[PATCH] SELinux: add support for NETLINK_KOBJECT_UEVENT

This patch adds SELinux support for the KOBJECT_UEVENT Netlink family, so that SELinux can apply finer grained controls to it. For example, security policy for hald can be locked down to the KOBJECT_UEVENT Netlink family only. Currently, this family simply defaults to the default Netlink socket class. Note that some new permission definitions are added to sync with changes in the core userspace policy package, which auto-generates header files. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
author: James Morris <jmorris@redhat.com> 2005-04-16 18:24:13 -0400
committer: Linus Torvalds <torvalds@ppc970.osdl.org> 2005-04-16 18:24:13 -0400
commit: 0c9b79429c83a404a04908be65baa9d97836bbb6 (patch)
tree: 66cdf9fc4cf40867ed8c9dc060661615941cd95f /security
parent: 7e5c6bc0a600c49e5922591ad41ff41987f54eb4 (diff)
6 files changed, 39 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a2cc75b3948..2ae7d3cb8df4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                        return SECCLASS_NETLINK_IP6FW_SOCKET;
                case NETLINK_DNRTMSG:
                        return SECCLASS_NETLINK_DNRT_SOCKET;
+                case NETLINK_KOBJECT_UEVENT:
+                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
                default:
                        return SECCLASS_NETLINK_SOCKET;
                }
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
index 9facb27822a1..b0e6b12931c9 100644
--- a/security/selinux/include/av_inherit.h
+++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 903e8b3cc2e9..eb340b45bc6f 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
   S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
   S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
   S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
   S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
@@ -230,3 +232,5 @@
   S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
   S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
   S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index b0a12ac8f7ee..f9de0f966559 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
 #define CAPABILITY__SYS_TTY_CONFIG                0x04000000UL
 #define CAPABILITY__MKNOD                         0x08000000UL
 #define CAPABILITY__LEASE                         0x10000000UL
+#define CAPABILITY__AUDIT_WRITE                   0x20000000UL
+#define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
 #define PASSWD__PASSWD                            0x00000001UL
 #define PASSWD__CHFN                              0x00000002UL
@@ -900,3 +902,29 @@
 #define NSCD__SHMEMGRP                            0x00000040UL
 #define NSCD__SHMEMHOST                           0x00000080UL
+#define ASSOCIATION__SENDTO                       0x00000001UL
+#define ASSOCIATION__RECVFROM                     0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE      0x00000004UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE     0x00000008UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR    0x00000010UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR    0x00000020UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK       0x00000040UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO  0x00000100UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND     0x00000200UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND       0x00000400UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT    0x00000800UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN     0x00001000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT     0x00002000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT     0x00004000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT     0x00008000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN   0x00010000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM   0x00020000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO     0x00040000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG   0x00080000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG   0x00100000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND  0x00200000UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 519a77d7394a..77b2c5996f35 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
    S_("netlink_dnrt_socket")
    S_("dbus")
    S_("nscd")
+    S_("association")
+    S_("netlink_kobject_uevent_socket")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 4eef1b654e92..eb9f50823f6e 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
 #define SECCLASS_NETLINK_DNRT_SOCKET                     51
 #define SECCLASS_DBUS                                    52
 #define SECCLASS_NSCD                                    53
+#define SECCLASS_ASSOCIATION                             54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
 /*
 * Security identifier indices for initial entities
author	James Morris <jmorris@redhat.com>	2005-04-16 18:24:13 -0400
committer	Linus Torvalds <torvalds@ppc970.osdl.org>	2005-04-16 18:24:13 -0400
commit	0c9b79429c83a404a04908be65baa9d97836bbb6 (patch)
tree	66cdf9fc4cf40867ed8c9dc060661615941cd95f /security
parent	7e5c6bc0a600c49e5922591ad41ff41987f54eb4 (diff)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8a2cc75b3948..2ae7d3cb8df4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
672	return SECCLASS_NETLINK_IP6FW_SOCKET;	672	return SECCLASS_NETLINK_IP6FW_SOCKET;
673	case NETLINK_DNRTMSG:	673	case NETLINK_DNRTMSG:
674	return SECCLASS_NETLINK_DNRT_SOCKET;	674	return SECCLASS_NETLINK_DNRT_SOCKET;
		675	case NETLINK_KOBJECT_UEVENT:
		676	return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
675	default:	677	default:
676	return SECCLASS_NETLINK_SOCKET;	678	return SECCLASS_NETLINK_SOCKET;
677	}	679	}


diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h index 9facb27822a1..b0e6b12931c9 100644 --- a/security/selinux/include/av_inherit.h +++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
28	S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)	28	S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)	29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)	30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
		31	S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)


diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 903e8b3cc2e9..eb340b45bc6f 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
118	S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")	118	S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
119	S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")	119	S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
120	S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")	120	S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
		121	S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
		122	S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
121	S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")	123	S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
122	S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")	124	S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
123	S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")	125	S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
@@ -230,3 +232,5 @@
230	S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")	232	S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
231	S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")	233	S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
232	S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")	234	S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
		235	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
		236	S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")


diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index b0a12ac8f7ee..f9de0f966559 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
559	#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL	559	#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
560	#define CAPABILITY__MKNOD 0x08000000UL	560	#define CAPABILITY__MKNOD 0x08000000UL
561	#define CAPABILITY__LEASE 0x10000000UL	561	#define CAPABILITY__LEASE 0x10000000UL
		562	#define CAPABILITY__AUDIT_WRITE 0x20000000UL
		563	#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
562		564
563	#define PASSWD__PASSWD 0x00000001UL	565	#define PASSWD__PASSWD 0x00000001UL
564	#define PASSWD__CHFN 0x00000002UL	566	#define PASSWD__CHFN 0x00000002UL
@@ -900,3 +902,29 @@
900	#define NSCD__SHMEMGRP 0x00000040UL	902	#define NSCD__SHMEMGRP 0x00000040UL
901	#define NSCD__SHMEMHOST 0x00000080UL	903	#define NSCD__SHMEMHOST 0x00000080UL
902		904
		905	#define ASSOCIATION__SENDTO 0x00000001UL
		906	#define ASSOCIATION__RECVFROM 0x00000002UL
		907
		908	#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
		909	#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
		910	#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
		911	#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
		912	#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
		913	#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
		914	#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
		915	#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
		916	#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
		917	#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
		918	#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
		919	#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
		920	#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
		921	#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
		922	#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
		923	#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
		924	#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
		925	#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
		926	#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
		927	#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
		928	#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
		929	#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
		930


diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h index 519a77d7394a..77b2c5996f35 100644 --- a/security/selinux/include/class_to_string.h +++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
56	S_("netlink_dnrt_socket")	56	S_("netlink_dnrt_socket")
57	S_("dbus")	57	S_("dbus")
58	S_("nscd")	58	S_("nscd")
		59	S_("association")
		60	S_("netlink_kobject_uevent_socket")


diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index 4eef1b654e92..eb9f50823f6e 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
58	#define SECCLASS_NETLINK_DNRT_SOCKET 51	58	#define SECCLASS_NETLINK_DNRT_SOCKET 51
59	#define SECCLASS_DBUS 52	59	#define SECCLASS_DBUS 52
60	#define SECCLASS_NSCD 53	60	#define SECCLASS_NSCD 53
		61	#define SECCLASS_ASSOCIATION 54
		62	#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
61		63
62	/*	64	/*
63	* Security identifier indices for initial entities	65	* Security identifier indices for initial entities