aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include/classmap.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux/include/classmap.h')
-rw-r--r--security/selinux/include/classmap.h30
1 files changed, 19 insertions, 11 deletions
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index ef83c4b85a33..1f1f4b2f6018 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,6 +12,18 @@
12#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ 12#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
13 "write", "associate", "unix_read", "unix_write" 13 "write", "associate", "unix_read", "unix_write"
14 14
15#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
16 "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
17 "linux_immutable", "net_bind_service", "net_broadcast", \
18 "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
19 "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
20 "sys_boot", "sys_nice", "sys_resource", "sys_time", \
21 "sys_tty_config", "mknod", "lease", "audit_write", \
22 "audit_control", "setfcap"
23
24#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
25 "wake_alarm", "block_suspend", "audit_read"
26
15/* 27/*
16 * Note: The name for any socket class should be suffixed by "socket", 28 * Note: The name for any socket class should be suffixed by "socket",
17 * and doesn't contain more than one substr of "socket". 29 * and doesn't contain more than one substr of "socket".
@@ -32,16 +44,9 @@ struct security_class_mapping secclass_map[] = {
32 "setsockcreate", NULL } }, 44 "setsockcreate", NULL } },
33 { "system", 45 { "system",
34 { "ipc_info", "syslog_read", "syslog_mod", 46 { "ipc_info", "syslog_read", "syslog_mod",
35 "syslog_console", "module_request", NULL } }, 47 "syslog_console", "module_request", "module_load", NULL } },
36 { "capability", 48 { "capability",
37 { "chown", "dac_override", "dac_read_search", 49 { COMMON_CAP_PERMS, NULL } },
38 "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
39 "linux_immutable", "net_bind_service", "net_broadcast",
40 "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
41 "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
42 "sys_boot", "sys_nice", "sys_resource", "sys_time",
43 "sys_tty_config", "mknod", "lease", "audit_write",
44 "audit_control", "setfcap", NULL } },
45 { "filesystem", 50 { "filesystem",
46 { "mount", "remount", "unmount", "getattr", 51 { "mount", "remount", "unmount", "getattr",
47 "relabelfrom", "relabelto", "associate", "quotamod", 52 "relabelfrom", "relabelto", "associate", "quotamod",
@@ -150,12 +155,15 @@ struct security_class_mapping secclass_map[] = {
150 { "memprotect", { "mmap_zero", NULL } }, 155 { "memprotect", { "mmap_zero", NULL } },
151 { "peer", { "recv", NULL } }, 156 { "peer", { "recv", NULL } },
152 { "capability2", 157 { "capability2",
153 { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", 158 { COMMON_CAP2_PERMS, NULL } },
154 "audit_read", NULL } },
155 { "kernel_service", { "use_as_override", "create_files_as", NULL } }, 159 { "kernel_service", { "use_as_override", "create_files_as", NULL } },
156 { "tun_socket", 160 { "tun_socket",
157 { COMMON_SOCK_PERMS, "attach_queue", NULL } }, 161 { COMMON_SOCK_PERMS, "attach_queue", NULL } },
158 { "binder", { "impersonate", "call", "set_context_mgr", "transfer", 162 { "binder", { "impersonate", "call", "set_context_mgr", "transfer",
159 NULL } }, 163 NULL } },
164 { "cap_userns",
165 { COMMON_CAP_PERMS, NULL } },
166 { "cap2_userns",
167 { COMMON_CAP2_PERMS, NULL } },
160 { NULL } 168 { NULL }
161 }; 169 };
generated by cgit v1.2.2 (git 2.25.0) at 2025-10-03 21:55:02 -0400