6 files changed, 39 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a2cc75b3948..2ae7d3cb8df4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
                        return SECCLASS_NETLINK_IP6FW_SOCKET;
                case NETLINK_DNRTMSG:
                        return SECCLASS_NETLINK_DNRT_SOCKET;
+                case NETLINK_KOBJECT_UEVENT:
+                        return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
                default:
                        return SECCLASS_NETLINK_SOCKET;
                }
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
index 9facb27822a1..b0e6b12931c9 100644
--- a/security/selinux/include/av_inherit.h
+++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
   S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
   S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
+   S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 903e8b3cc2e9..eb340b45bc6f 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
   S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
   S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
   S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
+   S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
   S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
   S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
   S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
@@ -230,3 +232,5 @@
   S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
   S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
   S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
+   S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index b0a12ac8f7ee..f9de0f966559 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
 #define CAPABILITY__SYS_TTY_CONFIG                0x04000000UL
 #define CAPABILITY__MKNOD                         0x08000000UL
 #define CAPABILITY__LEASE                         0x10000000UL
+#define CAPABILITY__AUDIT_WRITE                   0x20000000UL
+#define CAPABILITY__AUDIT_CONTROL                 0x40000000UL
 #define PASSWD__PASSWD                            0x00000001UL
 #define PASSWD__CHFN                              0x00000002UL
@@ -900,3 +902,29 @@
 #define NSCD__SHMEMGRP                            0x00000040UL
 #define NSCD__SHMEMHOST                           0x00000080UL
+#define ASSOCIATION__SENDTO                       0x00000001UL
+#define ASSOCIATION__RECVFROM                     0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL      0x00000001UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__READ       0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE      0x00000004UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE     0x00000008UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR    0x00000010UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR    0x00000020UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK       0x00000040UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO  0x00000100UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND     0x00000200UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND       0x00000400UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT    0x00000800UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN     0x00001000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT     0x00002000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT     0x00004000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT     0x00008000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN   0x00010000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM   0x00020000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO     0x00040000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG   0x00080000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG   0x00100000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND  0x00200000UL
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 519a77d7394a..77b2c5996f35 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
    S_("netlink_dnrt_socket")
    S_("dbus")
    S_("nscd")
+    S_("association")
+    S_("netlink_kobject_uevent_socket")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 4eef1b654e92..eb9f50823f6e 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
 #define SECCLASS_NETLINK_DNRT_SOCKET                     51
 #define SECCLASS_DBUS                                    52
 #define SECCLASS_NSCD                                    53
+#define SECCLASS_ASSOCIATION                             54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET           55
 /*
 * Security identifier indices for initial entities

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 8a2cc75b3948..2ae7d3cb8df4 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
672	return SECCLASS_NETLINK_IP6FW_SOCKET;	672	return SECCLASS_NETLINK_IP6FW_SOCKET;
673	case NETLINK_DNRTMSG:	673	case NETLINK_DNRTMSG:
674	return SECCLASS_NETLINK_DNRT_SOCKET;	674	return SECCLASS_NETLINK_DNRT_SOCKET;
		675	case NETLINK_KOBJECT_UEVENT:
		676	return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
675	default:	677	default:
676	return SECCLASS_NETLINK_SOCKET;	678	return SECCLASS_NETLINK_SOCKET;
677	}	679	}


diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h index 9facb27822a1..b0e6b12931c9 100644 --- a/security/selinux/include/av_inherit.h +++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
28	S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)	28	S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)	29	S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)	30	S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
		31	S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)


diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 903e8b3cc2e9..eb340b45bc6f 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
118	S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")	118	S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
119	S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")	119	S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
120	S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")	120	S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
		121	S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
		122	S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
121	S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")	123	S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
122	S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")	124	S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
123	S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")	125	S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
@@ -230,3 +232,5 @@
230	S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")	232	S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
231	S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")	233	S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
232	S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")	234	S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
		235	S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
		236	S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")


diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index b0a12ac8f7ee..f9de0f966559 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
559	#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL	559	#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
560	#define CAPABILITY__MKNOD 0x08000000UL	560	#define CAPABILITY__MKNOD 0x08000000UL
561	#define CAPABILITY__LEASE 0x10000000UL	561	#define CAPABILITY__LEASE 0x10000000UL
		562	#define CAPABILITY__AUDIT_WRITE 0x20000000UL
		563	#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
562		564
563	#define PASSWD__PASSWD 0x00000001UL	565	#define PASSWD__PASSWD 0x00000001UL
564	#define PASSWD__CHFN 0x00000002UL	566	#define PASSWD__CHFN 0x00000002UL
@@ -900,3 +902,29 @@
900	#define NSCD__SHMEMGRP 0x00000040UL	902	#define NSCD__SHMEMGRP 0x00000040UL
901	#define NSCD__SHMEMHOST 0x00000080UL	903	#define NSCD__SHMEMHOST 0x00000080UL
902		904
		905	#define ASSOCIATION__SENDTO 0x00000001UL
		906	#define ASSOCIATION__RECVFROM 0x00000002UL
		907
		908	#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
		909	#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
		910	#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
		911	#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
		912	#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
		913	#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
		914	#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
		915	#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
		916	#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
		917	#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
		918	#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
		919	#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
		920	#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
		921	#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
		922	#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
		923	#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
		924	#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
		925	#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
		926	#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
		927	#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
		928	#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
		929	#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
		930


diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h index 519a77d7394a..77b2c5996f35 100644 --- a/security/selinux/include/class_to_string.h +++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
56	S_("netlink_dnrt_socket")	56	S_("netlink_dnrt_socket")
57	S_("dbus")	57	S_("dbus")
58	S_("nscd")	58	S_("nscd")
		59	S_("association")
		60	S_("netlink_kobject_uevent_socket")


diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h index 4eef1b654e92..eb9f50823f6e 100644 --- a/security/selinux/include/flask.h +++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
58	#define SECCLASS_NETLINK_DNRT_SOCKET 51	58	#define SECCLASS_NETLINK_DNRT_SOCKET 51
59	#define SECCLASS_DBUS 52	59	#define SECCLASS_DBUS 52
60	#define SECCLASS_NSCD 53	60	#define SECCLASS_NSCD 53
		61	#define SECCLASS_ASSOCIATION 54
		62	#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
61		63
62	/*	64	/*
63	* Security identifier indices for initial entities	65	* Security identifier indices for initial entities