  /*
   * Netlink message type permission tables, for user generated messages.
   *
   * Author: James Morris <jmorris@redhat.com>
   *
   * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
   *
   * This program is free software; you can redistribute it and/or modify
   * it under the terms of the GNU General Public License version 2,
   * as published by the Free Software Foundation.
   */
  #include <linux/types.h>
  #include <linux/kernel.h>
  #include <linux/netlink.h>
  #include <linux/rtnetlink.h>
  #include <linux/if.h>
  #include <linux/netfilter_ipv4/ip_queue.h>
  #include <linux/inet_diag.h>
  #include <linux/xfrm.h>
  #include <linux/audit.h>
  
  #include "flask.h"
  #include "av_permissions.h"
  #include "security.h"
  /*
   * One row of a per-socket-class permission table: a netlink message type
   * and the permission that nlmsg_perm() returns for it.  Types are matched
   * exactly, so a type with no row yields no permission at all.
   */
  struct nlmsg_perm {
  	u16	nlmsg_type;	/* netlink message type this row describes */
  	u32	perm;		/* NETLINK_*_SOCKET__NLMSG_* permission for that type */
  };
  
  /*
   * NETLINK_ROUTE message types, consulted for SECCLASS_NETLINK_ROUTE_SOCKET
   * by selinux_nlmsg_lookup().  Convention: RTM_GET* queries are NLMSG_READ;
   * every NEW/DEL/SET type that changes kernel networking state is NLMSG_WRITE.
   * A type not listed here fails lookup with -EINVAL.
   */
  static struct nlmsg_perm nlmsg_route_perms[] =
  {
  	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_SETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_NEWADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETADDR,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETRULE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETACTION,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_NEWPREFIX,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETMULTICAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_GETANYCAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_GETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_SETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_NEWADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_DELADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  	{ RTM_GETADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_GETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
  	{ RTM_SETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
  };
  
  /*
   * ip_queue (IPQM_*) message types.  selinux_nlmsg_lookup() uses this one
   * table for both SECCLASS_NETLINK_FIREWALL_SOCKET and
   * SECCLASS_NETLINK_IP6FW_SOCKET.  Both setting the queue mode and issuing a
   * verdict on a queued packet are treated as writes.
   */
  static struct nlmsg_perm nlmsg_firewall_perms[] =
  {
  	{ IPQM_MODE,		NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
  	{ IPQM_VERDICT,		NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
  };
  
  /*
   * Socket-diagnostics queries for SECCLASS_NETLINK_TCPDIAG_SOCKET.  Both the
   * TCP and the DCCP GETSOCK requests only read socket state, so both are
   * NLMSG_READ.
   */
  static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
  {
  	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
  	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
  };
  
  /*
   * IPsec (xfrm) SA and policy management for SECCLASS_NETLINK_XFRM_SOCKET.
   * Only the GET* queries are NLMSG_READ; creating, updating, deleting,
   * flushing and allocating SPIs, as well as the ACQUIRE/EXPIRE/POLEXPIRE
   * types, are NLMSG_WRITE.
   */
  static struct nlmsg_perm nlmsg_xfrm_perms[] =
  {
  	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_GETSA,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
  	{ XFRM_MSG_NEWPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_DELPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_GETPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
  	{ XFRM_MSG_ALLOCSPI,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_ACQUIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_EXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_UPDPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_UPDSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_POLEXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_FLUSHSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_FLUSHPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_NEWAE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
  	{ XFRM_MSG_GETAE,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
  };
  
  /*
   * Audit control messages for SECCLASS_NETLINK_AUDIT_SOCKET.  This table is
   * only reached for types outside the AUDIT_FIRST_USER_MSG..LAST_USER_MSG
   * and AUDIT_FIRST_USER_MSG2..LAST_USER_MSG2 ranges; selinux_nlmsg_lookup()
   * maps those to NLMSG_RELAY before consulting it.
   *
   * Note the finer-grained permissions here: listing rules needs
   * NLMSG_READPRIV rather than NLMSG_READ, AUDIT_USER is NLMSG_RELAY, and
   * AUDIT_TTY_SET has its own NLMSG_TTY_AUDIT permission.
   */
  static struct nlmsg_perm nlmsg_audit_perms[] =
  {
  	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
  	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_LIST,		NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
  	{ AUDIT_ADD,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_DEL,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
  	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
  	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
  	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
  	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
  	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT	},
  };
  
  
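  /*
   * Find the permission required for @nlmsg_type in one permission table.
   *
   * @nlmsg_type: netlink message type to look up.
   * @perm:       receives the matching entry's permission on success; left
   *              untouched when no entry matches.
   * @tab:        table to search; it is only read.
   * @tabsize:    size of @tab in BYTES (callers pass sizeof(table)), not the
   *              entry count.
   *
   * Returns 0 and sets *@perm on the first exact match, -EINVAL otherwise.
   * Because a type without a row yields no permission, any newly added
   * netlink message type must be given a row in the relevant table before
   * it can be matched here.
   */
  static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab,
  		      size_t tabsize)
  {
  	/*
  	 * Entry count derived from the byte size.  Index with size_t so the
  	 * loop bound is not a signed/unsigned comparison against tabsize.
  	 */
  	size_t i, count = tabsize / sizeof(*tab);

  	for (i = 0; i < count; i++) {
  		if (tab[i].nlmsg_type == nlmsg_type) {
  			*perm = tab[i].perm;
  			return 0;
  		}
  	}

  	return -EINVAL;
  }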
  
  /*
   * Is @nlmsg_type inside either AUDIT_*_USER_MSG range?  These are the
   * userspace-originated audit record types, which are relayed rather than
   * looked up in nlmsg_audit_perms.
   */
  static int audit_user_msg_type(u16 nlmsg_type)
  {
  	if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
  	    nlmsg_type <= AUDIT_LAST_USER_MSG)
  		return 1;

  	return nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
  	       nlmsg_type <= AUDIT_LAST_USER_MSG2;
  }

  /*
   * selinux_nlmsg_lookup - map a netlink message type to the permission it needs
   * @sclass:     security class of the sending socket (SECCLASS_NETLINK_*_SOCKET)
   * @nlmsg_type: netlink message type being sent
   * @perm:       receives the required NETLINK_*_SOCKET__NLMSG_* permission
   *
   * Returns 0 with *@perm set on success; -EINVAL when the class has a table
   * here but the type is not in it (propagated from nlmsg_perm(), *@perm then
   * untouched); -ENOENT when the class has no table in this file.  Distinct
   * codes let the caller tell "unknown message for a known class" apart from
   * "class not covered here".
   */
  int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
  {
  	switch (sclass) {
  	case SECCLASS_NETLINK_ROUTE_SOCKET:
  		return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
  				  sizeof(nlmsg_route_perms));

  	/* Both firewall socket classes share the ip_queue table. */
  	case SECCLASS_NETLINK_FIREWALL_SOCKET:
  	case SECCLASS_NETLINK_IP6FW_SOCKET:
  		return nlmsg_perm(nlmsg_type, perm, nlmsg_firewall_perms,
  				  sizeof(nlmsg_firewall_perms));

  	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
  		return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
  				  sizeof(nlmsg_tcpdiag_perms));

  	case SECCLASS_NETLINK_XFRM_SOCKET:
  		return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
  				  sizeof(nlmsg_xfrm_perms));

  	case SECCLASS_NETLINK_AUDIT_SOCKET:
  		/* User-range audit records are always NLMSG_RELAY, never table-matched. */
  		if (audit_user_msg_type(nlmsg_type)) {
  			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
  			return 0;
  		}
  		return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
  				  sizeof(nlmsg_audit_perms));

  	default:
  		/* No messaging from userspace, or class unknown/unhandled */
  		return -ENOENT;
  	}
  }