Commit f67f4f315f31e7907779adb3296fb6682e755342

Authored by Paul Moore
Committed by James Morris
1 parent 3bb56b25db

SELinux: Add a new peer class and permissions to the Flask definitions

Add additional Flask definitions to support the new "peer" object class and
additional permissions to the netif, node, and packet object classes.  Also,
bring the kernel Flask definitions up to date with the Fedora SELinux policies
by adding the "flow_in" and "flow_out" permissions to the "packet" class.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 4 changed files with 26 additions and 0 deletions Side-by-side Diff

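--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -37,6 +37,8 @@
 S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
 S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
 S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
+ S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
+ S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
 S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
 S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
 S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
@@ -45,6 +47,8 @@
 S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
 S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
 S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
+ S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
+ S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
@@ -149,6 +153,10 @@
 S_(SECCLASS_PACKET, PACKET__SEND, "send")
 S_(SECCLASS_PACKET, PACKET__RECV, "recv")
 S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
+ S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
+ S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
+ S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
+ S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
 S_(SECCLASS_KEY, KEY__VIEW, "view")
 S_(SECCLASS_KEY, KEY__READ, "read")
 S_(SECCLASS_KEY, KEY__WRITE, "write")
@@ -159,4 +167,5 @@
 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
+ S_(SECCLASS_PEER, PEER__RECV, "recv")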
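--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -292,6 +292,8 @@
 #define NODE__ENFORCE_DEST 0x00000040UL
 #define NODE__DCCP_RECV 0x00000080UL
 #define NODE__DCCP_SEND 0x00000100UL
+#define NODE__RECVFROM 0x00000200UL
+#define NODE__SENDTO 0x00000400UL
 #define NETIF__TCP_RECV 0x00000001UL
 #define NETIF__TCP_SEND 0x00000002UL
 #define NETIF__UDP_RECV 0x00000004UL
@@ -300,6 +302,8 @@
 #define NETIF__RAWIP_SEND 0x00000020UL
 #define NETIF__DCCP_RECV 0x00000040UL
 #define NETIF__DCCP_SEND 0x00000080UL
+#define NETIF__INGRESS 0x00000100UL
+#define NETIF__EGRESS 0x00000200UL
 #define NETLINK_SOCKET__IOCTL 0x00000001UL
 #define NETLINK_SOCKET__READ 0x00000002UL
 #define NETLINK_SOCKET__WRITE 0x00000004UL
@@ -792,6 +796,10 @@
 #define PACKET__SEND 0x00000001UL
 #define PACKET__RECV 0x00000002UL
 #define PACKET__RELABELTO 0x00000004UL
+#define PACKET__FLOW_IN 0x00000008UL
+#define PACKET__FLOW_OUT 0x00000010UL
+#define PACKET__FORWARD_IN 0x00000020UL
+#define PACKET__FORWARD_OUT 0x00000040UL
 #define KEY__VIEW 0x00000001UL
 #define KEY__READ 0x00000002UL
 #define KEY__WRITE 0x00000004UL
@@ -824,4 +832,5 @@
 #define DCCP_SOCKET__NODE_BIND 0x00400000UL
 #define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
 #define MEMPROTECT__MMAP_ZERO 0x00000001UL
+#define PEER__RECV 0x00000001UL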
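--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -64,4 +64,11 @@
 S_(NULL)
 S_("dccp_socket")
 S_("memprotect")
+ S_(NULL)
+ S_(NULL)
+ S_(NULL)
+ S_(NULL)
+ S_(NULL)
+ S_(NULL)
+ S_("peer")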
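Review bot: The six `S_(NULL)` placeholders inserted before `S_("peer")` carry no comment saying why they are there, so the file gives the next maintainer nothing to check against. If, as the layout suggests, this table is indexed by class number (the `"dccp_socket"` and `"memprotect"` entries line up with `SECCLASS_DCCP_SOCKET 60` and `SECCLASS_MEMPROTECT 61` from flask.h), the placeholders exist only so that `"peer"` sits at index 68 to match the new `#define SECCLASS_PEER 68`, and one NULL too many or too few would make the AVC report the wrong class name with no build-time check visible here to catch it. A comment ahead of the placeholders, `/* classes 62-67 are unused by the kernel; "peer" must stay at index SECCLASS_PEER (68) */`, would record the constraint. The flask.h hunk has the same gap, `SECCLASS_PEER 68` following `SECCLASS_MEMPROTECT 61`, and would benefit from a matching note; whether 62-67 are reserved for userspace-only classes in the shipped policy cannot be confirmed from these files, so the comment should state only the indexing requirement.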
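--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -50,6 +50,7 @@
 #define SECCLASS_KEY 58
 #define SECCLASS_DCCP_SOCKET 60
 #define SECCLASS_MEMPROTECT 61
+#define SECCLASS_PEER 68
 
 /*
 * Security identifier indices for initial entities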