member_sid(u32 ssid,
|
||||
u16 tclass,
|
||||
u32 *out_sid)
|
||||
{
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
|
||||
false);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1400,144 +1554,8 @@ int security_change_sid(u32 ssid,
|
||||
u16 tclass,
|
||||
u32 *out_sid)
|
||||
{
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
|
||||
}
|
||||
|
||||
/*
|
||||
* Verify that each kernel class that is defined in the
|
||||
* policy is correct
|
||||
*/
|
||||
static int validate_classes(struct policydb *p)
|
||||
{
|
||||
int i, j;
|
||||
struct class_datum *cladatum;
|
||||
struct perm_datum *perdatum;
|
||||
u32 nprim, tmp, common_pts_len, perm_val, pol_val;
|
||||
u16 class_val;
|
||||
const struct selinux_class_perm *kdefs = &selinux_class_perm;
|
||||
const char *def_class, *def_perm, *pol_class;
|
||||
struct symtab *perms;
|
||||
bool print_unknown_handle = 0;
|
||||
|
||||
if (p->allow_unknown) {
|
||||
u32 num_classes = kdefs->cts_len;
|
||||
p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
|
||||
if (!p->undefined_perms)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
for (i = 1; i < kdefs->cts_len; i++) {
|
||||
def_class = kdefs->class_to_string[i];
|
||||
if (!def_class)
|
||||
continue;
|
||||
if (i > p->p_classes.nprim) {
|
||||
printk(KERN_INFO
|
||||
"SELinux: class %s not defined in policy\n",
|
||||
def_class);
|
||||
if (p->reject_unknown)
|
||||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[i-1] = ~0U;
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
pol_class = p->p_class_val_to_name[i-1];
|
||||
if (strcmp(pol_class, def_class)) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: class %d is incorrect, found %s but should be %s\n",
|
||||
i, pol_class, def_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
for (i = 0; i < kdefs->av_pts_len; i++) {
|
||||
class_val = kdefs->av_perm_to_string[i].tclass;
|
||||
perm_val = kdefs->av_perm_to_string[i].value;
|
||||
def_perm = kdefs->av_perm_to_string[i].name;
|
||||
if (class_val > p->p_classes.nprim)
|
||||
continue;
|
||||
pol_class = p->p_class_val_to_name[class_val-1];
|
||||
cladatum = hashtab_search(p->p_classes.table, pol_class);
|
||||
BUG_ON(!cladatum);
|
||||
perms = &cladatum->permissions;
|
||||
nprim = 1 << (perms->nprim - 1);
|
||||
if (perm_val > nprim) {
|
||||
printk(KERN_INFO
|
||||
"SELinux: permission %s in class %s not defined in policy\n",
|
||||
def_perm, pol_class);
|
||||
if (p->reject_unknown)
|
||||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[class_val-1] |= perm_val;
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
perdatum = hashtab_search(perms->table, def_perm);
|
||||
if (perdatum == NULL) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: permission %s in class %s not found in policy, bad policy\n",
|
||||
def_perm, pol_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
pol_val = 1 << (perdatum->value - 1);
|
||||
if (pol_val != perm_val) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: permission %s in class %s has incorrect value\n",
|
||||
def_perm, pol_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
for (i = 0; i < kdefs->av_inherit_len; i++) {
|
||||
class_val = kdefs->av_inherit[i].tclass;
|
||||
if (class_val > p->p_classes.nprim)
|
||||
continue;
|
||||
pol_class = p->p_class_val_to_name[class_val-1];
|
||||
cladatum = hashtab_search(p->p_classes.table, pol_class);
|
||||
BUG_ON(!cladatum);
|
||||
if (!cladatum->comdatum) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: class %s should have an inherits clause but does not\n",
|
||||
pol_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
tmp = kdefs->av_inherit[i].common_base;
|
||||
common_pts_len = 0;
|
||||
while (!(tmp & 0x01)) {
|
||||
common_pts_len++;
|
||||
tmp >>= 1;
|
||||
}
|
||||
perms = &cladatum->comdatum->permissions;
|
||||
for (j = 0; j < common_pts_len; j++) {
|
||||
def_perm = kdefs->av_inherit[i].common_pts[j];
|
||||
if (j >= perms->nprim) {
|
||||
printk(KERN_INFO
|
||||
"SELinux: permission %s in class %s not defined in policy\n",
|
||||
def_perm, pol_class);
|
||||
if (p->reject_unknown)
|
||||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[class_val-1] |= (1 << j);
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
perdatum = hashtab_search(perms->table, def_perm);
|
||||
if (perdatum == NULL) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: permission %s in class %s not found in policy, bad policy\n",
|
||||
def_perm, pol_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
if (perdatum->value != j + 1) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: permission %s in class %s has incorrect value\n",
|
||||
def_perm, pol_class);
|
||||
return -EINVAL;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (print_unknown_handle)
|
||||
printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
|
||||
(security_get_allow_unknown() ? "allowed" : "denied"));
|
||||
return 0;
|
||||
return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
|
||||
false);
|
||||
}
|
||||
|
||||
/* Clone the SID into the new SID table. */
|
||||
@ -1710,8 +1728,10 @@ int security_load_policy(void *data, size_t len)
|
||||
{
|
||||
struct policydb oldpolicydb, newpolicydb;
|
||||
struct sidtab oldsidtab, newsidtab;
|
||||
struct selinux_mapping *oldmap, *map = NULL;
|
||||
struct convert_context_args args;
|
||||
u32 seqno;
|
||||
u16 map_size;
|
||||
int rc = 0;
|
||||
struct policy_file file = { data, len }, *fp = &file;
|
||||
|
||||
@ -1721,22 +1741,19 @@ int security_load_policy(void *data, size_t len)
|
||||
avtab_cache_destroy();
|
||||
return -EINVAL;
|
||||
}
|
||||
if (selinux_set_mapping(&policydb, secclass_map,
|
||||
¤t_mapping,
|
||||
¤t_mapping_size)) {
|
||||
policydb_destroy(&policydb);
|
||||
avtab_cache_destroy();
|
||||
return -EINVAL;
|
||||
}
|
||||
if (policydb_load_isids(&policydb, &sidtab)) {
|
||||
policydb_destroy(&policydb);
|
||||
avtab_cache_destroy();
|
||||
return -EINVAL;
|
||||
}
|
||||
/* Verify that the kernel defined classes are correct. */
|
||||
if (validate_classes(&policydb)) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: the definition of a class is incorrect\n");
|
||||
sidtab_destroy(&sidtab);
|
||||
policydb_destroy(&policydb);
|
||||
avtab_cache_destroy();
|
||||
return -EINVAL;
|
||||
}
|
||||
security_load_policycaps();
|
||||
policydb_loaded_version = policydb.policyvers;
|
||||
ss_initialized = 1;
|
||||
seqno = ++latest_granting;
|
||||
selinux_complete_init();
|
||||
@ -1759,13 +1776,9 @@ int security_load_policy(void *data, size_t len)
|
||||
return -ENOMEM;
|
||||
}
|
||||
|
||||
/* Verify that the kernel defined classes are correct. */
|
||||
if (validate_classes(&newpolicydb)) {
|
||||
printk(KERN_ERR
|
||||
"SELinux: the definition of a class is incorrect\n");
|
||||
rc = -EINVAL;
|
||||
if (selinux_set_mapping(&newpolicydb, secclass_map,
|
||||
&map, &map_size))
|
||||
goto err;
|
||||
}
|
||||
|
||||
rc = security_preserve_bools(&newpolicydb);
|
||||
if (rc) {
|
||||
@ -1799,13 +1812,16 @@ int security_load_policy(void *data, size_t len)
|
||||
memcpy(&policydb, &newpolicydb, sizeof policydb);
|
||||
sidtab_set(&sidtab, &newsidtab);
|
||||
security_load_policycaps();
|
||||
oldmap = current_mapping;
|
||||
current_mapping = map;
|
||||
current_mapping_size = map_size;
|
||||
seqno = ++latest_granting;
|
||||
policydb_loaded_version = policydb.policyvers;
|
||||
write_unlock_irq(&policy_rwlock);
|
||||
|
||||
/* Free the old policydb and SID table. */
|
||||
policydb_destroy(&oldpolicydb);
|
||||
sidtab_destroy(&oldsidtab);
|
||||
kfree(oldmap);
|
||||
|
||||
avc_ss_reset(seqno);
|
||||
selnl_notify_policyload(seqno);
|
||||
@ -1815,6 +1831,7 @@ int security_load_policy(void *data, size_t len)
|
||||
return 0;
|
||||
|
||||
err:
|
||||
kfree(map);
|
||||
sidtab_destroy(&newsidtab);
|
||||
policydb_destroy(&newpolicydb);
|
||||
return rc;
|
||||
@ -2091,7 +2108,7 @@ out_unlock:
|
||||
}
|
||||
for (i = 0, j = 0; i < mynel; i++) {
|
||||
rc = avc_has_perm_noaudit(fromsid, mysids[i],
|
||||
SECCLASS_PROCESS,
|
||||
SECCLASS_PROCESS, /* kernel value */
|
||||
PROCESS__TRANSITION, AVC_STRICT,
|
||||
NULL);
|
||||
if (!rc)
|
||||
@ -2119,10 +2136,11 @@ out:
|
||||
*/
|
||||
int security_genfs_sid(const char *fstype,
|
||||
char *path,
|
||||
u16 sclass,
|
||||
u16 orig_sclass,
|
||||
u32 *sid)
|
||||
{
|
||||
int len;
|
||||
u16 sclass;
|
||||
struct genfs *genfs;
|
||||
struct ocontext *c;
|
||||
int rc = 0, cmp = 0;
|
||||
@ -2132,6 +2150,8 @@ int security_genfs_sid(const char *fstype,
|
||||
|
||||
read_lock(&policy_rwlock);
|
||||
|
||||
sclass = unmap_class(orig_sclass);
|
||||
|
||||
for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
|
||||
cmp = strcmp(fstype, genfs->fstype);
|
||||
if (cmp <= 0)
|
||||
|
@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
||||
const s8 pattern_type, const s8 end_type,
|
||||
const char *function)
|
||||
{
|
||||
const char *const start = filename;
|
||||
bool in_repetition = false;
|
||||
bool contains_pattern = false;
|
||||
unsigned char c;
|
||||
unsigned char d;
|
||||
@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
||||
if (c == '/')
|
||||
goto out;
|
||||
}
|
||||
while ((c = *filename++) != '\0') {
|
||||
while (1) {
|
||||
c = *filename++;
|
||||
if (!c)
|
||||
break;
|
||||
if (c == '\\') {
|
||||
switch ((c = *filename++)) {
|
||||
c = *filename++;
|
||||
switch (c) {
|
||||
case '\\': /* "\\" */
|
||||
continue;
|
||||
case '$': /* "\$" */
|
||||
@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
||||
break; /* Must not contain pattern */
|
||||
contains_pattern = true;
|
||||
continue;
|
||||
case '{': /* "/\{" */
|
||||
if (filename - 3 < start ||
|
||||
*(filename - 3) != '/')
|
||||
break;
|
||||
if (pattern_type == -1)
|
||||
break; /* Must not contain pattern */
|
||||
contains_pattern = true;
|
||||
in_repetition = true;
|
||||
continue;
|
||||
case '}': /* "\}/" */
|
||||
if (*filename != '/')
|
||||
break;
|
||||
if (!in_repetition)
|
||||
break;
|
||||
in_repetition = false;
|
||||
continue;
|
||||
case '0': /* "\ooo" */
|
||||
case '1':
|
||||
case '2':
|
||||
@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
||||
continue; /* pattern is not \000 */
|
||||
}
|
||||
goto out;
|
||||
} else if (in_repetition && c == '/') {
|
||||
goto out;
|
||||
} else if (tomoyo_is_invalid(c)) {
|
||||
goto out;
|
||||
}
|
||||
@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
|
||||
if (!contains_pattern)
|
||||
goto out;
|
||||
}
|
||||
if (in_repetition)
|
||||
goto out;
|
||||
return true;
|
||||
out:
|
||||
printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
|
||||
@ -359,33 +385,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_path_depth - Evaluate the number of '/' in a string.
|
||||
*
|
||||
* @pathname: The string to evaluate.
|
||||
*
|
||||
* Returns path depth of the string.
|
||||
*
|
||||
* I score 2 for each of the '/' in the @pathname
|
||||
* and score 1 if the @pathname ends with '/'.
|
||||
*/
|
||||
static int tomoyo_path_depth(const char *pathname)
|
||||
{
|
||||
int i = 0;
|
||||
|
||||
if (pathname) {
|
||||
const char *ep = pathname + strlen(pathname);
|
||||
if (pathname < ep--) {
|
||||
if (*ep != '/')
|
||||
i++;
|
||||
while (pathname <= ep)
|
||||
if (*ep-- == '/')
|
||||
i += 2;
|
||||
}
|
||||
}
|
||||
return i;
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
|
||||
*
|
||||
@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
|
||||
ptr->is_dir = len && (name[len - 1] == '/');
|
||||
ptr->is_patterned = (ptr->const_len < len);
|
||||
ptr->hash = full_name_hash(name, len);
|
||||
ptr->depth = tomoyo_path_depth(name);
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character
|
||||
* tomoyo_file_matches_pattern2 - Pattern matching without '/' character
|
||||
* and "\-" pattern.
|
||||
*
|
||||
* @filename: The start of string to check.
|
||||
@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
|
||||
*
|
||||
* Returns true if @filename matches @pattern, false otherwise.
|
||||
*/
|
||||
static bool tomoyo_file_matches_to_pattern2(const char *filename,
|
||||
const char *filename_end,
|
||||
const char *pattern,
|
||||
const char *pattern_end)
|
||||
static bool tomoyo_file_matches_pattern2(const char *filename,
|
||||
const char *filename_end,
|
||||
const char *pattern,
|
||||
const char *pattern_end)
|
||||
{
|
||||
while (filename < filename_end && pattern < pattern_end) {
|
||||
char c;
|
||||
@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
|
||||
case '*':
|
||||
case '@':
|
||||
for (i = 0; i <= filename_end - filename; i++) {
|
||||
if (tomoyo_file_matches_to_pattern2(
|
||||
if (tomoyo_file_matches_pattern2(
|
||||
filename + i, filename_end,
|
||||
pattern + 1, pattern_end))
|
||||
return true;
|
||||
@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
|
||||
j++;
|
||||
}
|
||||
for (i = 1; i <= j; i++) {
|
||||
if (tomoyo_file_matches_to_pattern2(
|
||||
if (tomoyo_file_matches_pattern2(
|
||||
filename + i, filename_end,
|
||||
pattern + 1, pattern_end))
|
||||
return true;
|
||||
@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_file_matches_to_pattern - Pattern matching without without '/' character.
|
||||
* tomoyo_file_matches_pattern - Pattern matching without without '/' character.
|
||||
*
|
||||
* @filename: The start of string to check.
|
||||
* @filename_end: The end of string to check.
|
||||
@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
|
||||
*
|
||||
* Returns true if @filename matches @pattern, false otherwise.
|
||||
*/
|
||||
static bool tomoyo_file_matches_to_pattern(const char *filename,
|
||||
static bool tomoyo_file_matches_pattern(const char *filename,
|
||||
const char *filename_end,
|
||||
const char *pattern,
|
||||
const char *pattern_end)
|
||||
@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
|
||||
/* Split at "\-" pattern. */
|
||||
if (*pattern++ != '\\' || *pattern++ != '-')
|
||||
continue;
|
||||
result = tomoyo_file_matches_to_pattern2(filename,
|
||||
filename_end,
|
||||
pattern_start,
|
||||
pattern - 2);
|
||||
result = tomoyo_file_matches_pattern2(filename,
|
||||
filename_end,
|
||||
pattern_start,
|
||||
pattern - 2);
|
||||
if (first)
|
||||
result = !result;
|
||||
if (result)
|
||||
@ -600,64 +598,35 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
|
||||
first = false;
|
||||
pattern_start = pattern;
|
||||
}
|
||||
result = tomoyo_file_matches_to_pattern2(filename, filename_end,
|
||||
pattern_start, pattern_end);
|
||||
result = tomoyo_file_matches_pattern2(filename, filename_end,
|
||||
pattern_start, pattern_end);
|
||||
return first ? result : !result;
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
|
||||
* @filename: The filename to check.
|
||||
* @pattern: The pattern to compare.
|
||||
* tomoyo_path_matches_pattern2 - Do pathname pattern matching.
|
||||
*
|
||||
* Returns true if matches, false otherwise.
|
||||
* @f: The start of string to check.
|
||||
* @p: The start of pattern to compare.
|
||||
*
|
||||
* The following patterns are available.
|
||||
* \\ \ itself.
|
||||
* \ooo Octal representation of a byte.
|
||||
* \* More than or equals to 0 character other than '/'.
|
||||
* \@ More than or equals to 0 character other than '/' or '.'.
|
||||
* \? 1 byte character other than '/'.
|
||||
* \$ More than or equals to 1 decimal digit.
|
||||
* \+ 1 decimal digit.
|
||||
* \X More than or equals to 1 hexadecimal digit.
|
||||
* \x 1 hexadecimal digit.
|
||||
* \A More than or equals to 1 alphabet character.
|
||||
* \a 1 alphabet character.
|
||||
* \- Subtraction operator.
|
||||
* Returns true if @f matches @p, false otherwise.
|
||||
*/
|
||||
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
|
||||
const struct tomoyo_path_info *pattern)
|
||||
static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
|
||||
{
|
||||
/*
|
||||
if (!filename || !pattern)
|
||||
return false;
|
||||
*/
|
||||
const char *f = filename->name;
|
||||
const char *p = pattern->name;
|
||||
const int len = pattern->const_len;
|
||||
const char *f_delimiter;
|
||||
const char *p_delimiter;
|
||||
|
||||
/* If @pattern doesn't contain pattern, I can use strcmp(). */
|
||||
if (!pattern->is_patterned)
|
||||
return !tomoyo_pathcmp(filename, pattern);
|
||||
/* Dont compare if the number of '/' differs. */
|
||||
if (filename->depth != pattern->depth)
|
||||
return false;
|
||||
/* Compare the initial length without patterns. */
|
||||
if (strncmp(f, p, len))
|
||||
return false;
|
||||
f += len;
|
||||
p += len;
|
||||
/* Main loop. Compare each directory component. */
|
||||
while (*f && *p) {
|
||||
const char *f_delimiter = strchr(f, '/');
|
||||
const char *p_delimiter = strchr(p, '/');
|
||||
f_delimiter = strchr(f, '/');
|
||||
if (!f_delimiter)
|
||||
f_delimiter = f + strlen(f);
|
||||
p_delimiter = strchr(p, '/');
|
||||
if (!p_delimiter)
|
||||
p_delimiter = p + strlen(p);
|
||||
if (!tomoyo_file_matches_to_pattern(f, f_delimiter,
|
||||
p, p_delimiter))
|
||||
if (*p == '\\' && *(p + 1) == '{')
|
||||
goto recursive;
|
||||
if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
|
||||
p_delimiter))
|
||||
return false;
|
||||
f = f_delimiter;
|
||||
if (*f)
|
||||
@ -671,6 +640,79 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
|
||||
(*(p + 1) == '*' || *(p + 1) == '@'))
|
||||
p += 2;
|
||||
return !*f && !*p;
|
||||
recursive:
|
||||
/*
|
||||
* The "\{" pattern is permitted only after '/' character.
|
||||
* This guarantees that below "*(p - 1)" is safe.
|
||||
* Also, the "\}" pattern is permitted only before '/' character
|
||||
* so that "\{" + "\}" pair will not break the "\-" operator.
|
||||
*/
|
||||
if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
|
||||
*(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
|
||||
return false; /* Bad pattern. */
|
||||
do {
|
||||
/* Compare current component with pattern. */
|
||||
if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
|
||||
p_delimiter - 2))
|
||||
break;
|
||||
/* Proceed to next component. */
|
||||
f = f_delimiter;
|
||||
if (!*f)
|
||||
break;
|
||||
f++;
|
||||
/* Continue comparison. */
|
||||
if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
|
||||
return true;
|
||||
f_delimiter = strchr(f, '/');
|
||||
} while (f_delimiter);
|
||||
return false; /* Not matched. */
|
||||
}
|
||||
|
||||
/**
|
||||
* tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
|
||||
*
|
||||
* @filename: The filename to check.
|
||||
* @pattern: The pattern to compare.
|
||||
*
|
||||
* Returns true if matches, false otherwise.
|
||||
*
|
||||
* The following patterns are available.
|
||||
* \\ \ itself.
|
||||
* \ooo Octal representation of a byte.
|
||||
* \* Zero or more repetitions of characters other than '/'.
|
||||
* \@ Zero or more repetitions of characters other than '/' or '.'.
|
||||
* \? 1 byte character other than '/'.
|
||||
* \$ One or more repetitions of decimal digits.
|
||||
* \+ 1 decimal digit.
|
||||
* \X One or more repetitions of hexadecimal digits.
|
||||
* \x 1 hexadecimal digit.
|
||||
* \A One or more repetitions of alphabet characters.
|
||||
* \a 1 alphabet character.
|
||||
*
|
||||
* \- Subtraction operator.
|
||||
*
|
||||
* /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
|
||||
* /dir/dir/dir/ ).
|
||||
*/
|
||||
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
|
||||
const struct tomoyo_path_info *pattern)
|
||||
{
|
||||
const char *f = filename->name;
|
||||
const char *p = pattern->name;
|
||||
const int len = pattern->const_len;
|
||||
|
||||
/* If @pattern doesn't contain pattern, I can use strcmp(). */
|
||||
if (!pattern->is_patterned)
|
||||
return !tomoyo_pathcmp(filename, pattern);
|
||||
/* Don't compare directory and non-directory. */
|
||||
if (filename->is_dir != pattern->is_dir)
|
||||
return false;
|
||||
/* Compare the initial length without patterns. */
|
||||
if (strncmp(f, p, len))
|
||||
return false;
|
||||
f += len;
|
||||
p += len;
|
||||
return tomoyo_path_matches_pattern2(f, p);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -56,9 +56,6 @@ struct tomoyo_page_buffer {
|
||||
* (5) "is_patterned" is a bool which is true if "name" contains wildcard
|
||||
* characters, false otherwise. This allows TOMOYO to use "hash" and
|
||||
* strcmp() for string comparison if "is_patterned" is false.
|
||||
* (6) "depth" is calculated using the number of "/" characters in "name".
|
||||
* This allows TOMOYO to avoid comparing two pathnames which never match
|
||||
* (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
|
||||
*/
|
||||
struct tomoyo_path_info {
|
||||
const char *name;
|
||||
@ -66,7 +63,6 @@ struct tomoyo_path_info {
|
||||
u16 const_len; /* = tomoyo_const_part_length(name) */
|
||||
bool is_dir; /* = tomoyo_strendswith(name, "/") */
|
||||
bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
|
||||
u16 depth; /* = tomoyo_path_depth(name) */
|
||||
};
|
||||
|
||||
/*
|
||||
|
@ -13,6 +13,8 @@
|
||||
#include <linux/mount.h>
|
||||
#include <linux/mnt_namespace.h>
|
||||
#include <linux/fs_struct.h>
|
||||
#include <linux/hash.h>
|
||||
|
||||
#include "common.h"
|
||||
#include "realpath.h"
|
||||
|
||||
@ -263,7 +265,8 @@ static unsigned int tomoyo_quota_for_savename;
|
||||
* table. Frequency of appending strings is very low. So we don't need
|
||||
* large (e.g. 64k) hash size. 256 will be sufficient.
|
||||
*/
|
||||
#define TOMOYO_MAX_HASH 256
|
||||
#define TOMOYO_HASH_BITS 8
|
||||
#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
|
||||
|
||||
/*
|
||||
* tomoyo_name_entry is a structure which is used for linking
|
||||
@ -315,6 +318,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
|
||||
struct tomoyo_free_memory_block_list *fmb;
|
||||
int len;
|
||||
char *cp;
|
||||
struct list_head *head;
|
||||
|
||||
if (!name)
|
||||
return NULL;
|
||||
@ -325,9 +329,10 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
|
||||
return NULL;
|
||||
}
|
||||
hash = full_name_hash((const unsigned char *) name, len - 1);
|
||||
head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];
|
||||
|
||||
mutex_lock(&lock);
|
||||
list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH],
|
||||
list) {
|
||||
list_for_each_entry(ptr, head, list) {
|
||||
if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name))
|
||||
goto out;
|
||||
}
|
||||
@ -365,7 +370,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
|
||||
tomoyo_fill_path_info(&ptr->entry);
|
||||
fmb->ptr += len;
|
||||
fmb->len -= len;
|
||||
list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]);
|
||||
list_add_tail(&ptr->list, head);
|
||||
if (fmb->len == 0) {
|
||||
list_del(&fmb->list);
|
||||
kfree(fmb);
|
||||
|
Loading…
Reference in New Issue
Block a user