aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Documentation/dontdiff3
-rw-r--r--Documentation/kernel-parameters.txt10
-rw-r--r--drivers/char/tpm/tpm.c2
-rw-r--r--drivers/char/tpm/tpm_tis.c11
-rw-r--r--fs/exec.c4
-rw-r--r--fs/file_table.c2
-rw-r--r--fs/inode.c10
-rw-r--r--fs/namespace.c20
-rw-r--r--fs/open.c27
-rw-r--r--include/linux/Kbuild1
-rw-r--r--include/linux/capability.h2
-rw-r--r--include/linux/init_task.h4
-rw-r--r--include/linux/lsm_audit.h18
-rw-r--r--include/linux/securebits.h24
-rw-r--r--include/linux/security.h48
-rw-r--r--include/linux/tpm.h9
-rw-r--r--kernel/capability.c15
-rw-r--r--kernel/kmod.c8
-rw-r--r--mm/mmap.c4
-rw-r--r--scripts/selinux/Makefile4
-rw-r--r--scripts/selinux/genheaders/.gitignore1
-rw-r--r--scripts/selinux/genheaders/Makefile5
-rw-r--r--scripts/selinux/genheaders/genheaders.c118
-rw-r--r--scripts/selinux/mdp/mdp.c151
-rw-r--r--security/Kconfig54
-rw-r--r--security/Makefile1
-rw-r--r--security/capability.c21
-rw-r--r--security/commoncap.c74
-rw-r--r--security/integrity/ima/Kconfig1
-rw-r--r--security/lsm_audit.c4
-rw-r--r--security/min_addr.c3
-rw-r--r--security/root_plug.c90
-rw-r--r--security/security.c61
-rw-r--r--security/selinux/.gitignore2
-rw-r--r--security/selinux/Makefile10
-rw-r--r--security/selinux/avc.c78
-rw-r--r--security/selinux/hooks.c25
-rw-r--r--security/selinux/include/av_inherit.h34
-rw-r--r--security/selinux/include/av_perm_to_string.h183
-rw-r--r--security/selinux/include/av_permissions.h870
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h80
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h91
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/Makefile2
-rw-r--r--security/selinux/ss/mls.c2
-rw-r--r--security/selinux/ss/policydb.c47
-rw-r--r--security/selinux/ss/policydb.h7
-rw-r--r--security/selinux/ss/services.c562
-rw-r--r--security/tomoyo/common.c200
-rw-r--r--security/tomoyo/common.h4
-rw-r--r--security/tomoyo/realpath.c13
55 files changed, 1083 insertions, 2183 deletions
diff --git a/Documentation/dontdiff b/Documentation/dontdiff
index e1efc400bed6..e151b2a36267 100644
--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -65,6 +65,7 @@ aicdb.h*
65asm-offsets.h 65asm-offsets.h
66asm_offsets.h 66asm_offsets.h
67autoconf.h* 67autoconf.h*
68av_permissions.h
68bbootsect 69bbootsect
69bin2c 70bin2c
70binkernel.spec 71binkernel.spec
@@ -95,12 +96,14 @@ docproc
95elf2ecoff 96elf2ecoff
96elfconfig.h* 97elfconfig.h*
97fixdep 98fixdep
99flask.h
98fore200e_mkfirm 100fore200e_mkfirm
99fore200e_pca_fw.c* 101fore200e_pca_fw.c*
100gconf 102gconf
101gen-devlist 103gen-devlist
102gen_crc32table 104gen_crc32table
103gen_init_cpio 105gen_init_cpio
106genheaders
104genksyms 107genksyms
105*_gray256.c 108*_gray256.c
106ihex2fw 109ihex2fw
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 9107b387e91f..332fe3b47e0c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -85,7 +85,6 @@ parameter is applicable:
85 PPT Parallel port support is enabled. 85 PPT Parallel port support is enabled.
86 PS2 Appropriate PS/2 support is enabled. 86 PS2 Appropriate PS/2 support is enabled.
87 RAM RAM disk support is enabled. 87 RAM RAM disk support is enabled.
88 ROOTPLUG The example Root Plug LSM is enabled.
89 S390 S390 architecture is enabled. 88 S390 S390 architecture is enabled.
90 SCSI Appropriate SCSI support is enabled. 89 SCSI Appropriate SCSI support is enabled.
91 A lot of drivers has their options described inside of 90 A lot of drivers has their options described inside of
@@ -2164,15 +2163,6 @@ and is between 256 and 4096 characters. It is defined in the file
2164 Useful for devices that are detected asynchronously 2163 Useful for devices that are detected asynchronously
2165 (e.g. USB and MMC devices). 2164 (e.g. USB and MMC devices).
2166 2165
2167 root_plug.vendor_id=
2168 [ROOTPLUG] Override the default vendor ID
2169
2170 root_plug.product_id=
2171 [ROOTPLUG] Override the default product ID
2172
2173 root_plug.debug=
2174 [ROOTPLUG] Enable debugging output
2175
2176 rw [KNL] Mount root device read-write on boot 2166 rw [KNL] Mount root device read-write on boot
2177 2167
2178 S [KNL] Run init in single mode 2168 S [KNL] Run init in single mode
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 47c2d2763456..f06bb37defb1 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -31,7 +31,7 @@
31 31
32enum tpm_const { 32enum tpm_const {
33 TPM_MINOR = 224, /* officially assigned */ 33 TPM_MINOR = 224, /* officially assigned */
34 TPM_BUFSIZE = 2048, 34 TPM_BUFSIZE = 4096,
35 TPM_NUM_DEVICES = 256, 35 TPM_NUM_DEVICES = 256,
36}; 36};
37 37
diff --git a/drivers/char/tpm/tpm_tis.c b/drivers/char/tpm/tpm_tis.c
index 0b73e4ec1add..2405f17b29dd 100644
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -257,6 +257,10 @@ out:
257 return size; 257 return size;
258} 258}
259 259
260static int itpm;
261module_param(itpm, bool, 0444);
262MODULE_PARM_DESC(itpm, "Force iTPM workarounds (found on some Lenovo laptops)");
263
260/* 264/*
261 * If interrupts are used (signaled by an irq set in the vendor structure) 265 * If interrupts are used (signaled by an irq set in the vendor structure)
262 * tpm.c can skip polling for the data to be available as the interrupt is 266 * tpm.c can skip polling for the data to be available as the interrupt is
@@ -293,7 +297,7 @@ static int tpm_tis_send(struct tpm_chip *chip, u8 *buf, size_t len)
293 wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c, 297 wait_for_stat(chip, TPM_STS_VALID, chip->vendor.timeout_c,
294 &chip->vendor.int_queue); 298 &chip->vendor.int_queue);
295 status = tpm_tis_status(chip); 299 status = tpm_tis_status(chip);
296 if ((status & TPM_STS_DATA_EXPECT) == 0) { 300 if (!itpm && (status & TPM_STS_DATA_EXPECT) == 0) {
297 rc = -EIO; 301 rc = -EIO;
298 goto out_err; 302 goto out_err;
299 } 303 }
@@ -467,6 +471,10 @@ static int tpm_tis_init(struct device *dev, resource_size_t start,
467 "1.2 TPM (device-id 0x%X, rev-id %d)\n", 471 "1.2 TPM (device-id 0x%X, rev-id %d)\n",
468 vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0))); 472 vendor >> 16, ioread8(chip->vendor.iobase + TPM_RID(0)));
469 473
474 if (itpm)
475 dev_info(dev, "Intel iTPM workaround enabled\n");
476
477
470 /* Figure out the capabilities */ 478 /* Figure out the capabilities */
471 intfcaps = 479 intfcaps =
472 ioread32(chip->vendor.iobase + 480 ioread32(chip->vendor.iobase +
@@ -629,6 +637,7 @@ static struct pnp_device_id tpm_pnp_tbl[] __devinitdata = {
629 {"", 0}, /* User Specified */ 637 {"", 0}, /* User Specified */
630 {"", 0} /* Terminator */ 638 {"", 0} /* Terminator */
631}; 639};
640MODULE_DEVICE_TABLE(pnp, tpm_pnp_tbl);
632 641
633static __devexit void tpm_tis_pnp_remove(struct pnp_dev *dev) 642static __devexit void tpm_tis_pnp_remove(struct pnp_dev *dev)
634{ 643{
diff --git a/fs/exec.c b/fs/exec.c
index ba112bd4a339..c0c636e34f60 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -46,7 +46,6 @@
46#include <linux/proc_fs.h> 46#include <linux/proc_fs.h>
47#include <linux/mount.h> 47#include <linux/mount.h>
48#include <linux/security.h> 48#include <linux/security.h>
49#include <linux/ima.h>
50#include <linux/syscalls.h> 49#include <linux/syscalls.h>
51#include <linux/tsacct_kern.h> 50#include <linux/tsacct_kern.h>
52#include <linux/cn_proc.h> 51#include <linux/cn_proc.h>
@@ -1209,9 +1208,6 @@ int search_binary_handler(struct linux_binprm *bprm,struct pt_regs *regs)
1209 retval = security_bprm_check(bprm); 1208 retval = security_bprm_check(bprm);
1210 if (retval) 1209 if (retval)
1211 return retval; 1210 return retval;
1212 retval = ima_bprm_check(bprm);
1213 if (retval)
1214 return retval;
1215 1211
1216 /* kernel module loader fixup */ 1212 /* kernel module loader fixup */
1217 /* so we don't try to load run modprobe in kernel space. */ 1213 /* so we don't try to load run modprobe in kernel space. */
diff --git a/fs/file_table.c b/fs/file_table.c
index 8eb44042e009..4bef4c01ec6f 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -13,7 +13,6 @@
13#include <linux/module.h> 13#include <linux/module.h>
14#include <linux/fs.h> 14#include <linux/fs.h>
15#include <linux/security.h> 15#include <linux/security.h>
16#include <linux/ima.h>
17#include <linux/eventpoll.h> 16#include <linux/eventpoll.h>
18#include <linux/rcupdate.h> 17#include <linux/rcupdate.h>
19#include <linux/mount.h> 18#include <linux/mount.h>
@@ -280,7 +279,6 @@ void __fput(struct file *file)
280 if (file->f_op && file->f_op->release) 279 if (file->f_op && file->f_op->release)
281 file->f_op->release(inode, file); 280 file->f_op->release(inode, file);
282 security_file_free(file); 281 security_file_free(file);
283 ima_file_free(file);
284 if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL)) 282 if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
285 cdev_put(inode->i_cdev); 283 cdev_put(inode->i_cdev);
286 fops_put(file->f_op); 284 fops_put(file->f_op);
diff --git a/fs/inode.c b/fs/inode.c
index 4d8e3be55976..06c1f02de611 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -18,7 +18,6 @@
18#include <linux/hash.h> 18#include <linux/hash.h>
19#include <linux/swap.h> 19#include <linux/swap.h>
20#include <linux/security.h> 20#include <linux/security.h>
21#include <linux/ima.h>
22#include <linux/pagemap.h> 21#include <linux/pagemap.h>
23#include <linux/cdev.h> 22#include <linux/cdev.h>
24#include <linux/bootmem.h> 23#include <linux/bootmem.h>
@@ -157,11 +156,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
157 156
158 if (security_inode_alloc(inode)) 157 if (security_inode_alloc(inode))
159 goto out; 158 goto out;
160
161 /* allocate and initialize an i_integrity */
162 if (ima_inode_alloc(inode))
163 goto out_free_security;
164
165 spin_lock_init(&inode->i_lock); 159 spin_lock_init(&inode->i_lock);
166 lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key); 160 lockdep_set_class(&inode->i_lock, &sb->s_type->i_lock_key);
167 161
@@ -201,9 +195,6 @@ int inode_init_always(struct super_block *sb, struct inode *inode)
201#endif 195#endif
202 196
203 return 0; 197 return 0;
204
205out_free_security:
206 security_inode_free(inode);
207out: 198out:
208 return -ENOMEM; 199 return -ENOMEM;
209} 200}
@@ -235,7 +226,6 @@ static struct inode *alloc_inode(struct super_block *sb)
235void __destroy_inode(struct inode *inode) 226void __destroy_inode(struct inode *inode)
236{ 227{
237 BUG_ON(inode_has_buffers(inode)); 228 BUG_ON(inode_has_buffers(inode));
238 ima_inode_free(inode);
239 security_inode_free(inode); 229 security_inode_free(inode);
240 fsnotify_inode_delete(inode); 230 fsnotify_inode_delete(inode);
241#ifdef CONFIG_FS_POSIX_ACL 231#ifdef CONFIG_FS_POSIX_ACL
diff --git a/fs/namespace.c b/fs/namespace.c
index bdc3cb4fd222..7d70d63ceb29 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1921,6 +1921,16 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
1921 if (data_page) 1921 if (data_page)
1922 ((char *)data_page)[PAGE_SIZE - 1] = 0; 1922 ((char *)data_page)[PAGE_SIZE - 1] = 0;
1923 1923
1924 /* ... and get the mountpoint */
1925 retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
1926 if (retval)
1927 return retval;
1928
1929 retval = security_sb_mount(dev_name, &path,
1930 type_page, flags, data_page);
1931 if (retval)
1932 goto dput_out;
1933
1924 /* Default to relatime unless overriden */ 1934 /* Default to relatime unless overriden */
1925 if (!(flags & MS_NOATIME)) 1935 if (!(flags & MS_NOATIME))
1926 mnt_flags |= MNT_RELATIME; 1936 mnt_flags |= MNT_RELATIME;
@@ -1945,16 +1955,6 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
1945 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT | 1955 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
1946 MS_STRICTATIME); 1956 MS_STRICTATIME);
1947 1957
1948 /* ... and get the mountpoint */
1949 retval = kern_path(dir_name, LOOKUP_FOLLOW, &path);
1950 if (retval)
1951 return retval;
1952
1953 retval = security_sb_mount(dev_name, &path,
1954 type_page, flags, data_page);
1955 if (retval)
1956 goto dput_out;
1957
1958 if (flags & MS_REMOUNT) 1958 if (flags & MS_REMOUNT)
1959 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags, 1959 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
1960 data_page); 1960 data_page);
diff --git a/fs/open.c b/fs/open.c
index 4f01e06227c6..b4b31d277f3a 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -587,6 +587,9 @@ SYSCALL_DEFINE1(chroot, const char __user *, filename)
587 error = -EPERM; 587 error = -EPERM;
588 if (!capable(CAP_SYS_CHROOT)) 588 if (!capable(CAP_SYS_CHROOT))
589 goto dput_and_out; 589 goto dput_and_out;
590 error = security_path_chroot(&path);
591 if (error)
592 goto dput_and_out;
590 593
591 set_fs_root(current->fs, &path); 594 set_fs_root(current->fs, &path);
592 error = 0; 595 error = 0;
@@ -617,11 +620,15 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd, mode_t, mode)
617 if (err) 620 if (err)
618 goto out_putf; 621 goto out_putf;
619 mutex_lock(&inode->i_mutex); 622 mutex_lock(&inode->i_mutex);
623 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
624 if (err)
625 goto out_unlock;
620 if (mode == (mode_t) -1) 626 if (mode == (mode_t) -1)
621 mode = inode->i_mode; 627 mode = inode->i_mode;
622 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); 628 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
623 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; 629 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
624 err = notify_change(dentry, &newattrs); 630 err = notify_change(dentry, &newattrs);
631out_unlock:
625 mutex_unlock(&inode->i_mutex); 632 mutex_unlock(&inode->i_mutex);
626 mnt_drop_write(file->f_path.mnt); 633 mnt_drop_write(file->f_path.mnt);
627out_putf: 634out_putf:
@@ -646,11 +653,15 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, const char __user *, filename, mode_t, mode)
646 if (error) 653 if (error)
647 goto dput_and_out; 654 goto dput_and_out;
648 mutex_lock(&inode->i_mutex); 655 mutex_lock(&inode->i_mutex);
656 error = security_path_chmod(path.dentry, path.mnt, mode);
657 if (error)
658 goto out_unlock;
649 if (mode == (mode_t) -1) 659 if (mode == (mode_t) -1)
650 mode = inode->i_mode; 660 mode = inode->i_mode;
651 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO); 661 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
652 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME; 662 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
653 error = notify_change(path.dentry, &newattrs); 663 error = notify_change(path.dentry, &newattrs);
664out_unlock:
654 mutex_unlock(&inode->i_mutex); 665 mutex_unlock(&inode->i_mutex);
655 mnt_drop_write(path.mnt); 666 mnt_drop_write(path.mnt);
656dput_and_out: 667dput_and_out:
@@ -664,9 +675,9 @@ SYSCALL_DEFINE2(chmod, const char __user *, filename, mode_t, mode)
664 return sys_fchmodat(AT_FDCWD, filename, mode); 675 return sys_fchmodat(AT_FDCWD, filename, mode);
665} 676}
666 677
667static int chown_common(struct dentry * dentry, uid_t user, gid_t group) 678static int chown_common(struct path *path, uid_t user, gid_t group)
668{ 679{
669 struct inode *inode = dentry->d_inode; 680 struct inode *inode = path->dentry->d_inode;
670 int error; 681 int error;
671 struct iattr newattrs; 682 struct iattr newattrs;
672 683
@@ -683,7 +694,9 @@ static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
683 newattrs.ia_valid |= 694 newattrs.ia_valid |=
684 ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV; 695 ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_KILL_PRIV;
685 mutex_lock(&inode->i_mutex); 696 mutex_lock(&inode->i_mutex);
686 error = notify_change(dentry, &newattrs); 697 error = security_path_chown(path, user, group);
698 if (!error)
699 error = notify_change(path->dentry, &newattrs);
687 mutex_unlock(&inode->i_mutex); 700 mutex_unlock(&inode->i_mutex);
688 701
689 return error; 702 return error;
@@ -700,7 +713,7 @@ SYSCALL_DEFINE3(chown, const char __user *, filename, uid_t, user, gid_t, group)
700 error = mnt_want_write(path.mnt); 713 error = mnt_want_write(path.mnt);
701 if (error) 714 if (error)
702 goto out_release; 715 goto out_release;
703 error = chown_common(path.dentry, user, group); 716 error = chown_common(&path, user, group);
704 mnt_drop_write(path.mnt); 717 mnt_drop_write(path.mnt);
705out_release: 718out_release:
706 path_put(&path); 719 path_put(&path);
@@ -725,7 +738,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, const char __user *, filename, uid_t, user,
725 error = mnt_want_write(path.mnt); 738 error = mnt_want_write(path.mnt);
726 if (error) 739 if (error)
727 goto out_release; 740 goto out_release;
728 error = chown_common(path.dentry, user, group); 741 error = chown_common(&path, user, group);
729 mnt_drop_write(path.mnt); 742 mnt_drop_write(path.mnt);
730out_release: 743out_release:
731 path_put(&path); 744 path_put(&path);
@@ -744,7 +757,7 @@ SYSCALL_DEFINE3(lchown, const char __user *, filename, uid_t, user, gid_t, group
744 error = mnt_want_write(path.mnt); 757 error = mnt_want_write(path.mnt);
745 if (error) 758 if (error)
746 goto out_release; 759 goto out_release;
747 error = chown_common(path.dentry, user, group); 760 error = chown_common(&path, user, group);
748 mnt_drop_write(path.mnt); 761 mnt_drop_write(path.mnt);
749out_release: 762out_release:
750 path_put(&path); 763 path_put(&path);
@@ -767,7 +780,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group)
767 goto out_fput; 780 goto out_fput;
768 dentry = file->f_path.dentry; 781 dentry = file->f_path.dentry;
769 audit_inode(NULL, dentry); 782 audit_inode(NULL, dentry);
770 error = chown_common(dentry, user, group); 783 error = chown_common(&file->f_path, user, group);
771 mnt_drop_write(file->f_path.mnt); 784 mnt_drop_write(file->f_path.mnt);
772out_fput: 785out_fput:
773 fput(file); 786 fput(file);
diff --git a/include/linux/Kbuild b/include/linux/Kbuild
index 1feed71551c9..5a5385749e16 100644
--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -330,6 +330,7 @@ unifdef-y += scc.h
330unifdef-y += sched.h 330unifdef-y += sched.h
331unifdef-y += screen_info.h 331unifdef-y += screen_info.h
332unifdef-y += sdla.h 332unifdef-y += sdla.h
333unifdef-y += securebits.h
333unifdef-y += selinux_netlink.h 334unifdef-y += selinux_netlink.h
334unifdef-y += sem.h 335unifdef-y += sem.h
335unifdef-y += serial_core.h 336unifdef-y += serial_core.h
diff --git a/include/linux/capability.h b/include/linux/capability.h
index c8f2a5f70ed5..39e5ff512fbe 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -92,9 +92,7 @@ struct vfs_cap_data {
92#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3 92#define _KERNEL_CAPABILITY_VERSION _LINUX_CAPABILITY_VERSION_3
93#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3 93#define _KERNEL_CAPABILITY_U32S _LINUX_CAPABILITY_U32S_3
94 94
95#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
96extern int file_caps_enabled; 95extern int file_caps_enabled;
97#endif
98 96
99typedef struct kernel_cap_struct { 97typedef struct kernel_cap_struct {
100 __u32 cap[_KERNEL_CAPABILITY_U32S]; 98 __u32 cap[_KERNEL_CAPABILITY_U32S];
diff --git a/include/linux/init_task.h b/include/linux/init_task.h
index 21a6f5d9af22..8d10aa7fd4c9 100644
--- a/include/linux/init_task.h
+++ b/include/linux/init_task.h
@@ -83,16 +83,12 @@ extern struct group_info init_groups;
83#define INIT_IDS 83#define INIT_IDS
84#endif 84#endif
85 85
86#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
87/* 86/*
88 * Because of the reduced scope of CAP_SETPCAP when filesystem 87 * Because of the reduced scope of CAP_SETPCAP when filesystem
89 * capabilities are in effect, it is safe to allow CAP_SETPCAP to 88 * capabilities are in effect, it is safe to allow CAP_SETPCAP to
90 * be available in the default configuration. 89 * be available in the default configuration.
91 */ 90 */
92# define CAP_INIT_BSET CAP_FULL_SET 91# define CAP_INIT_BSET CAP_FULL_SET
93#else
94# define CAP_INIT_BSET CAP_INIT_EFF_SET
95#endif
96 92
97#ifdef CONFIG_TREE_PREEMPT_RCU 93#ifdef CONFIG_TREE_PREEMPT_RCU
98#define INIT_TASK_RCU_PREEMPT(tsk) \ 94#define INIT_TASK_RCU_PREEMPT(tsk) \
diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
index 190c37854870..f78f83d7663f 100644
--- a/include/linux/lsm_audit.h
+++ b/include/linux/lsm_audit.h
@@ -26,14 +26,15 @@
26 26
27/* Auxiliary data to use in generating the audit record. */ 27/* Auxiliary data to use in generating the audit record. */
28struct common_audit_data { 28struct common_audit_data {
29 char type; 29 char type;
30#define LSM_AUDIT_DATA_FS 1 30#define LSM_AUDIT_DATA_FS 1
31#define LSM_AUDIT_DATA_NET 2 31#define LSM_AUDIT_DATA_NET 2
32#define LSM_AUDIT_DATA_CAP 3 32#define LSM_AUDIT_DATA_CAP 3
33#define LSM_AUDIT_DATA_IPC 4 33#define LSM_AUDIT_DATA_IPC 4
34#define LSM_AUDIT_DATA_TASK 5 34#define LSM_AUDIT_DATA_TASK 5
35#define LSM_AUDIT_DATA_KEY 6 35#define LSM_AUDIT_DATA_KEY 6
36#define LSM_AUDIT_NO_AUDIT 7 36#define LSM_AUDIT_NO_AUDIT 7
37#define LSM_AUDIT_DATA_KMOD 8
37 struct task_struct *tsk; 38 struct task_struct *tsk;
38 union { 39 union {
39 struct { 40 struct {
@@ -66,6 +67,7 @@ struct common_audit_data {
66 char *key_desc; 67 char *key_desc;
67 } key_struct; 68 } key_struct;
68#endif 69#endif
70 char *kmod_name;
69 } u; 71 } u;
70 /* this union contains LSM specific data */ 72 /* this union contains LSM specific data */
71 union { 73 union {
diff --git a/include/linux/securebits.h b/include/linux/securebits.h
index d2c5ed845bcc..33406174cbe8 100644
--- a/include/linux/securebits.h
+++ b/include/linux/securebits.h
@@ -1,6 +1,15 @@
1#ifndef _LINUX_SECUREBITS_H 1#ifndef _LINUX_SECUREBITS_H
2#define _LINUX_SECUREBITS_H 1 2#define _LINUX_SECUREBITS_H 1
3 3
4/* Each securesetting is implemented using two bits. One bit specifies
5 whether the setting is on or off. The other bit specify whether the
6 setting is locked or not. A setting which is locked cannot be
7 changed from user-level. */
8#define issecure_mask(X) (1 << (X))
9#ifdef __KERNEL__
10#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
11#endif
12
4#define SECUREBITS_DEFAULT 0x00000000 13#define SECUREBITS_DEFAULT 0x00000000
5 14
6/* When set UID 0 has no special privileges. When unset, we support 15/* When set UID 0 has no special privileges. When unset, we support
@@ -12,6 +21,9 @@
12#define SECURE_NOROOT 0 21#define SECURE_NOROOT 0
13#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */ 22#define SECURE_NOROOT_LOCKED 1 /* make bit-0 immutable */
14 23
24#define SECBIT_NOROOT (issecure_mask(SECURE_NOROOT))
25#define SECBIT_NOROOT_LOCKED (issecure_mask(SECURE_NOROOT_LOCKED))
26
15/* When set, setuid to/from uid 0 does not trigger capability-"fixup". 27/* When set, setuid to/from uid 0 does not trigger capability-"fixup".
16 When unset, to provide compatiblility with old programs relying on 28 When unset, to provide compatiblility with old programs relying on
17 set*uid to gain/lose privilege, transitions to/from uid 0 cause 29 set*uid to gain/lose privilege, transitions to/from uid 0 cause
@@ -19,6 +31,10 @@
19#define SECURE_NO_SETUID_FIXUP 2 31#define SECURE_NO_SETUID_FIXUP 2
20#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */ 32#define SECURE_NO_SETUID_FIXUP_LOCKED 3 /* make bit-2 immutable */
21 33
34#define SECBIT_NO_SETUID_FIXUP (issecure_mask(SECURE_NO_SETUID_FIXUP))
35#define SECBIT_NO_SETUID_FIXUP_LOCKED \
36 (issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED))
37
22/* When set, a process can retain its capabilities even after 38/* When set, a process can retain its capabilities even after
23 transitioning to a non-root user (the set-uid fixup suppressed by 39 transitioning to a non-root user (the set-uid fixup suppressed by
24 bit 2). Bit-4 is cleared when a process calls exec(); setting both 40 bit 2). Bit-4 is cleared when a process calls exec(); setting both
@@ -27,12 +43,8 @@
27#define SECURE_KEEP_CAPS 4 43#define SECURE_KEEP_CAPS 4
28#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */ 44#define SECURE_KEEP_CAPS_LOCKED 5 /* make bit-4 immutable */
29 45
30/* Each securesetting is implemented using two bits. One bit specifies 46#define SECBIT_KEEP_CAPS (issecure_mask(SECURE_KEEP_CAPS))
31 whether the setting is on or off. The other bit specify whether the 47#define SECBIT_KEEP_CAPS_LOCKED (issecure_mask(SECURE_KEEP_CAPS_LOCKED))
32 setting is locked or not. A setting which is locked cannot be
33 changed from user-level. */
34#define issecure_mask(X) (1 << (X))
35#define issecure(X) (issecure_mask(X) & current_cred_xxx(securebits))
36 48
37#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \ 49#define SECURE_ALL_BITS (issecure_mask(SECURE_NOROOT) | \
38 issecure_mask(SECURE_NO_SETUID_FIXUP) | \ 50 issecure_mask(SECURE_NO_SETUID_FIXUP) | \
diff --git a/include/linux/security.h b/include/linux/security.h
index 239e40d0450b..466cbadbd1ef 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,22 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
447 * @new_dir contains the path structure for parent of the new link. 447 * @new_dir contains the path structure for parent of the new link.
448 * @new_dentry contains the dentry structure of the new link. 448 * @new_dentry contains the dentry structure of the new link.
449 * Return 0 if permission is granted. 449 * Return 0 if permission is granted.
450 * @path_chmod:
451 * Check for permission to change DAC's permission of a file or directory.
452 * @dentry contains the dentry structure.
453 * @mnt contains the vfsmnt structure.
454 * @mode contains DAC's mode.
455 * Return 0 if permission is granted.
456 * @path_chown:
457 * Check for permission to change owner/group of a file or directory.
458 * @path contains the path structure.
459 * @uid contains new owner's ID.
460 * @gid contains new group's ID.
461 * Return 0 if permission is granted.
462 * @path_chroot:
463 * Check for permission to change root directory.
464 * @path contains the path structure.
465 * Return 0 if permission is granted.
450 * @inode_readlink: 466 * @inode_readlink:
451 * Check the permission to read the symbolic link. 467 * Check the permission to read the symbolic link.
452 * @dentry contains the dentry structure for the file link. 468 * @dentry contains the dentry structure for the file link.
@@ -690,6 +706,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
690 * @kernel_module_request: 706 * @kernel_module_request:
691 * Ability to trigger the kernel to automatically upcall to userspace for 707 * Ability to trigger the kernel to automatically upcall to userspace for
692 * userspace to load a kernel module with the given name. 708 * userspace to load a kernel module with the given name.
709 * @kmod_name name of the module requested by the kernel
693 * Return 0 if successful. 710 * Return 0 if successful.
694 * @task_setuid: 711 * @task_setuid:
695 * Check permission before setting one or more of the user identity 712 * Check permission before setting one or more of the user identity
@@ -1488,6 +1505,10 @@ struct security_operations {
1488 struct dentry *new_dentry); 1505 struct dentry *new_dentry);
1489 int (*path_rename) (struct path *old_dir, struct dentry *old_dentry, 1506 int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
1490 struct path *new_dir, struct dentry *new_dentry); 1507 struct path *new_dir, struct dentry *new_dentry);
1508 int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt,
1509 mode_t mode);
1510 int (*path_chown) (struct path *path, uid_t uid, gid_t gid);
1511 int (*path_chroot) (struct path *path);
1491#endif 1512#endif
1492 1513
1493 int (*inode_alloc_security) (struct inode *inode); 1514 int (*inode_alloc_security) (struct inode *inode);
@@ -1557,7 +1578,7 @@ struct security_operations {
1557 void (*cred_transfer)(struct cred *new, const struct cred *old); 1578 void (*cred_transfer)(struct cred *new, const struct cred *old);
1558 int (*kernel_act_as)(struct cred *new, u32 secid); 1579 int (*kernel_act_as)(struct cred *new, u32 secid);
1559 int (*kernel_create_files_as)(struct cred *new, struct inode *inode); 1580 int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
1560 int (*kernel_module_request)(void); 1581 int (*kernel_module_request)(char *kmod_name);
1561 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1582 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
1562 int (*task_fix_setuid) (struct cred *new, const struct cred *old, 1583 int (*task_fix_setuid) (struct cred *new, const struct cred *old,
1563 int flags); 1584 int flags);
@@ -1822,7 +1843,7 @@ void security_commit_creds(struct cred *new, const struct cred *old);
1822void security_transfer_creds(struct cred *new, const struct cred *old); 1843void security_transfer_creds(struct cred *new, const struct cred *old);
1823int security_kernel_act_as(struct cred *new, u32 secid); 1844int security_kernel_act_as(struct cred *new, u32 secid);
1824int security_kernel_create_files_as(struct cred *new, struct inode *inode); 1845int security_kernel_create_files_as(struct cred *new, struct inode *inode);
1825int security_kernel_module_request(void); 1846int security_kernel_module_request(char *kmod_name);
1826int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); 1847int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
1827int security_task_fix_setuid(struct cred *new, const struct cred *old, 1848int security_task_fix_setuid(struct cred *new, const struct cred *old,
1828 int flags); 1849 int flags);
@@ -2387,7 +2408,7 @@ static inline int security_kernel_create_files_as(struct cred *cred,
2387 return 0; 2408 return 0;
2388} 2409}
2389 2410
2390static inline int security_kernel_module_request(void) 2411static inline int security_kernel_module_request(char *kmod_name)
2391{ 2412{
2392 return 0; 2413 return 0;
2393} 2414}
@@ -2952,6 +2973,10 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir,
2952 struct dentry *new_dentry); 2973 struct dentry *new_dentry);
2953int security_path_rename(struct path *old_dir, struct dentry *old_dentry, 2974int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
2954 struct path *new_dir, struct dentry *new_dentry); 2975 struct path *new_dir, struct dentry *new_dentry);
2976int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
2977 mode_t mode);
2978int security_path_chown(struct path *path, uid_t uid, gid_t gid);
2979int security_path_chroot(struct path *path);
2955#else /* CONFIG_SECURITY_PATH */ 2980#else /* CONFIG_SECURITY_PATH */
2956static inline int security_path_unlink(struct path *dir, struct dentry *dentry) 2981static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
2957{ 2982{
@@ -3001,6 +3026,23 @@ static inline int security_path_rename(struct path *old_dir,
3001{ 3026{
3002 return 0; 3027 return 0;
3003} 3028}
3029
3030static inline int security_path_chmod(struct dentry *dentry,
3031 struct vfsmount *mnt,
3032 mode_t mode)
3033{
3034 return 0;
3035}
3036
3037static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid)
3038{
3039 return 0;
3040}
3041
3042static inline int security_path_chroot(struct path *path)
3043{
3044 return 0;
3045}
3004#endif /* CONFIG_SECURITY_PATH */ 3046#endif /* CONFIG_SECURITY_PATH */
3005 3047
3006#ifdef CONFIG_KEYS 3048#ifdef CONFIG_KEYS
diff --git a/include/linux/tpm.h b/include/linux/tpm.h
index 3338b3f5c21a..ac5d1c1285d9 100644
--- a/include/linux/tpm.h
+++ b/include/linux/tpm.h
@@ -27,9 +27,16 @@
27 */ 27 */
28#define TPM_ANY_NUM 0xFFFF 28#define TPM_ANY_NUM 0xFFFF
29 29
30#if defined(CONFIG_TCG_TPM) 30#if defined(CONFIG_TCG_TPM) || defined(CONFIG_TCG_TPM_MODULE)
31 31
32extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf); 32extern int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf);
33extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash); 33extern int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash);
34#else
35static inline int tpm_pcr_read(u32 chip_num, int pcr_idx, u8 *res_buf) {
36 return -ENODEV;
37}
38static inline int tpm_pcr_extend(u32 chip_num, int pcr_idx, const u8 *hash) {
39 return -ENODEV;
40}
34#endif 41#endif
35#endif 42#endif
diff --git a/kernel/capability.c b/kernel/capability.c
index 4e17041963f5..7f876e60521f 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -29,7 +29,6 @@ EXPORT_SYMBOL(__cap_empty_set);
29EXPORT_SYMBOL(__cap_full_set); 29EXPORT_SYMBOL(__cap_full_set);
30EXPORT_SYMBOL(__cap_init_eff_set); 30EXPORT_SYMBOL(__cap_init_eff_set);
31 31
32#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
33int file_caps_enabled = 1; 32int file_caps_enabled = 1;
34 33
35static int __init file_caps_disable(char *str) 34static int __init file_caps_disable(char *str)
@@ -38,7 +37,6 @@ static int __init file_caps_disable(char *str)
38 return 1; 37 return 1;
39} 38}
40__setup("no_file_caps", file_caps_disable); 39__setup("no_file_caps", file_caps_disable);
41#endif
42 40
43/* 41/*
44 * More recent versions of libcap are available from: 42 * More recent versions of libcap are available from:
@@ -169,8 +167,8 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
169 kernel_cap_t pE, pI, pP; 167 kernel_cap_t pE, pI, pP;
170 168
171 ret = cap_validate_magic(header, &tocopy); 169 ret = cap_validate_magic(header, &tocopy);
172 if (ret != 0) 170 if ((dataptr == NULL) || (ret != 0))
173 return ret; 171 return ((dataptr == NULL) && (ret == -EINVAL)) ? 0 : ret;
174 172
175 if (get_user(pid, &header->pid)) 173 if (get_user(pid, &header->pid))
176 return -EFAULT; 174 return -EFAULT;
@@ -238,7 +236,7 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
238SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data) 236SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
239{ 237{
240 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S]; 238 struct __user_cap_data_struct kdata[_KERNEL_CAPABILITY_U32S];
241 unsigned i, tocopy; 239 unsigned i, tocopy, copybytes;
242 kernel_cap_t inheritable, permitted, effective; 240 kernel_cap_t inheritable, permitted, effective;
243 struct cred *new; 241 struct cred *new;
244 int ret; 242 int ret;
@@ -255,8 +253,11 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
255 if (pid != 0 && pid != task_pid_vnr(current)) 253 if (pid != 0 && pid != task_pid_vnr(current))
256 return -EPERM; 254 return -EPERM;
257 255
258 if (copy_from_user(&kdata, data, 256 copybytes = tocopy * sizeof(struct __user_cap_data_struct);
259 tocopy * sizeof(struct __user_cap_data_struct))) 257 if (copybytes > sizeof(kdata))
258 return -EFAULT;
259
260 if (copy_from_user(&kdata, data, copybytes))
260 return -EFAULT; 261 return -EFAULT;
261 262
262 for (i = 0; i < tocopy; i++) { 263 for (i = 0; i < tocopy; i++) {
diff --git a/kernel/kmod.c b/kernel/kmod.c
index 9fcb53a11f87..25b103190364 100644
--- a/kernel/kmod.c
+++ b/kernel/kmod.c
@@ -80,16 +80,16 @@ int __request_module(bool wait, const char *fmt, ...)
80#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */ 80#define MAX_KMOD_CONCURRENT 50 /* Completely arbitrary value - KAO */
81 static int kmod_loop_msg; 81 static int kmod_loop_msg;
82 82
83 ret = security_kernel_module_request();
84 if (ret)
85 return ret;
86
87 va_start(args, fmt); 83 va_start(args, fmt);
88 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); 84 ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
89 va_end(args); 85 va_end(args);
90 if (ret >= MODULE_NAME_LEN) 86 if (ret >= MODULE_NAME_LEN)
91 return -ENAMETOOLONG; 87 return -ENAMETOOLONG;
92 88
89 ret = security_kernel_module_request(module_name);
90 if (ret)
91 return ret;
92
93 /* If modprobe needs a service that is in a module, we get a recursive 93 /* If modprobe needs a service that is in a module, we get a recursive
94 * loop. Limit the number of running kmod threads to max_threads/2 or 94 * loop. Limit the number of running kmod threads to max_threads/2 or
95 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method 95 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
diff --git a/mm/mmap.c b/mm/mmap.c
index 73f5e4b64010..292ddc3cef9c 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -20,7 +20,6 @@
20#include <linux/fs.h> 20#include <linux/fs.h>
21#include <linux/personality.h> 21#include <linux/personality.h>
22#include <linux/security.h> 22#include <linux/security.h>
23#include <linux/ima.h>
24#include <linux/hugetlb.h> 23#include <linux/hugetlb.h>
25#include <linux/profile.h> 24#include <linux/profile.h>
26#include <linux/module.h> 25#include <linux/module.h>
@@ -1061,9 +1060,6 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
1061 error = security_file_mmap(file, reqprot, prot, flags, addr, 0); 1060 error = security_file_mmap(file, reqprot, prot, flags, addr, 0);
1062 if (error) 1061 if (error)
1063 return error; 1062 return error;
1064 error = ima_file_mmap(file, prot);
1065 if (error)
1066 return error;
1067 1063
1068 return mmap_region(file, addr, len, flags, vm_flags, pgoff); 1064 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
1069} 1065}
diff --git a/scripts/selinux/Makefile b/scripts/selinux/Makefile
index ca4b1ec01822..e8049da1831f 100644
--- a/scripts/selinux/Makefile
+++ b/scripts/selinux/Makefile
@@ -1,2 +1,2 @@
1subdir-y := mdp 1subdir-y := mdp genheaders
2subdir- += mdp 2subdir- += mdp genheaders
diff --git a/scripts/selinux/genheaders/.gitignore b/scripts/selinux/genheaders/.gitignore
new file mode 100644
index 000000000000..4c0b646ff8d5
--- /dev/null
+++ b/scripts/selinux/genheaders/.gitignore
@@ -0,0 +1 @@
genheaders
diff --git a/scripts/selinux/genheaders/Makefile b/scripts/selinux/genheaders/Makefile
new file mode 100644
index 000000000000..417b165008ee
--- /dev/null
+++ b/scripts/selinux/genheaders/Makefile
@@ -0,0 +1,5 @@
1hostprogs-y := genheaders
2HOST_EXTRACFLAGS += -Isecurity/selinux/include
3
4always := $(hostprogs-y)
5clean-files := $(hostprogs-y)
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
new file mode 100644
index 000000000000..24626968055d
--- /dev/null
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -0,0 +1,118 @@
1#include <stdio.h>
2#include <stdlib.h>
3#include <unistd.h>
4#include <string.h>
5#include <errno.h>
6#include <ctype.h>
7
8struct security_class_mapping {
9 const char *name;
10 const char *perms[sizeof(unsigned) * 8 + 1];
11};
12
13#include "classmap.h"
14#include "initial_sid_to_string.h"
15
16#define max(x, y) (((int)(x) > (int)(y)) ? x : y)
17
18const char *progname;
19
20static void usage(void)
21{
22 printf("usage: %s flask.h av_permissions.h\n", progname);
23 exit(1);
24}
25
26static char *stoupperx(const char *s)
27{
28 char *s2 = strdup(s);
29 char *p;
30
31 if (!s2) {
32 fprintf(stderr, "%s: out of memory\n", progname);
33 exit(3);
34 }
35
36 for (p = s2; *p; p++)
37 *p = toupper(*p);
38 return s2;
39}
40
41int main(int argc, char *argv[])
42{
43 int i, j, k;
44 int isids_len;
45 FILE *fout;
46
47 progname = argv[0];
48
49 if (argc < 3)
50 usage();
51
52 fout = fopen(argv[1], "w");
53 if (!fout) {
54 fprintf(stderr, "Could not open %s for writing: %s\n",
55 argv[1], strerror(errno));
56 exit(2);
57 }
58
59 for (i = 0; secclass_map[i].name; i++) {
60 struct security_class_mapping *map = &secclass_map[i];
61 map->name = stoupperx(map->name);
62 for (j = 0; map->perms[j]; j++)
63 map->perms[j] = stoupperx(map->perms[j]);
64 }
65
66 isids_len = sizeof(initial_sid_to_string) / sizeof (char *);
67 for (i = 1; i < isids_len; i++)
68 initial_sid_to_string[i] = stoupperx(initial_sid_to_string[i]);
69
70 fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
71 fprintf(fout, "#ifndef _SELINUX_FLASK_H_\n#define _SELINUX_FLASK_H_\n\n");
72
73 for (i = 0; secclass_map[i].name; i++) {
74 struct security_class_mapping *map = &secclass_map[i];
75 fprintf(fout, "#define SECCLASS_%s", map->name);
76 for (j = 0; j < max(1, 40 - strlen(map->name)); j++)
77 fprintf(fout, " ");
78 fprintf(fout, "%2d\n", i+1);
79 }
80
81 fprintf(fout, "\n");
82
83 for (i = 1; i < isids_len; i++) {
84 char *s = initial_sid_to_string[i];
85 fprintf(fout, "#define SECINITSID_%s", s);
86 for (j = 0; j < max(1, 40 - strlen(s)); j++)
87 fprintf(fout, " ");
88 fprintf(fout, "%2d\n", i);
89 }
90 fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
91 fprintf(fout, "\n#endif\n");
92 fclose(fout);
93
94 fout = fopen(argv[2], "w");
95 if (!fout) {
96 fprintf(stderr, "Could not open %s for writing: %s\n",
97 argv[2], strerror(errno));
98 exit(4);
99 }
100
101 fprintf(fout, "/* This file is automatically generated. Do not edit. */\n");
102 fprintf(fout, "#ifndef _SELINUX_AV_PERMISSIONS_H_\n#define _SELINUX_AV_PERMISSIONS_H_\n\n");
103
104 for (i = 0; secclass_map[i].name; i++) {
105 struct security_class_mapping *map = &secclass_map[i];
106 for (j = 0; map->perms[j]; j++) {
107 fprintf(fout, "#define %s__%s", map->name,
108 map->perms[j]);
109 for (k = 0; k < max(1, 40 - strlen(map->name) - strlen(map->perms[j])); k++)
110 fprintf(fout, " ");
111 fprintf(fout, "0x%08xUL\n", (1<<j));
112 }
113 }
114
115 fprintf(fout, "\n#endif\n");
116 fclose(fout);
117 exit(0);
118}
diff --git a/scripts/selinux/mdp/mdp.c b/scripts/selinux/mdp/mdp.c
index b4ced8562587..62b34ce1f50d 100644
--- a/scripts/selinux/mdp/mdp.c
+++ b/scripts/selinux/mdp/mdp.c
@@ -29,86 +29,27 @@
29#include <unistd.h> 29#include <unistd.h>
30#include <string.h> 30#include <string.h>
31 31
32#include "flask.h"
33
34static void usage(char *name) 32static void usage(char *name)
35{ 33{
36 printf("usage: %s [-m] policy_file context_file\n", name); 34 printf("usage: %s [-m] policy_file context_file\n", name);
37 exit(1); 35 exit(1);
38} 36}
39 37
40static void find_common_name(char *cname, char *dest, int len) 38/* Class/perm mapping support */
41{ 39struct security_class_mapping {
42 char *start, *end; 40 const char *name;
43 41 const char *perms[sizeof(unsigned) * 8 + 1];
44 start = strchr(cname, '_')+1;
45 end = strchr(start, '_');
46 if (!start || !end || start-cname > len || end-start > len) {
47 printf("Error with commons defines\n");
48 exit(1);
49 }
50 strncpy(dest, start, end-start);
51 dest[end-start] = '\0';
52}
53
54#define S_(x) x,
55static char *classlist[] = {
56#include "class_to_string.h"
57 NULL
58}; 42};
59#undef S_
60 43
44#include "classmap.h"
61#include "initial_sid_to_string.h" 45#include "initial_sid_to_string.h"
62 46
63#define TB_(x) char *x[] = {
64#define TE_(x) NULL };
65#define S_(x) x,
66#include "common_perm_to_string.h"
67#undef TB_
68#undef TE_
69#undef S_
70
71struct common {
72 char *cname;
73 char **perms;
74};
75struct common common[] = {
76#define TB_(x) { #x, x },
77#define S_(x)
78#define TE_(x)
79#include "common_perm_to_string.h"
80#undef TB_
81#undef TE_
82#undef S_
83};
84
85#define S_(x, y, z) {x, #y},
86struct av_inherit {
87 int class;
88 char *common;
89};
90struct av_inherit av_inherit[] = {
91#include "av_inherit.h"
92};
93#undef S_
94
95#include "av_permissions.h"
96#define S_(x, y, z) {x, y, z},
97struct av_perms {
98 int class;
99 int perm_i;
100 char *perm_s;
101};
102struct av_perms av_perms[] = {
103#include "av_perm_to_string.h"
104};
105#undef S_
106
107int main(int argc, char *argv[]) 47int main(int argc, char *argv[])
108{ 48{
109 int i, j, mls = 0; 49 int i, j, mls = 0;
50 int initial_sid_to_string_len;
110 char **arg, *polout, *ctxout; 51 char **arg, *polout, *ctxout;
111 int classlist_len, initial_sid_to_string_len; 52
112 FILE *fout; 53 FILE *fout;
113 54
114 if (argc < 3) 55 if (argc < 3)
@@ -127,64 +68,25 @@ int main(int argc, char *argv[])
127 usage(argv[0]); 68 usage(argv[0]);
128 } 69 }
129 70
130 classlist_len = sizeof(classlist) / sizeof(char *);
131 /* print out the classes */ 71 /* print out the classes */
132 for (i=1; i < classlist_len; i++) { 72 for (i = 0; secclass_map[i].name; i++)
133 if(classlist[i]) 73 fprintf(fout, "class %s\n", secclass_map[i].name);
134 fprintf(fout, "class %s\n", classlist[i]);
135 else
136 fprintf(fout, "class user%d\n", i);
137 }
138 fprintf(fout, "\n"); 74 fprintf(fout, "\n");
139 75
140 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *); 76 initial_sid_to_string_len = sizeof(initial_sid_to_string) / sizeof (char *);
141 /* print out the sids */ 77 /* print out the sids */
142 for (i=1; i < initial_sid_to_string_len; i++) 78 for (i = 1; i < initial_sid_to_string_len; i++)
143 fprintf(fout, "sid %s\n", initial_sid_to_string[i]); 79 fprintf(fout, "sid %s\n", initial_sid_to_string[i]);
144 fprintf(fout, "\n"); 80 fprintf(fout, "\n");
145 81
146 /* print out the commons */
147 for (i=0; i< sizeof(common)/sizeof(struct common); i++) {
148 char cname[101];
149 find_common_name(common[i].cname, cname, 100);
150 cname[100] = '\0';
151 fprintf(fout, "common %s\n{\n", cname);
152 for (j=0; common[i].perms[j]; j++)
153 fprintf(fout, "\t%s\n", common[i].perms[j]);
154 fprintf(fout, "}\n\n");
155 }
156 fprintf(fout, "\n");
157
158 /* print out the class permissions */ 82 /* print out the class permissions */
159 for (i=1; i < classlist_len; i++) { 83 for (i = 0; secclass_map[i].name; i++) {
160 if (classlist[i]) { 84 struct security_class_mapping *map = &secclass_map[i];
161 int firstperm = -1, numperms = 0; 85 fprintf(fout, "class %s\n", map->name);
162 86 fprintf(fout, "{\n");
163 fprintf(fout, "class %s\n", classlist[i]); 87 for (j = 0; map->perms[j]; j++)
164 /* does it inherit from a common? */ 88 fprintf(fout, "\t%s\n", map->perms[j]);
165 for (j=0; j < sizeof(av_inherit)/sizeof(struct av_inherit); j++) 89 fprintf(fout, "}\n\n");
166 if (av_inherit[j].class == i)
167 fprintf(fout, "inherits %s\n", av_inherit[j].common);
168
169 for (j=0; j < sizeof(av_perms)/sizeof(struct av_perms); j++) {
170 if (av_perms[j].class == i) {
171 if (firstperm == -1)
172 firstperm = j;
173 numperms++;
174 }
175 }
176 if (!numperms) {
177 fprintf(fout, "\n");
178 continue;
179 }
180
181 fprintf(fout, "{\n");
182 /* print out the av_perms */
183 for (j=0; j < numperms; j++) {
184 fprintf(fout, "\t%s\n", av_perms[firstperm+j].perm_s);
185 }
186 fprintf(fout, "}\n\n");
187 }
188 } 90 }
189 fprintf(fout, "\n"); 91 fprintf(fout, "\n");
190 92
@@ -197,31 +99,34 @@ int main(int argc, char *argv[])
197 /* types, roles, and allows */ 99 /* types, roles, and allows */
198 fprintf(fout, "type base_t;\n"); 100 fprintf(fout, "type base_t;\n");
199 fprintf(fout, "role base_r types { base_t };\n"); 101 fprintf(fout, "role base_r types { base_t };\n");
200 for (i=1; i < classlist_len; i++) { 102 for (i = 0; secclass_map[i].name; i++)
201 if (classlist[i]) 103 fprintf(fout, "allow base_t base_t:%s *;\n",
202 fprintf(fout, "allow base_t base_t:%s *;\n", classlist[i]); 104 secclass_map[i].name);
203 else
204 fprintf(fout, "allow base_t base_t:user%d *;\n", i);
205 }
206 fprintf(fout, "user user_u roles { base_r };\n"); 105 fprintf(fout, "user user_u roles { base_r };\n");
207 fprintf(fout, "\n"); 106 fprintf(fout, "\n");
208 107
209 /* default sids */ 108 /* default sids */
210 for (i=1; i < initial_sid_to_string_len; i++) 109 for (i = 1; i < initial_sid_to_string_len; i++)
211 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]); 110 fprintf(fout, "sid %s user_u:base_r:base_t\n", initial_sid_to_string[i]);
212 fprintf(fout, "\n"); 111 fprintf(fout, "\n");
213 112
214
215 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n"); 113 fprintf(fout, "fs_use_xattr ext2 user_u:base_r:base_t;\n");
216 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n"); 114 fprintf(fout, "fs_use_xattr ext3 user_u:base_r:base_t;\n");
115 fprintf(fout, "fs_use_xattr ext4 user_u:base_r:base_t;\n");
217 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n"); 116 fprintf(fout, "fs_use_xattr jfs user_u:base_r:base_t;\n");
218 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n"); 117 fprintf(fout, "fs_use_xattr xfs user_u:base_r:base_t;\n");
219 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n"); 118 fprintf(fout, "fs_use_xattr reiserfs user_u:base_r:base_t;\n");
119 fprintf(fout, "fs_use_xattr jffs2 user_u:base_r:base_t;\n");
120 fprintf(fout, "fs_use_xattr gfs2 user_u:base_r:base_t;\n");
121 fprintf(fout, "fs_use_xattr lustre user_u:base_r:base_t;\n");
220 122
123 fprintf(fout, "fs_use_task eventpollfs user_u:base_r:base_t;\n");
221 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n"); 124 fprintf(fout, "fs_use_task pipefs user_u:base_r:base_t;\n");
222 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n"); 125 fprintf(fout, "fs_use_task sockfs user_u:base_r:base_t;\n");
223 126
127 fprintf(fout, "fs_use_trans mqueue user_u:base_r:base_t;\n");
224 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n"); 128 fprintf(fout, "fs_use_trans devpts user_u:base_r:base_t;\n");
129 fprintf(fout, "fs_use_trans hugetlbfs user_u:base_r:base_t;\n");
225 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n"); 130 fprintf(fout, "fs_use_trans tmpfs user_u:base_r:base_t;\n");
226 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n"); 131 fprintf(fout, "fs_use_trans shm user_u:base_r:base_t;\n");
227 132
diff --git a/security/Kconfig b/security/Kconfig
index fb363cd81cf6..226b9556b25f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,28 +91,6 @@ config SECURITY_PATH
91 implement pathname based access controls. 91 implement pathname based access controls.
92 If you are unsure how to answer this question, answer N. 92 If you are unsure how to answer this question, answer N.
93 93
94config SECURITY_FILE_CAPABILITIES
95 bool "File POSIX Capabilities"
96 default n
97 help
98 This enables filesystem capabilities, allowing you to give
99 binaries a subset of root's powers without using setuid 0.
100
101 If in doubt, answer N.
102
103config SECURITY_ROOTPLUG
104 bool "Root Plug Support"
105 depends on USB=y && SECURITY
106 help
107 This is a sample LSM module that should only be used as such.
108 It prevents any programs running with egid == 0 if a specific
109 USB device is not present in the system.
110
111 See <http://www.linuxjournal.com/article.php?sid=6279> for
112 more information about this module.
113
114 If you are unsure how to answer this question, answer N.
115
116config INTEL_TXT 94config INTEL_TXT
117 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 95 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
118 depends on HAVE_INTEL_TXT 96 depends on HAVE_INTEL_TXT
@@ -165,5 +143,37 @@ source security/tomoyo/Kconfig
165 143
166source security/integrity/ima/Kconfig 144source security/integrity/ima/Kconfig
167 145
146choice
147 prompt "Default security module"
148 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
149 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
150 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
151 default DEFAULT_SECURITY_DAC
152
153 help
154 Select the security module that will be used by default if the
155 kernel parameter security= is not specified.
156
157 config DEFAULT_SECURITY_SELINUX
158 bool "SELinux" if SECURITY_SELINUX=y
159
160 config DEFAULT_SECURITY_SMACK
161 bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
162
163 config DEFAULT_SECURITY_TOMOYO
164 bool "TOMOYO" if SECURITY_TOMOYO=y
165
166 config DEFAULT_SECURITY_DAC
167 bool "Unix Discretionary Access Controls"
168
169endchoice
170
171config DEFAULT_SECURITY
172 string
173 default "selinux" if DEFAULT_SECURITY_SELINUX
174 default "smack" if DEFAULT_SECURITY_SMACK
175 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
176 default "" if DEFAULT_SECURITY_DAC
177
168endmenu 178endmenu
169 179
diff --git a/security/Makefile b/security/Makefile
index 95ecc06392d7..bb44e350c618 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
18obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o 18obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
19obj-$(CONFIG_AUDIT) += lsm_audit.o 19obj-$(CONFIG_AUDIT) += lsm_audit.o
20obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o 20obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
21obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
22obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o 21obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
23 22
24# Object integrity file lists 23# Object integrity file lists
diff --git a/security/capability.c b/security/capability.c
index fce07a7bc825..5c700e1a4fd3 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -308,6 +308,22 @@ static int cap_path_truncate(struct path *path, loff_t length,
308{ 308{
309 return 0; 309 return 0;
310} 310}
311
312static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
313 mode_t mode)
314{
315 return 0;
316}
317
318static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
319{
320 return 0;
321}
322
323static int cap_path_chroot(struct path *root)
324{
325 return 0;
326}
311#endif 327#endif
312 328
313static int cap_file_permission(struct file *file, int mask) 329static int cap_file_permission(struct file *file, int mask)
@@ -405,7 +421,7 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
405 return 0; 421 return 0;
406} 422}
407 423
408static int cap_kernel_module_request(void) 424static int cap_kernel_module_request(char *kmod_name)
409{ 425{
410 return 0; 426 return 0;
411} 427}
@@ -977,6 +993,9 @@ void security_fixup_ops(struct security_operations *ops)
977 set_to_cap_if_null(ops, path_link); 993 set_to_cap_if_null(ops, path_link);
978 set_to_cap_if_null(ops, path_rename); 994 set_to_cap_if_null(ops, path_rename);
979 set_to_cap_if_null(ops, path_truncate); 995 set_to_cap_if_null(ops, path_truncate);
996 set_to_cap_if_null(ops, path_chmod);
997 set_to_cap_if_null(ops, path_chown);
998 set_to_cap_if_null(ops, path_chroot);
980#endif 999#endif
981 set_to_cap_if_null(ops, file_permission); 1000 set_to_cap_if_null(ops, file_permission);
982 set_to_cap_if_null(ops, file_alloc_security); 1001 set_to_cap_if_null(ops, file_alloc_security);
diff --git a/security/commoncap.c b/security/commoncap.c
index fe30751a6cd9..f800fdb3de94 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1,4 +1,4 @@
1/* Common capabilities, needed by capability.o and root_plug.o 1/* Common capabilities, needed by capability.o.
2 * 2 *
3 * This program is free software; you can redistribute it and/or modify 3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by 4 * it under the terms of the GNU General Public License as published by
@@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
173 */ 173 */
174static inline int cap_inh_is_capped(void) 174static inline int cap_inh_is_capped(void)
175{ 175{
176#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
177 176
178 /* they are so limited unless the current task has the CAP_SETPCAP 177 /* they are so limited unless the current task has the CAP_SETPCAP
179 * capability 178 * capability
@@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
181 if (cap_capable(current, current_cred(), CAP_SETPCAP, 180 if (cap_capable(current, current_cred(), CAP_SETPCAP,
182 SECURITY_CAP_AUDIT) == 0) 181 SECURITY_CAP_AUDIT) == 0)
183 return 0; 182 return 0;
184#endif
185 return 1; 183 return 1;
186} 184}
187 185
@@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
239 bprm->cap_effective = false; 237 bprm->cap_effective = false;
240} 238}
241 239
242#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
243
244/** 240/**
245 * cap_inode_need_killpriv - Determine if inode change affects privileges 241 * cap_inode_need_killpriv - Determine if inode change affects privileges
246 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV 242 * @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
@@ -421,49 +417,6 @@ out:
421 return rc; 417 return rc;
422} 418}
423 419
424#else
425int cap_inode_need_killpriv(struct dentry *dentry)
426{
427 return 0;
428}
429
430int cap_inode_killpriv(struct dentry *dentry)
431{
432 return 0;
433}
434
435int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
436{
437 memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
438 return -ENODATA;
439}
440
441static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
442{
443 bprm_clear_caps(bprm);
444 return 0;
445}
446#endif
447
448/*
449 * Determine whether a exec'ing process's new permitted capabilities should be
450 * limited to just what it already has.
451 *
452 * This prevents processes that are being ptraced from gaining access to
453 * CAP_SETPCAP, unless the process they're tracing already has it, and the
454 * binary they're executing has filecaps that elevate it.
455 *
456 * Returns 1 if they should be limited, 0 if they are not.
457 */
458static inline int cap_limit_ptraced_target(void)
459{
460#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
461 if (capable(CAP_SETPCAP))
462 return 0;
463#endif
464 return 1;
465}
466
467/** 420/**
468 * cap_bprm_set_creds - Set up the proposed credentials for execve(). 421 * cap_bprm_set_creds - Set up the proposed credentials for execve().
469 * @bprm: The execution parameters, including the proposed creds 422 * @bprm: The execution parameters, including the proposed creds
@@ -523,9 +476,8 @@ skip:
523 new->euid = new->uid; 476 new->euid = new->uid;
524 new->egid = new->gid; 477 new->egid = new->gid;
525 } 478 }
526 if (cap_limit_ptraced_target()) 479 new->cap_permitted = cap_intersect(new->cap_permitted,
527 new->cap_permitted = cap_intersect(new->cap_permitted, 480 old->cap_permitted);
528 old->cap_permitted);
529 } 481 }
530 482
531 new->suid = new->fsuid = new->euid; 483 new->suid = new->fsuid = new->euid;
@@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
739 return 0; 691 return 0;
740} 692}
741 693
742#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
743/* 694/*
744 * Rationale: code calling task_setscheduler, task_setioprio, and 695 * Rationale: code calling task_setscheduler, task_setioprio, and
745 * task_setnice, assumes that 696 * task_setnice, assumes that
@@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
820 return 0; 771 return 0;
821} 772}
822 773
823#else
824int cap_task_setscheduler (struct task_struct *p, int policy,
825 struct sched_param *lp)
826{
827 return 0;
828}
829int cap_task_setioprio (struct task_struct *p, int ioprio)
830{
831 return 0;
832}
833int cap_task_setnice (struct task_struct *p, int nice)
834{
835 return 0;
836}
837#endif
838
839/** 774/**
840 * cap_task_prctl - Implement process control functions for this security module 775 * cap_task_prctl - Implement process control functions for this security module
841 * @option: The process control function requested 776 * @option: The process control function requested
@@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
866 error = !!cap_raised(new->cap_bset, arg2); 801 error = !!cap_raised(new->cap_bset, arg2);
867 goto no_change; 802 goto no_change;
868 803
869#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
870 case PR_CAPBSET_DROP: 804 case PR_CAPBSET_DROP:
871 error = cap_prctl_drop(new, arg2); 805 error = cap_prctl_drop(new, arg2);
872 if (error < 0) 806 if (error < 0)
@@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
917 error = new->securebits; 851 error = new->securebits;
918 goto no_change; 852 goto no_change;
919 853
920#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
921
922 case PR_GET_KEEPCAPS: 854 case PR_GET_KEEPCAPS:
923 if (issecure(SECURE_KEEP_CAPS)) 855 if (issecure(SECURE_KEEP_CAPS))
924 error = 1; 856 error = 1;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 53d9764e8f09..3d7846de8069 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -3,6 +3,7 @@
3config IMA 3config IMA
4 bool "Integrity Measurement Architecture(IMA)" 4 bool "Integrity Measurement Architecture(IMA)"
5 depends on ACPI 5 depends on ACPI
6 depends on SECURITY
6 select SECURITYFS 7 select SECURITYFS
7 select CRYPTO 8 select CRYPTO
8 select CRYPTO_HMAC 9 select CRYPTO_HMAC
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 3bb90b6f1dd3..51bd0fd9c9f0 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -354,6 +354,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
354 } 354 }
355 break; 355 break;
356#endif 356#endif
357 case LSM_AUDIT_DATA_KMOD:
358 audit_log_format(ab, " kmod=");
359 audit_log_untrustedstring(ab, a->u.kmod_name);
360 break;
357 } /* switch (a->type) */ 361 } /* switch (a->type) */
358} 362}
359 363
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed7915d..fc43c9d37084 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
33{ 33{
34 int ret; 34 int ret;
35 35
36 if (!capable(CAP_SYS_RAWIO))
37 return -EPERM;
38
36 ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos); 39 ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
37 40
38 update_mmap_min_addr(); 41 update_mmap_min_addr();
diff --git a/security/root_plug.c b/security/root_plug.c
deleted file mode 100644
index 2f7ffa67c4d2..000000000000
--- a/security/root_plug.c
+++ /dev/null
@@ -1,90 +0,0 @@
1/*
2 * Root Plug sample LSM module
3 *
4 * Originally written for a Linux Journal.
5 *
6 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
7 *
8 * Prevents any programs running with egid == 0 if a specific USB device
9 * is not present in the system. Yes, it can be gotten around, but is a
10 * nice starting point for people to play with, and learn the LSM
11 * interface.
12 *
13 * If you want to turn this into something with a semblance of security,
14 * you need to hook the task_* functions also.
15 *
16 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
17 * about this code.
18 *
19 * This program is free software; you can redistribute it and/or
20 * modify it under the terms of the GNU General Public License as
21 * published by the Free Software Foundation, version 2 of the
22 * License.
23 */
24
25#include <linux/kernel.h>
26#include <linux/init.h>
27#include <linux/security.h>
28#include <linux/usb.h>
29#include <linux/moduleparam.h>
30
31/* default is a generic type of usb to serial converter */
32static int vendor_id = 0x0557;
33static int product_id = 0x2008;
34
35module_param(vendor_id, uint, 0400);
36module_param(product_id, uint, 0400);
37
38/* should we print out debug messages */
39static int debug = 0;
40
41module_param(debug, bool, 0600);
42
43#define MY_NAME "root_plug"
44
45#define root_dbg(fmt, arg...) \
46 do { \
47 if (debug) \
48 printk(KERN_DEBUG "%s: %s: " fmt , \
49 MY_NAME , __func__ , \
50 ## arg); \
51 } while (0)
52
53static int rootplug_bprm_check_security (struct linux_binprm *bprm)
54{
55 struct usb_device *dev;
56
57 root_dbg("file %s, e_uid = %d, e_gid = %d\n",
58 bprm->filename, bprm->cred->euid, bprm->cred->egid);
59
60 if (bprm->cred->egid == 0) {
61 dev = usb_find_device(vendor_id, product_id);
62 if (!dev) {
63 root_dbg("e_gid = 0, and device not found, "
64 "task not allowed to run...\n");
65 return -EPERM;
66 }
67 usb_put_dev(dev);
68 }
69
70 return 0;
71}
72
73static struct security_operations rootplug_security_ops = {
74 .bprm_check_security = rootplug_bprm_check_security,
75};
76
77static int __init rootplug_init (void)
78{
79 /* register ourselves with the security framework */
80 if (register_security (&rootplug_security_ops)) {
81 printk (KERN_INFO
82 "Failure registering Root Plug module with the kernel\n");
83 return -EINVAL;
84 }
85 printk (KERN_INFO "Root Plug module initialized, "
86 "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
87 return 0;
88}
89
90security_initcall (rootplug_init);
diff --git a/security/security.c b/security/security.c
index c4c673240c1c..24e060be9fa5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -16,9 +16,11 @@
16#include <linux/init.h> 16#include <linux/init.h>
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/security.h> 18#include <linux/security.h>
19#include <linux/ima.h>
19 20
20/* Boot-time LSM user choice */ 21/* Boot-time LSM user choice */
21static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; 22static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
23 CONFIG_DEFAULT_SECURITY;
22 24
23/* things that live in capability.c */ 25/* things that live in capability.c */
24extern struct security_operations default_security_ops; 26extern struct security_operations default_security_ops;
@@ -79,8 +81,10 @@ __setup("security=", choose_lsm);
79 * 81 *
80 * Return true if: 82 * Return true if:
81 * -The passed LSM is the one chosen by user at boot time, 83 * -The passed LSM is the one chosen by user at boot time,
82 * -or user didn't specify a specific LSM and we're the first to ask 84 * -or the passed LSM is configured as the default and the user did not
83 * for registration permission, 85 * choose an alternate LSM at boot time,
86 * -or there is no default LSM set and the user didn't specify a
87 * specific LSM and we're the first to ask for registration permission,
84 * -or the passed LSM is currently loaded. 88 * -or the passed LSM is currently loaded.
85 * Otherwise, return false. 89 * Otherwise, return false.
86 */ 90 */
@@ -235,7 +239,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
235 239
236int security_bprm_check(struct linux_binprm *bprm) 240int security_bprm_check(struct linux_binprm *bprm)
237{ 241{
238 return security_ops->bprm_check_security(bprm); 242 int ret;
243
244 ret = security_ops->bprm_check_security(bprm);
245 if (ret)
246 return ret;
247 return ima_bprm_check(bprm);
239} 248}
240 249
241void security_bprm_committing_creds(struct linux_binprm *bprm) 250void security_bprm_committing_creds(struct linux_binprm *bprm)
@@ -352,12 +361,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
352 361
353int security_inode_alloc(struct inode *inode) 362int security_inode_alloc(struct inode *inode)
354{ 363{
364 int ret;
365
355 inode->i_security = NULL; 366 inode->i_security = NULL;
356 return security_ops->inode_alloc_security(inode); 367 ret = security_ops->inode_alloc_security(inode);
368 if (ret)
369 return ret;
370 ret = ima_inode_alloc(inode);
371 if (ret)
372 security_inode_free(inode);
373 return ret;
357} 374}
358 375
359void security_inode_free(struct inode *inode) 376void security_inode_free(struct inode *inode)
360{ 377{
378 ima_inode_free(inode);
361 security_ops->inode_free_security(inode); 379 security_ops->inode_free_security(inode);
362} 380}
363 381
@@ -434,6 +452,26 @@ int security_path_truncate(struct path *path, loff_t length,
434 return 0; 452 return 0;
435 return security_ops->path_truncate(path, length, time_attrs); 453 return security_ops->path_truncate(path, length, time_attrs);
436} 454}
455
456int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
457 mode_t mode)
458{
459 if (unlikely(IS_PRIVATE(dentry->d_inode)))
460 return 0;
461 return security_ops->path_chmod(dentry, mnt, mode);
462}
463
464int security_path_chown(struct path *path, uid_t uid, gid_t gid)
465{
466 if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
467 return 0;
468 return security_ops->path_chown(path, uid, gid);
469}
470
471int security_path_chroot(struct path *path)
472{
473 return security_ops->path_chroot(path);
474}
437#endif 475#endif
438 476
439int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) 477int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
@@ -628,6 +666,8 @@ int security_file_alloc(struct file *file)
628void security_file_free(struct file *file) 666void security_file_free(struct file *file)
629{ 667{
630 security_ops->file_free_security(file); 668 security_ops->file_free_security(file);
669 if (file->f_dentry)
670 ima_file_free(file);
631} 671}
632 672
633int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 673int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@@ -639,7 +679,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
639 unsigned long prot, unsigned long flags, 679 unsigned long prot, unsigned long flags,
640 unsigned long addr, unsigned long addr_only) 680 unsigned long addr, unsigned long addr_only)
641{ 681{
642 return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); 682 int ret;
683
684 ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
685 if (ret)
686 return ret;
687 return ima_file_mmap(file, prot);
643} 688}
644 689
645int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 690int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
@@ -719,9 +764,9 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
719 return security_ops->kernel_create_files_as(new, inode); 764 return security_ops->kernel_create_files_as(new, inode);
720} 765}
721 766
722int security_kernel_module_request(void) 767int security_kernel_module_request(char *kmod_name)
723{ 768{
724 return security_ops->kernel_module_request(); 769 return security_ops->kernel_module_request(kmod_name);
725} 770}
726 771
727int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) 772int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 000000000000..2e5040a3d48b
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
1av_permissions.h
2flask.h
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index d47fc5e545e0..f013982df417 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
18 18
19selinux-$(CONFIG_NETLABEL) += netlabel.o 19selinux-$(CONFIG_NETLABEL) += netlabel.o
20 20
21EXTRA_CFLAGS += -Isecurity/selinux/include 21EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
22 22
23$(obj)/avc.o: $(obj)/flask.h
24
25quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
26 cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
27
28targets += flask.h
29$(obj)/flask.h: $(src)/include/classmap.h FORCE
30 $(call if_changed,flask)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b4b5da1c0a42..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
31#include <net/ipv6.h> 31#include <net/ipv6.h>
32#include "avc.h" 32#include "avc.h"
33#include "avc_ss.h" 33#include "avc_ss.h"
34 34#include "classmap.h"
35static const struct av_perm_to_string av_perm_to_string[] = {
36#define S_(c, v, s) { c, v, s },
37#include "av_perm_to_string.h"
38#undef S_
39};
40
41static const char *class_to_string[] = {
42#define S_(s) s,
43#include "class_to_string.h"
44#undef S_
45};
46
47#define TB_(s) static const char *s[] = {
48#define TE_(s) };
49#define S_(s) s,
50#include "common_perm_to_string.h"
51#undef TB_
52#undef TE_
53#undef S_
54
55static const struct av_inherit av_inherit[] = {
56#define S_(c, i, b) { .tclass = c,\
57 .common_pts = common_##i##_perm_to_string,\
58 .common_base = b },
59#include "av_inherit.h"
60#undef S_
61};
62
63const struct selinux_class_perm selinux_class_perm = {
64 .av_perm_to_string = av_perm_to_string,
65 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
66 .class_to_string = class_to_string,
67 .cts_len = ARRAY_SIZE(class_to_string),
68 .av_inherit = av_inherit,
69 .av_inherit_len = ARRAY_SIZE(av_inherit)
70};
71 35
72#define AVC_CACHE_SLOTS 512 36#define AVC_CACHE_SLOTS 512
73#define AVC_DEF_CACHE_THRESHOLD 512 37#define AVC_DEF_CACHE_THRESHOLD 512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
139 */ 103 */
140static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 104static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
141{ 105{
142 const char **common_pts = NULL; 106 const char **perms;
143 u32 common_base = 0; 107 int i, perm;
144 int i, i2, perm;
145 108
146 if (av == 0) { 109 if (av == 0) {
147 audit_log_format(ab, " null"); 110 audit_log_format(ab, " null");
148 return; 111 return;
149 } 112 }
150 113
151 for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { 114 perms = secclass_map[tclass-1].perms;
152 if (av_inherit[i].tclass == tclass) {
153 common_pts = av_inherit[i].common_pts;
154 common_base = av_inherit[i].common_base;
155 break;
156 }
157 }
158 115
159 audit_log_format(ab, " {"); 116 audit_log_format(ab, " {");
160 i = 0; 117 i = 0;
161 perm = 1; 118 perm = 1;
162 while (perm < common_base) { 119 while (i < (sizeof(av) * 8)) {
163 if (perm & av) { 120 if ((perm & av) && perms[i]) {
164 audit_log_format(ab, " %s", common_pts[i]); 121 audit_log_format(ab, " %s", perms[i]);
165 av &= ~perm; 122 av &= ~perm;
166 } 123 }
167 i++; 124 i++;
168 perm <<= 1; 125 perm <<= 1;
169 } 126 }
170 127
171 while (i < sizeof(av) * 8) {
172 if (perm & av) {
173 for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
174 if ((av_perm_to_string[i2].tclass == tclass) &&
175 (av_perm_to_string[i2].value == perm))
176 break;
177 }
178 if (i2 < ARRAY_SIZE(av_perm_to_string)) {
179 audit_log_format(ab, " %s",
180 av_perm_to_string[i2].name);
181 av &= ~perm;
182 }
183 }
184 i++;
185 perm <<= 1;
186 }
187
188 if (av) 128 if (av)
189 audit_log_format(ab, " 0x%x", av); 129 audit_log_format(ab, " 0x%x", av);
190 130
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
219 kfree(scontext); 159 kfree(scontext);
220 } 160 }
221 161
222 BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 162 BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
223 audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 163 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
224} 164}
225 165
226/** 166/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..c96d63ec4753 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,7 +91,6 @@
91 91
92#define NUM_SEL_MNT_OPTS 5 92#define NUM_SEL_MNT_OPTS 5
93 93
94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96extern struct security_operations *security_ops; 95extern struct security_operations *security_ops;
97 96
@@ -3338,9 +3337,18 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3338 return 0; 3337 return 0;
3339} 3338}
3340 3339
3341static int selinux_kernel_module_request(void) 3340static int selinux_kernel_module_request(char *kmod_name)
3342{ 3341{
3343 return task_has_system(current, SYSTEM__MODULE_REQUEST); 3342 u32 sid;
3343 struct common_audit_data ad;
3344
3345 sid = task_sid(current);
3346
3347 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3348 ad.u.kmod_name = kmod_name;
3349
3350 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3351 SYSTEM__MODULE_REQUEST, &ad);
3344} 3352}
3345 3353
3346static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3354static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
@@ -4714,10 +4722,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4714 if (err) 4722 if (err)
4715 return err; 4723 return err;
4716 4724
4717 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4725 return selinux_nlmsg_perm(sk, skb);
4718 err = selinux_nlmsg_perm(sk, skb);
4719
4720 return err;
4721} 4726}
4722 4727
4723static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4728static int selinux_netlink_recv(struct sk_buff *skb, int capability)
@@ -5830,12 +5835,12 @@ int selinux_disable(void)
5830 selinux_disabled = 1; 5835 selinux_disabled = 1;
5831 selinux_enabled = 0; 5836 selinux_enabled = 0;
5832 5837
5833 /* Try to destroy the avc node cache */
5834 avc_disable();
5835
5836 /* Reset security_ops to the secondary module, dummy or capability. */ 5838 /* Reset security_ops to the secondary module, dummy or capability. */
5837 security_ops = secondary_ops; 5839 security_ops = secondary_ops;
5838 5840
5841 /* Try to destroy the avc node cache */
5842 avc_disable();
5843
5839 /* Unregister netfilter hooks. */ 5844 /* Unregister netfilter hooks. */
5840 selinux_nf_ip_exit(); 5845 selinux_nf_ip_exit();
5841 5846
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704dae..000000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_DIR, file, 0x00020000UL)
3 S_(SECCLASS_FILE, file, 0x00020000UL)
4 S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
5 S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
6 S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
7 S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
8 S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
9 S_(SECCLASS_SOCKET, socket, 0x00400000UL)
10 S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
11 S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
12 S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
13 S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
14 S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
15 S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
16 S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
17 S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
18 S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
19 S_(SECCLASS_IPC, ipc, 0x00000200UL)
20 S_(SECCLASS_SEM, ipc, 0x00000200UL)
21 S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
22 S_(SECCLASS_SHM, ipc, 0x00000200UL)
23 S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
24 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
25 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
26 S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
27 S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
28 S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
29 S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
30 S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
31 S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
32 S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
33 S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
34 S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d21..000000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
3 S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
4 S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
5 S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
6 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
7 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
8 S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
9 S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
10 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
11 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
12 S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
13 S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
14 S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
15 S_(SECCLASS_DIR, DIR__SEARCH, "search")
16 S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
17 S_(SECCLASS_DIR, DIR__OPEN, "open")
18 S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
19 S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
20 S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
21 S_(SECCLASS_FILE, FILE__OPEN, "open")
22 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
23 S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
24 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
25 S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
26 S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
27 S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
28 S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
29 S_(SECCLASS_FD, FD__USE, "use")
30 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
31 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
32 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
33 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
34 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
35 S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
36 S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
37 S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
38 S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
39 S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
40 S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
41 S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
42 S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
43 S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
44 S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
45 S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
46 S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
47 S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
48 S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
49 S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
50 S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
51 S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
52 S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
53 S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
54 S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
55 S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
56 S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
57 S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
58 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
59 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
60 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
61 S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
62 S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
63 S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
64 S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
65 S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
66 S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
67 S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
68 S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
69 S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
70 S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
71 S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
72 S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
73 S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
74 S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
75 S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
76 S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
77 S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
78 S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
79 S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
80 S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
81 S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
82 S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
83 S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
84 S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
85 S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
86 S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
87 S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
88 S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
89 S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
90 S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
91 S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
92 S_(SECCLASS_MSG, MSG__SEND, "send")
93 S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
94 S_(SECCLASS_SHM, SHM__LOCK, "lock")
95 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
96 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
97 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
98 S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
99 S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
100 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
101 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
102 S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
103 S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
104 S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
105 S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
106 S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
107 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
108 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
109 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
110 S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
111 S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
112 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
113 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
114 S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
115 S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
116 S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
117 S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
118 S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
119 S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
120 S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
121 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
122 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
123 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
124 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
125 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
126 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
127 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
128 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
129 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
130 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
131 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
132 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
133 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
134 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
135 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
136 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
137 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
138 S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
139 S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
140 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
141 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
142 S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
143 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
144 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
145 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
146 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
147 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
148 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
149 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
150 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
151 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
152 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
153 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
154 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
155 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
156 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
157 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
158 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
159 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
160 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
161 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
162 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
163 S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
164 S_(SECCLASS_PACKET, PACKET__SEND, "send")
165 S_(SECCLASS_PACKET, PACKET__RECV, "recv")
166 S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
167 S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
168 S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
169 S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
170 S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
171 S_(SECCLASS_KEY, KEY__VIEW, "view")
172 S_(SECCLASS_KEY, KEY__READ, "read")
173 S_(SECCLASS_KEY, KEY__WRITE, "write")
174 S_(SECCLASS_KEY, KEY__SEARCH, "search")
175 S_(SECCLASS_KEY, KEY__LINK, "link")
176 S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
177 S_(SECCLASS_KEY, KEY__CREATE, "create")
178 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
179 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
180 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
181 S_(SECCLASS_PEER, PEER__RECV, "recv")
182 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
183 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
deleted file mode 100644
index 0546d616ccac..000000000000
--- a/security/selinux/include/av_permissions.h
+++ /dev/null
@@ -1,870 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2#define COMMON_FILE__IOCTL 0x00000001UL
3#define COMMON_FILE__READ 0x00000002UL
4#define COMMON_FILE__WRITE 0x00000004UL
5#define COMMON_FILE__CREATE 0x00000008UL
6#define COMMON_FILE__GETATTR 0x00000010UL
7#define COMMON_FILE__SETATTR 0x00000020UL
8#define COMMON_FILE__LOCK 0x00000040UL
9#define COMMON_FILE__RELABELFROM 0x00000080UL
10#define COMMON_FILE__RELABELTO 0x00000100UL
11#define COMMON_FILE__APPEND 0x00000200UL
12#define COMMON_FILE__UNLINK 0x00000400UL
13#define COMMON_FILE__LINK 0x00000800UL
14#define COMMON_FILE__RENAME 0x00001000UL
15#define COMMON_FILE__EXECUTE 0x00002000UL
16#define COMMON_FILE__SWAPON 0x00004000UL
17#define COMMON_FILE__QUOTAON 0x00008000UL
18#define COMMON_FILE__MOUNTON 0x00010000UL
19#define COMMON_SOCKET__IOCTL 0x00000001UL
20#define COMMON_SOCKET__READ 0x00000002UL
21#define COMMON_SOCKET__WRITE 0x00000004UL
22#define COMMON_SOCKET__CREATE 0x00000008UL
23#define COMMON_SOCKET__GETATTR 0x00000010UL
24#define COMMON_SOCKET__SETATTR 0x00000020UL
25#define COMMON_SOCKET__LOCK 0x00000040UL
26#define COMMON_SOCKET__RELABELFROM 0x00000080UL
27#define COMMON_SOCKET__RELABELTO 0x00000100UL
28#define COMMON_SOCKET__APPEND 0x00000200UL
29#define COMMON_SOCKET__BIND 0x00000400UL
30#define COMMON_SOCKET__CONNECT 0x00000800UL
31#define COMMON_SOCKET__LISTEN 0x00001000UL
32#define COMMON_SOCKET__ACCEPT 0x00002000UL
33#define COMMON_SOCKET__GETOPT 0x00004000UL
34#define COMMON_SOCKET__SETOPT 0x00008000UL
35#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
36#define COMMON_SOCKET__RECVFROM 0x00020000UL
37#define COMMON_SOCKET__SENDTO 0x00040000UL
38#define COMMON_SOCKET__RECV_MSG 0x00080000UL
39#define COMMON_SOCKET__SEND_MSG 0x00100000UL
40#define COMMON_SOCKET__NAME_BIND 0x00200000UL
41#define COMMON_IPC__CREATE 0x00000001UL
42#define COMMON_IPC__DESTROY 0x00000002UL
43#define COMMON_IPC__GETATTR 0x00000004UL
44#define COMMON_IPC__SETATTR 0x00000008UL
45#define COMMON_IPC__READ 0x00000010UL
46#define COMMON_IPC__WRITE 0x00000020UL
47#define COMMON_IPC__ASSOCIATE 0x00000040UL
48#define COMMON_IPC__UNIX_READ 0x00000080UL
49#define COMMON_IPC__UNIX_WRITE 0x00000100UL
50#define FILESYSTEM__MOUNT 0x00000001UL
51#define FILESYSTEM__REMOUNT 0x00000002UL
52#define FILESYSTEM__UNMOUNT 0x00000004UL
53#define FILESYSTEM__GETATTR 0x00000008UL
54#define FILESYSTEM__RELABELFROM 0x00000010UL
55#define FILESYSTEM__RELABELTO 0x00000020UL
56#define FILESYSTEM__TRANSITION 0x00000040UL
57#define FILESYSTEM__ASSOCIATE 0x00000080UL
58#define FILESYSTEM__QUOTAMOD 0x00000100UL
59#define FILESYSTEM__QUOTAGET 0x00000200UL
60#define DIR__IOCTL 0x00000001UL
61#define DIR__READ 0x00000002UL
62#define DIR__WRITE 0x00000004UL
63#define DIR__CREATE 0x00000008UL
64#define DIR__GETATTR 0x00000010UL
65#define DIR__SETATTR 0x00000020UL
66#define DIR__LOCK 0x00000040UL
67#define DIR__RELABELFROM 0x00000080UL
68#define DIR__RELABELTO 0x00000100UL
69#define DIR__APPEND 0x00000200UL
70#define DIR__UNLINK 0x00000400UL
71#define DIR__LINK 0x00000800UL
72#define DIR__RENAME 0x00001000UL
73#define DIR__EXECUTE 0x00002000UL
74#define DIR__SWAPON 0x00004000UL
75#define DIR__QUOTAON 0x00008000UL
76#define DIR__MOUNTON 0x00010000UL
77#define DIR__ADD_NAME 0x00020000UL
78#define DIR__REMOVE_NAME 0x00040000UL
79#define DIR__REPARENT 0x00080000UL
80#define DIR__SEARCH 0x00100000UL
81#define DIR__RMDIR 0x00200000UL
82#define DIR__OPEN 0x00400000UL
83#define FILE__IOCTL 0x00000001UL
84#define FILE__READ 0x00000002UL
85#define FILE__WRITE 0x00000004UL
86#define FILE__CREATE 0x00000008UL
87#define FILE__GETATTR 0x00000010UL
88#define FILE__SETATTR 0x00000020UL
89#define FILE__LOCK 0x00000040UL
90#define FILE__RELABELFROM 0x00000080UL
91#define FILE__RELABELTO 0x00000100UL
92#define FILE__APPEND 0x00000200UL
93#define FILE__UNLINK 0x00000400UL
94#define FILE__LINK 0x00000800UL
95#define FILE__RENAME 0x00001000UL
96#define FILE__EXECUTE 0x00002000UL
97#define FILE__SWAPON 0x00004000UL
98#define FILE__QUOTAON 0x00008000UL
99#define FILE__MOUNTON 0x00010000UL
100#define FILE__EXECUTE_NO_TRANS 0x00020000UL
101#define FILE__ENTRYPOINT 0x00040000UL
102#define FILE__EXECMOD 0x00080000UL
103#define FILE__OPEN 0x00100000UL
104#define LNK_FILE__IOCTL 0x00000001UL
105#define LNK_FILE__READ 0x00000002UL
106#define LNK_FILE__WRITE 0x00000004UL
107#define LNK_FILE__CREATE 0x00000008UL
108#define LNK_FILE__GETATTR 0x00000010UL
109#define LNK_FILE__SETATTR 0x00000020UL
110#define LNK_FILE__LOCK 0x00000040UL
111#define LNK_FILE__RELABELFROM 0x00000080UL
112#define LNK_FILE__RELABELTO 0x00000100UL
113#define LNK_FILE__APPEND 0x00000200UL
114#define LNK_FILE__UNLINK 0x00000400UL
115#define LNK_FILE__LINK 0x00000800UL
116#define LNK_FILE__RENAME 0x00001000UL
117#define LNK_FILE__EXECUTE 0x00002000UL
118#define LNK_FILE__SWAPON 0x00004000UL
119#define LNK_FILE__QUOTAON 0x00008000UL
120#define LNK_FILE__MOUNTON 0x00010000UL
121#define CHR_FILE__IOCTL 0x00000001UL
122#define CHR_FILE__READ 0x00000002UL
123#define CHR_FILE__WRITE 0x00000004UL
124#define CHR_FILE__CREATE 0x00000008UL
125#define CHR_FILE__GETATTR 0x00000010UL
126#define CHR_FILE__SETATTR 0x00000020UL
127#define CHR_FILE__LOCK 0x00000040UL
128#define CHR_FILE__RELABELFROM 0x00000080UL
129#define CHR_FILE__RELABELTO 0x00000100UL
130#define CHR_FILE__APPEND 0x00000200UL
131#define CHR_FILE__UNLINK 0x00000400UL
132#define CHR_FILE__LINK 0x00000800UL
133#define CHR_FILE__RENAME 0x00001000UL
134#define CHR_FILE__EXECUTE 0x00002000UL
135#define CHR_FILE__SWAPON 0x00004000UL
136#define CHR_FILE__QUOTAON 0x00008000UL
137#define CHR_FILE__MOUNTON 0x00010000UL
138#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
139#define CHR_FILE__ENTRYPOINT 0x00040000UL
140#define CHR_FILE__EXECMOD 0x00080000UL
141#define CHR_FILE__OPEN 0x00100000UL
142#define BLK_FILE__IOCTL 0x00000001UL
143#define BLK_FILE__READ 0x00000002UL
144#define BLK_FILE__WRITE 0x00000004UL
145#define BLK_FILE__CREATE 0x00000008UL
146#define BLK_FILE__GETATTR 0x00000010UL
147#define BLK_FILE__SETATTR 0x00000020UL
148#define BLK_FILE__LOCK 0x00000040UL
149#define BLK_FILE__RELABELFROM 0x00000080UL
150#define BLK_FILE__RELABELTO 0x00000100UL
151#define BLK_FILE__APPEND 0x00000200UL
152#define BLK_FILE__UNLINK 0x00000400UL
153#define BLK_FILE__LINK 0x00000800UL
154#define BLK_FILE__RENAME 0x00001000UL
155#define BLK_FILE__EXECUTE 0x00002000UL
156#define BLK_FILE__SWAPON 0x00004000UL
157#define BLK_FILE__QUOTAON 0x00008000UL
158#define BLK_FILE__MOUNTON 0x00010000UL
159#define BLK_FILE__OPEN 0x00020000UL
160#define SOCK_FILE__IOCTL 0x00000001UL
161#define SOCK_FILE__READ 0x00000002UL
162#define SOCK_FILE__WRITE 0x00000004UL
163#define SOCK_FILE__CREATE 0x00000008UL
164#define SOCK_FILE__GETATTR 0x00000010UL
165#define SOCK_FILE__SETATTR 0x00000020UL
166#define SOCK_FILE__LOCK 0x00000040UL
167#define SOCK_FILE__RELABELFROM 0x00000080UL
168#define SOCK_FILE__RELABELTO 0x00000100UL
169#define SOCK_FILE__APPEND 0x00000200UL
170#define SOCK_FILE__UNLINK 0x00000400UL
171#define SOCK_FILE__LINK 0x00000800UL
172#define SOCK_FILE__RENAME 0x00001000UL
173#define SOCK_FILE__EXECUTE 0x00002000UL
174#define SOCK_FILE__SWAPON 0x00004000UL
175#define SOCK_FILE__QUOTAON 0x00008000UL
176#define SOCK_FILE__MOUNTON 0x00010000UL
177#define SOCK_FILE__OPEN 0x00020000UL
178#define FIFO_FILE__IOCTL 0x00000001UL
179#define FIFO_FILE__READ 0x00000002UL
180#define FIFO_FILE__WRITE 0x00000004UL
181#define FIFO_FILE__CREATE 0x00000008UL
182#define FIFO_FILE__GETATTR 0x00000010UL
183#define FIFO_FILE__SETATTR 0x00000020UL
184#define FIFO_FILE__LOCK 0x00000040UL
185#define FIFO_FILE__RELABELFROM 0x00000080UL
186#define FIFO_FILE__RELABELTO 0x00000100UL
187#define FIFO_FILE__APPEND 0x00000200UL
188#define FIFO_FILE__UNLINK 0x00000400UL
189#define FIFO_FILE__LINK 0x00000800UL
190#define FIFO_FILE__RENAME 0x00001000UL
191#define FIFO_FILE__EXECUTE 0x00002000UL
192#define FIFO_FILE__SWAPON 0x00004000UL
193#define FIFO_FILE__QUOTAON 0x00008000UL
194#define FIFO_FILE__MOUNTON 0x00010000UL
195#define FIFO_FILE__OPEN 0x00020000UL
196#define FD__USE 0x00000001UL
197#define SOCKET__IOCTL 0x00000001UL
198#define SOCKET__READ 0x00000002UL
199#define SOCKET__WRITE 0x00000004UL
200#define SOCKET__CREATE 0x00000008UL
201#define SOCKET__GETATTR 0x00000010UL
202#define SOCKET__SETATTR 0x00000020UL
203#define SOCKET__LOCK 0x00000040UL
204#define SOCKET__RELABELFROM 0x00000080UL
205#define SOCKET__RELABELTO 0x00000100UL
206#define SOCKET__APPEND 0x00000200UL
207#define SOCKET__BIND 0x00000400UL
208#define SOCKET__CONNECT 0x00000800UL
209#define SOCKET__LISTEN 0x00001000UL
210#define SOCKET__ACCEPT 0x00002000UL
211#define SOCKET__GETOPT 0x00004000UL
212#define SOCKET__SETOPT 0x00008000UL
213#define SOCKET__SHUTDOWN 0x00010000UL
214#define SOCKET__RECVFROM 0x00020000UL
215#define SOCKET__SENDTO 0x00040000UL
216#define SOCKET__RECV_MSG 0x00080000UL
217#define SOCKET__SEND_MSG 0x00100000UL
218#define SOCKET__NAME_BIND 0x00200000UL
219#define TCP_SOCKET__IOCTL 0x00000001UL
220#define TCP_SOCKET__READ 0x00000002UL
221#define TCP_SOCKET__WRITE 0x00000004UL
222#define TCP_SOCKET__CREATE 0x00000008UL
223#define TCP_SOCKET__GETATTR 0x00000010UL
224#define TCP_SOCKET__SETATTR 0x00000020UL
225#define TCP_SOCKET__LOCK 0x00000040UL
226#define TCP_SOCKET__RELABELFROM 0x00000080UL
227#define TCP_SOCKET__RELABELTO 0x00000100UL
228#define TCP_SOCKET__APPEND 0x00000200UL
229#define TCP_SOCKET__BIND 0x00000400UL
230#define TCP_SOCKET__CONNECT 0x00000800UL
231#define TCP_SOCKET__LISTEN 0x00001000UL
232#define TCP_SOCKET__ACCEPT 0x00002000UL
233#define TCP_SOCKET__GETOPT 0x00004000UL
234#define TCP_SOCKET__SETOPT 0x00008000UL
235#define TCP_SOCKET__SHUTDOWN 0x00010000UL
236#define TCP_SOCKET__RECVFROM 0x00020000UL
237#define TCP_SOCKET__SENDTO 0x00040000UL
238#define TCP_SOCKET__RECV_MSG 0x00080000UL
239#define TCP_SOCKET__SEND_MSG 0x00100000UL
240#define TCP_SOCKET__NAME_BIND 0x00200000UL
241#define TCP_SOCKET__CONNECTTO 0x00400000UL
242#define TCP_SOCKET__NEWCONN 0x00800000UL
243#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
244#define TCP_SOCKET__NODE_BIND 0x02000000UL
245#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
246#define UDP_SOCKET__IOCTL 0x00000001UL
247#define UDP_SOCKET__READ 0x00000002UL
248#define UDP_SOCKET__WRITE 0x00000004UL
249#define UDP_SOCKET__CREATE 0x00000008UL
250#define UDP_SOCKET__GETATTR 0x00000010UL
251#define UDP_SOCKET__SETATTR 0x00000020UL
252#define UDP_SOCKET__LOCK 0x00000040UL
253#define UDP_SOCKET__RELABELFROM 0x00000080UL
254#define UDP_SOCKET__RELABELTO 0x00000100UL
255#define UDP_SOCKET__APPEND 0x00000200UL
256#define UDP_SOCKET__BIND 0x00000400UL
257#define UDP_SOCKET__CONNECT 0x00000800UL
258#define UDP_SOCKET__LISTEN 0x00001000UL
259#define UDP_SOCKET__ACCEPT 0x00002000UL
260#define UDP_SOCKET__GETOPT 0x00004000UL
261#define UDP_SOCKET__SETOPT 0x00008000UL
262#define UDP_SOCKET__SHUTDOWN 0x00010000UL
263#define UDP_SOCKET__RECVFROM 0x00020000UL
264#define UDP_SOCKET__SENDTO 0x00040000UL
265#define UDP_SOCKET__RECV_MSG 0x00080000UL
266#define UDP_SOCKET__SEND_MSG 0x00100000UL
267#define UDP_SOCKET__NAME_BIND 0x00200000UL
268#define UDP_SOCKET__NODE_BIND 0x00400000UL
269#define RAWIP_SOCKET__IOCTL 0x00000001UL
270#define RAWIP_SOCKET__READ 0x00000002UL
271#define RAWIP_SOCKET__WRITE 0x00000004UL
272#define RAWIP_SOCKET__CREATE 0x00000008UL
273#define RAWIP_SOCKET__GETATTR 0x00000010UL
274#define RAWIP_SOCKET__SETATTR 0x00000020UL
275#define RAWIP_SOCKET__LOCK 0x00000040UL
276#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
277#define RAWIP_SOCKET__RELABELTO 0x00000100UL
278#define RAWIP_SOCKET__APPEND 0x00000200UL
279#define RAWIP_SOCKET__BIND 0x00000400UL
280#define RAWIP_SOCKET__CONNECT 0x00000800UL
281#define RAWIP_SOCKET__LISTEN 0x00001000UL
282#define RAWIP_SOCKET__ACCEPT 0x00002000UL
283#define RAWIP_SOCKET__GETOPT 0x00004000UL
284#define RAWIP_SOCKET__SETOPT 0x00008000UL
285#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
286#define RAWIP_SOCKET__RECVFROM 0x00020000UL
287#define RAWIP_SOCKET__SENDTO 0x00040000UL
288#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
289#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
290#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
291#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
292#define NODE__TCP_RECV 0x00000001UL
293#define NODE__TCP_SEND 0x00000002UL
294#define NODE__UDP_RECV 0x00000004UL
295#define NODE__UDP_SEND 0x00000008UL
296#define NODE__RAWIP_RECV 0x00000010UL
297#define NODE__RAWIP_SEND 0x00000020UL
298#define NODE__ENFORCE_DEST 0x00000040UL
299#define NODE__DCCP_RECV 0x00000080UL
300#define NODE__DCCP_SEND 0x00000100UL
301#define NODE__RECVFROM 0x00000200UL
302#define NODE__SENDTO 0x00000400UL
303#define NETIF__TCP_RECV 0x00000001UL
304#define NETIF__TCP_SEND 0x00000002UL
305#define NETIF__UDP_RECV 0x00000004UL
306#define NETIF__UDP_SEND 0x00000008UL
307#define NETIF__RAWIP_RECV 0x00000010UL
308#define NETIF__RAWIP_SEND 0x00000020UL
309#define NETIF__DCCP_RECV 0x00000040UL
310#define NETIF__DCCP_SEND 0x00000080UL
311#define NETIF__INGRESS 0x00000100UL
312#define NETIF__EGRESS 0x00000200UL
313#define NETLINK_SOCKET__IOCTL 0x00000001UL
314#define NETLINK_SOCKET__READ 0x00000002UL
315#define NETLINK_SOCKET__WRITE 0x00000004UL
316#define NETLINK_SOCKET__CREATE 0x00000008UL
317#define NETLINK_SOCKET__GETATTR 0x00000010UL
318#define NETLINK_SOCKET__SETATTR 0x00000020UL
319#define NETLINK_SOCKET__LOCK 0x00000040UL
320#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
321#define NETLINK_SOCKET__RELABELTO 0x00000100UL
322#define NETLINK_SOCKET__APPEND 0x00000200UL
323#define NETLINK_SOCKET__BIND 0x00000400UL
324#define NETLINK_SOCKET__CONNECT 0x00000800UL
325#define NETLINK_SOCKET__LISTEN 0x00001000UL
326#define NETLINK_SOCKET__ACCEPT 0x00002000UL
327#define NETLINK_SOCKET__GETOPT 0x00004000UL
328#define NETLINK_SOCKET__SETOPT 0x00008000UL
329#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
330#define NETLINK_SOCKET__RECVFROM 0x00020000UL
331#define NETLINK_SOCKET__SENDTO 0x00040000UL
332#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
333#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
334#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
335#define PACKET_SOCKET__IOCTL 0x00000001UL
336#define PACKET_SOCKET__READ 0x00000002UL
337#define PACKET_SOCKET__WRITE 0x00000004UL
338#define PACKET_SOCKET__CREATE 0x00000008UL
339#define PACKET_SOCKET__GETATTR 0x00000010UL
340#define PACKET_SOCKET__SETATTR 0x00000020UL
341#define PACKET_SOCKET__LOCK 0x00000040UL
342#define PACKET_SOCKET__RELABELFROM 0x00000080UL
343#define PACKET_SOCKET__RELABELTO 0x00000100UL
344#define PACKET_SOCKET__APPEND 0x00000200UL
345#define PACKET_SOCKET__BIND 0x00000400UL
346#define PACKET_SOCKET__CONNECT 0x00000800UL
347#define PACKET_SOCKET__LISTEN 0x00001000UL
348#define PACKET_SOCKET__ACCEPT 0x00002000UL
349#define PACKET_SOCKET__GETOPT 0x00004000UL
350#define PACKET_SOCKET__SETOPT 0x00008000UL
351#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
352#define PACKET_SOCKET__RECVFROM 0x00020000UL
353#define PACKET_SOCKET__SENDTO 0x00040000UL
354#define PACKET_SOCKET__RECV_MSG 0x00080000UL
355#define PACKET_SOCKET__SEND_MSG 0x00100000UL
356#define PACKET_SOCKET__NAME_BIND 0x00200000UL
357#define KEY_SOCKET__IOCTL 0x00000001UL
358#define KEY_SOCKET__READ 0x00000002UL
359#define KEY_SOCKET__WRITE 0x00000004UL
360#define KEY_SOCKET__CREATE 0x00000008UL
361#define KEY_SOCKET__GETATTR 0x00000010UL
362#define KEY_SOCKET__SETATTR 0x00000020UL
363#define KEY_SOCKET__LOCK 0x00000040UL
364#define KEY_SOCKET__RELABELFROM 0x00000080UL
365#define KEY_SOCKET__RELABELTO 0x00000100UL
366#define KEY_SOCKET__APPEND 0x00000200UL
367#define KEY_SOCKET__BIND 0x00000400UL
368#define KEY_SOCKET__CONNECT 0x00000800UL
369#define KEY_SOCKET__LISTEN 0x00001000UL
370#define KEY_SOCKET__ACCEPT 0x00002000UL
371#define KEY_SOCKET__GETOPT 0x00004000UL
372#define KEY_SOCKET__SETOPT 0x00008000UL
373#define KEY_SOCKET__SHUTDOWN 0x00010000UL
374#define KEY_SOCKET__RECVFROM 0x00020000UL
375#define KEY_SOCKET__SENDTO 0x00040000UL
376#define KEY_SOCKET__RECV_MSG 0x00080000UL
377#define KEY_SOCKET__SEND_MSG 0x00100000UL
378#define KEY_SOCKET__NAME_BIND 0x00200000UL
379#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
380#define UNIX_STREAM_SOCKET__READ 0x00000002UL
381#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
382#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
383#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
384#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
385#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
386#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
387#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
388#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
389#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
390#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
391#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
392#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
393#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
394#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
395#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
396#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
397#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
398#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
399#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
400#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
401#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
402#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
403#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
404#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
405#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
406#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
407#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
408#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
409#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
410#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
411#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
412#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
413#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
414#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
415#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
416#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
417#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
418#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
419#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
420#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
421#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
422#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
423#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
424#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
425#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
426#define TUN_SOCKET__IOCTL 0x00000001UL
427#define TUN_SOCKET__READ 0x00000002UL
428#define TUN_SOCKET__WRITE 0x00000004UL
429#define TUN_SOCKET__CREATE 0x00000008UL
430#define TUN_SOCKET__GETATTR 0x00000010UL
431#define TUN_SOCKET__SETATTR 0x00000020UL
432#define TUN_SOCKET__LOCK 0x00000040UL
433#define TUN_SOCKET__RELABELFROM 0x00000080UL
434#define TUN_SOCKET__RELABELTO 0x00000100UL
435#define TUN_SOCKET__APPEND 0x00000200UL
436#define TUN_SOCKET__BIND 0x00000400UL
437#define TUN_SOCKET__CONNECT 0x00000800UL
438#define TUN_SOCKET__LISTEN 0x00001000UL
439#define TUN_SOCKET__ACCEPT 0x00002000UL
440#define TUN_SOCKET__GETOPT 0x00004000UL
441#define TUN_SOCKET__SETOPT 0x00008000UL
442#define TUN_SOCKET__SHUTDOWN 0x00010000UL
443#define TUN_SOCKET__RECVFROM 0x00020000UL
444#define TUN_SOCKET__SENDTO 0x00040000UL
445#define TUN_SOCKET__RECV_MSG 0x00080000UL
446#define TUN_SOCKET__SEND_MSG 0x00100000UL
447#define TUN_SOCKET__NAME_BIND 0x00200000UL
448#define PROCESS__FORK 0x00000001UL
449#define PROCESS__TRANSITION 0x00000002UL
450#define PROCESS__SIGCHLD 0x00000004UL
451#define PROCESS__SIGKILL 0x00000008UL
452#define PROCESS__SIGSTOP 0x00000010UL
453#define PROCESS__SIGNULL 0x00000020UL
454#define PROCESS__SIGNAL 0x00000040UL
455#define PROCESS__PTRACE 0x00000080UL
456#define PROCESS__GETSCHED 0x00000100UL
457#define PROCESS__SETSCHED 0x00000200UL
458#define PROCESS__GETSESSION 0x00000400UL
459#define PROCESS__GETPGID 0x00000800UL
460#define PROCESS__SETPGID 0x00001000UL
461#define PROCESS__GETCAP 0x00002000UL
462#define PROCESS__SETCAP 0x00004000UL
463#define PROCESS__SHARE 0x00008000UL
464#define PROCESS__GETATTR 0x00010000UL
465#define PROCESS__SETEXEC 0x00020000UL
466#define PROCESS__SETFSCREATE 0x00040000UL
467#define PROCESS__NOATSECURE 0x00080000UL
468#define PROCESS__SIGINH 0x00100000UL
469#define PROCESS__SETRLIMIT 0x00200000UL
470#define PROCESS__RLIMITINH 0x00400000UL
471#define PROCESS__DYNTRANSITION 0x00800000UL
472#define PROCESS__SETCURRENT 0x01000000UL
473#define PROCESS__EXECMEM 0x02000000UL
474#define PROCESS__EXECSTACK 0x04000000UL
475#define PROCESS__EXECHEAP 0x08000000UL
476#define PROCESS__SETKEYCREATE 0x10000000UL
477#define PROCESS__SETSOCKCREATE 0x20000000UL
478#define IPC__CREATE 0x00000001UL
479#define IPC__DESTROY 0x00000002UL
480#define IPC__GETATTR 0x00000004UL
481#define IPC__SETATTR 0x00000008UL
482#define IPC__READ 0x00000010UL
483#define IPC__WRITE 0x00000020UL
484#define IPC__ASSOCIATE 0x00000040UL
485#define IPC__UNIX_READ 0x00000080UL
486#define IPC__UNIX_WRITE 0x00000100UL
487#define SEM__CREATE 0x00000001UL
488#define SEM__DESTROY 0x00000002UL
489#define SEM__GETATTR 0x00000004UL
490#define SEM__SETATTR 0x00000008UL
491#define SEM__READ 0x00000010UL
492#define SEM__WRITE 0x00000020UL
493#define SEM__ASSOCIATE 0x00000040UL
494#define SEM__UNIX_READ 0x00000080UL
495#define SEM__UNIX_WRITE 0x00000100UL
496#define MSGQ__CREATE 0x00000001UL
497#define MSGQ__DESTROY 0x00000002UL
498#define MSGQ__GETATTR 0x00000004UL
499#define MSGQ__SETATTR 0x00000008UL
500#define MSGQ__READ 0x00000010UL
501#define MSGQ__WRITE 0x00000020UL
502#define MSGQ__ASSOCIATE 0x00000040UL
503#define MSGQ__UNIX_READ 0x00000080UL
504#define MSGQ__UNIX_WRITE 0x00000100UL
505#define MSGQ__ENQUEUE 0x00000200UL
506#define MSG__SEND 0x00000001UL
507#define MSG__RECEIVE 0x00000002UL
508#define SHM__CREATE 0x00000001UL
509#define SHM__DESTROY 0x00000002UL
510#define SHM__GETATTR 0x00000004UL
511#define SHM__SETATTR 0x00000008UL
512#define SHM__READ 0x00000010UL
513#define SHM__WRITE 0x00000020UL
514#define SHM__ASSOCIATE 0x00000040UL
515#define SHM__UNIX_READ 0x00000080UL
516#define SHM__UNIX_WRITE 0x00000100UL
517#define SHM__LOCK 0x00000200UL
518#define SECURITY__COMPUTE_AV 0x00000001UL
519#define SECURITY__COMPUTE_CREATE 0x00000002UL
520#define SECURITY__COMPUTE_MEMBER 0x00000004UL
521#define SECURITY__CHECK_CONTEXT 0x00000008UL
522#define SECURITY__LOAD_POLICY 0x00000010UL
523#define SECURITY__COMPUTE_RELABEL 0x00000020UL
524#define SECURITY__COMPUTE_USER 0x00000040UL
525#define SECURITY__SETENFORCE 0x00000080UL
526#define SECURITY__SETBOOL 0x00000100UL
527#define SECURITY__SETSECPARAM 0x00000200UL
528#define SECURITY__SETCHECKREQPROT 0x00000400UL
529#define SYSTEM__IPC_INFO 0x00000001UL
530#define SYSTEM__SYSLOG_READ 0x00000002UL
531#define SYSTEM__SYSLOG_MOD 0x00000004UL
532#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
533#define SYSTEM__MODULE_REQUEST 0x00000010UL
534#define CAPABILITY__CHOWN 0x00000001UL
535#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
536#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
537#define CAPABILITY__FOWNER 0x00000008UL
538#define CAPABILITY__FSETID 0x00000010UL
539#define CAPABILITY__KILL 0x00000020UL
540#define CAPABILITY__SETGID 0x00000040UL
541#define CAPABILITY__SETUID 0x00000080UL
542#define CAPABILITY__SETPCAP 0x00000100UL
543#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
544#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
545#define CAPABILITY__NET_BROADCAST 0x00000800UL
546#define CAPABILITY__NET_ADMIN 0x00001000UL
547#define CAPABILITY__NET_RAW 0x00002000UL
548#define CAPABILITY__IPC_LOCK 0x00004000UL
549#define CAPABILITY__IPC_OWNER 0x00008000UL
550#define CAPABILITY__SYS_MODULE 0x00010000UL
551#define CAPABILITY__SYS_RAWIO 0x00020000UL
552#define CAPABILITY__SYS_CHROOT 0x00040000UL
553#define CAPABILITY__SYS_PTRACE 0x00080000UL
554#define CAPABILITY__SYS_PACCT 0x00100000UL
555#define CAPABILITY__SYS_ADMIN 0x00200000UL
556#define CAPABILITY__SYS_BOOT 0x00400000UL
557#define CAPABILITY__SYS_NICE 0x00800000UL
558#define CAPABILITY__SYS_RESOURCE 0x01000000UL
559#define CAPABILITY__SYS_TIME 0x02000000UL
560#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
561#define CAPABILITY__MKNOD 0x08000000UL
562#define CAPABILITY__LEASE 0x10000000UL
563#define CAPABILITY__AUDIT_WRITE 0x20000000UL
564#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
565#define CAPABILITY__SETFCAP 0x80000000UL
566#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
567#define CAPABILITY2__MAC_ADMIN 0x00000002UL
568#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
569#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
570#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
571#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
572#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
573#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
574#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
575#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
576#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
577#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
578#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
579#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
580#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
581#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
582#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
583#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
584#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
585#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
586#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
587#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
588#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
589#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
590#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
591#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
592#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
593#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
594#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
595#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
596#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
597#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
598#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
599#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
600#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
601#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
602#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
603#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
604#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
605#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
606#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
607#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
608#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
609#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
610#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
611#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
612#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
613#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
614#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
615#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
616#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
617#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
618#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
619#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
620#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
621#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
622#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
623#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
624#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
625#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
626#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
627#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
628#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
629#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
630#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
631#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
632#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
633#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
634#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
635#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
636#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
637#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
638#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
639#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
640#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
641#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
642#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
643#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
644#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
645#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
646#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
647#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
648#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
649#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
650#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
651#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
652#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
653#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
654#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
655#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
656#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
657#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
658#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
659#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
660#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
661#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
662#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
663#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
664#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
665#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
666#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
667#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
668#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
669#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
670#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
671#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
672#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
673#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
674#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
675#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
676#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
677#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
678#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
679#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
680#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
681#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
682#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
683#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
684#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
685#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
686#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
687#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
688#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
689#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
690#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
691#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
692#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
693#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
694#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
695#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
696#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
697#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
698#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
699#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
700#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
701#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
702#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
703#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
704#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
705#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
706#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
707#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
708#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
709#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
710#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
711#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
712#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
713#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
714#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
715#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
716#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
717#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
718#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
719#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
720#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
721#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
722#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
723#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
724#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
725#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
726#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
727#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
728#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
729#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
730#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
731#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
732#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
733#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
734#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
735#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
736#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
737#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
738#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
739#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
740#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
741#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
742#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
743#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
744#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
745#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
746#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
747#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
748#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
749#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
750#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
751#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
752#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
753#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
754#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
755#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
756#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
757#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
758#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
759#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
760#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
761#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
762#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
763#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
764#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
765#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
766#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
767#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
768#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
769#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
770#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
771#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
772#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
773#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
774#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
775#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
776#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
777#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
778#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
779#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
780#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
781#define ASSOCIATION__SENDTO 0x00000001UL
782#define ASSOCIATION__RECVFROM 0x00000002UL
783#define ASSOCIATION__SETCONTEXT 0x00000004UL
784#define ASSOCIATION__POLMATCH 0x00000008UL
785#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
786#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
787#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
788#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
789#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
790#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
791#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
792#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
793#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
794#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
795#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
796#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
797#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
798#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
799#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
800#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
801#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
802#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
803#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
804#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
805#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
806#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
807#define APPLETALK_SOCKET__IOCTL 0x00000001UL
808#define APPLETALK_SOCKET__READ 0x00000002UL
809#define APPLETALK_SOCKET__WRITE 0x00000004UL
810#define APPLETALK_SOCKET__CREATE 0x00000008UL
811#define APPLETALK_SOCKET__GETATTR 0x00000010UL
812#define APPLETALK_SOCKET__SETATTR 0x00000020UL
813#define APPLETALK_SOCKET__LOCK 0x00000040UL
814#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
815#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
816#define APPLETALK_SOCKET__APPEND 0x00000200UL
817#define APPLETALK_SOCKET__BIND 0x00000400UL
818#define APPLETALK_SOCKET__CONNECT 0x00000800UL
819#define APPLETALK_SOCKET__LISTEN 0x00001000UL
820#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
821#define APPLETALK_SOCKET__GETOPT 0x00004000UL
822#define APPLETALK_SOCKET__SETOPT 0x00008000UL
823#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
824#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
825#define APPLETALK_SOCKET__SENDTO 0x00040000UL
826#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
827#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
828#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
829#define PACKET__SEND 0x00000001UL
830#define PACKET__RECV 0x00000002UL
831#define PACKET__RELABELTO 0x00000004UL
832#define PACKET__FLOW_IN 0x00000008UL
833#define PACKET__FLOW_OUT 0x00000010UL
834#define PACKET__FORWARD_IN 0x00000020UL
835#define PACKET__FORWARD_OUT 0x00000040UL
836#define KEY__VIEW 0x00000001UL
837#define KEY__READ 0x00000002UL
838#define KEY__WRITE 0x00000004UL
839#define KEY__SEARCH 0x00000008UL
840#define KEY__LINK 0x00000010UL
841#define KEY__SETATTR 0x00000020UL
842#define KEY__CREATE 0x00000040UL
843#define DCCP_SOCKET__IOCTL 0x00000001UL
844#define DCCP_SOCKET__READ 0x00000002UL
845#define DCCP_SOCKET__WRITE 0x00000004UL
846#define DCCP_SOCKET__CREATE 0x00000008UL
847#define DCCP_SOCKET__GETATTR 0x00000010UL
848#define DCCP_SOCKET__SETATTR 0x00000020UL
849#define DCCP_SOCKET__LOCK 0x00000040UL
850#define DCCP_SOCKET__RELABELFROM 0x00000080UL
851#define DCCP_SOCKET__RELABELTO 0x00000100UL
852#define DCCP_SOCKET__APPEND 0x00000200UL
853#define DCCP_SOCKET__BIND 0x00000400UL
854#define DCCP_SOCKET__CONNECT 0x00000800UL
855#define DCCP_SOCKET__LISTEN 0x00001000UL
856#define DCCP_SOCKET__ACCEPT 0x00002000UL
857#define DCCP_SOCKET__GETOPT 0x00004000UL
858#define DCCP_SOCKET__SETOPT 0x00008000UL
859#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
860#define DCCP_SOCKET__RECVFROM 0x00020000UL
861#define DCCP_SOCKET__SENDTO 0x00040000UL
862#define DCCP_SOCKET__RECV_MSG 0x00080000UL
863#define DCCP_SOCKET__SEND_MSG 0x00100000UL
864#define DCCP_SOCKET__NAME_BIND 0x00200000UL
865#define DCCP_SOCKET__NODE_BIND 0x00400000UL
866#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
867#define MEMPROTECT__MMAP_ZERO 0x00000001UL
868#define PEER__RECV 0x00000001UL
869#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
870#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdfe..4677aa519b04 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
10 10
11int avc_ss_reset(u32 seqno); 11int avc_ss_reset(u32 seqno);
12 12
13struct av_perm_to_string { 13/* Class/perm mapping support */
14 u16 tclass; 14struct security_class_mapping {
15 u32 value;
16 const char *name; 15 const char *name;
16 const char *perms[sizeof(u32) * 8 + 1];
17}; 17};
18 18
19struct av_inherit { 19extern struct security_class_mapping secclass_map[];
20 const char **common_pts;
21 u32 common_base;
22 u16 tclass;
23};
24
25struct selinux_class_perm {
26 const struct av_perm_to_string *av_perm_to_string;
27 u32 av_pts_len;
28 u32 cts_len;
29 const char **class_to_string;
30 const struct av_inherit *av_inherit;
31 u32 av_inherit_len;
32};
33 20
34#endif /* _SELINUX_AVC_SS_H_ */ 21#endif /* _SELINUX_AVC_SS_H_ */
35 22
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6b..000000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2/*
3 * Security object class definitions
4 */
5 S_(NULL)
6 S_("security")
7 S_("process")
8 S_("system")
9 S_("capability")
10 S_("filesystem")
11 S_("file")
12 S_("dir")
13 S_("fd")
14 S_("lnk_file")
15 S_("chr_file")
16 S_("blk_file")
17 S_("sock_file")
18 S_("fifo_file")
19 S_("socket")
20 S_("tcp_socket")
21 S_("udp_socket")
22 S_("rawip_socket")
23 S_("node")
24 S_("netif")
25 S_("netlink_socket")
26 S_("packet_socket")
27 S_("key_socket")
28 S_("unix_stream_socket")
29 S_("unix_dgram_socket")
30 S_("sem")
31 S_("msg")
32 S_("msgq")
33 S_("shm")
34 S_("ipc")
35 S_(NULL)
36 S_(NULL)
37 S_(NULL)
38 S_(NULL)
39 S_(NULL)
40 S_(NULL)
41 S_(NULL)
42 S_(NULL)
43 S_(NULL)
44 S_(NULL)
45 S_(NULL)
46 S_(NULL)
47 S_(NULL)
48 S_("netlink_route_socket")
49 S_("netlink_firewall_socket")
50 S_("netlink_tcpdiag_socket")
51 S_("netlink_nflog_socket")
52 S_("netlink_xfrm_socket")
53 S_("netlink_selinux_socket")
54 S_("netlink_audit_socket")
55 S_("netlink_ip6fw_socket")
56 S_("netlink_dnrt_socket")
57 S_(NULL)
58 S_(NULL)
59 S_("association")
60 S_("netlink_kobject_uevent_socket")
61 S_("appletalk_socket")
62 S_("packet")
63 S_("key")
64 S_(NULL)
65 S_("dccp_socket")
66 S_("memprotect")
67 S_(NULL)
68 S_(NULL)
69 S_(NULL)
70 S_(NULL)
71 S_(NULL)
72 S_(NULL)
73 S_("peer")
74 S_("capability2")
75 S_(NULL)
76 S_(NULL)
77 S_(NULL)
78 S_(NULL)
79 S_("kernel_service")
80 S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 000000000000..8b32e959bb2e
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
1#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
2 "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
3
4#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
5 "rename", "execute", "swapon", "quotaon", "mounton"
6
7#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
8 "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
9 "sendto", "recv_msg", "send_msg", "name_bind"
10
11#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
12 "write", "associate", "unix_read", "unix_write"
13
14struct security_class_mapping secclass_map[] = {
15 { "security",
16 { "compute_av", "compute_create", "compute_member",
17 "check_context", "load_policy", "compute_relabel",
18 "compute_user", "setenforce", "setbool", "setsecparam",
19 "setcheckreqprot", NULL } },
20 { "process",
21 { "fork", "transition", "sigchld", "sigkill",
22 "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
23 "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
24 "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
25 "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
26 "execmem", "execstack", "execheap", "setkeycreate",
27 "setsockcreate", NULL } },
28 { "system",
29 { "ipc_info", "syslog_read", "syslog_mod",
30 "syslog_console", "module_request", NULL } },
31 { "capability",
32 { "chown", "dac_override", "dac_read_search",
33 "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
34 "linux_immutable", "net_bind_service", "net_broadcast",
35 "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
36 "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
37 "sys_boot", "sys_nice", "sys_resource", "sys_time",
38 "sys_tty_config", "mknod", "lease", "audit_write",
39 "audit_control", "setfcap", NULL } },
40 { "filesystem",
41 { "mount", "remount", "unmount", "getattr",
42 "relabelfrom", "relabelto", "transition", "associate", "quotamod",
43 "quotaget", NULL } },
44 { "file",
45 { COMMON_FILE_PERMS,
46 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
47 { "dir",
48 { COMMON_FILE_PERMS, "add_name", "remove_name",
49 "reparent", "search", "rmdir", "open", NULL } },
50 { "fd", { "use", NULL } },
51 { "lnk_file",
52 { COMMON_FILE_PERMS, NULL } },
53 { "chr_file",
54 { COMMON_FILE_PERMS,
55 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
56 { "blk_file",
57 { COMMON_FILE_PERMS, "open", NULL } },
58 { "sock_file",
59 { COMMON_FILE_PERMS, "open", NULL } },
60 { "fifo_file",
61 { COMMON_FILE_PERMS, "open", NULL } },
62 { "socket",
63 { COMMON_SOCK_PERMS, NULL } },
64 { "tcp_socket",
65 { COMMON_SOCK_PERMS,
66 "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
67 NULL } },
68 { "udp_socket",
69 { COMMON_SOCK_PERMS,
70 "node_bind", NULL } },
71 { "rawip_socket",
72 { COMMON_SOCK_PERMS,
73 "node_bind", NULL } },
74 { "node",
75 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
76 "rawip_recv", "rawip_send", "enforce_dest",
77 "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
78 { "netif",
79 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
80 "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
81 "ingress", "egress", NULL } },
82 { "netlink_socket",
83 { COMMON_SOCK_PERMS, NULL } },
84 { "packet_socket",
85 { COMMON_SOCK_PERMS, NULL } },
86 { "key_socket",
87 { COMMON_SOCK_PERMS, NULL } },
88 { "unix_stream_socket",
89 { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
90 } },
91 { "unix_dgram_socket",
92 { COMMON_SOCK_PERMS, NULL
93 } },
94 { "sem",
95 { COMMON_IPC_PERMS, NULL } },
96 { "msg", { "send", "receive", NULL } },
97 { "msgq",
98 { COMMON_IPC_PERMS, "enqueue", NULL } },
99 { "shm",
100 { COMMON_IPC_PERMS, "lock", NULL } },
101 { "ipc",
102 { COMMON_IPC_PERMS, NULL } },
103 { "netlink_route_socket",
104 { COMMON_SOCK_PERMS,
105 "nlmsg_read", "nlmsg_write", NULL } },
106 { "netlink_firewall_socket",
107 { COMMON_SOCK_PERMS,
108 "nlmsg_read", "nlmsg_write", NULL } },
109 { "netlink_tcpdiag_socket",
110 { COMMON_SOCK_PERMS,
111 "nlmsg_read", "nlmsg_write", NULL } },
112 { "netlink_nflog_socket",
113 { COMMON_SOCK_PERMS, NULL } },
114 { "netlink_xfrm_socket",
115 { COMMON_SOCK_PERMS,
116 "nlmsg_read", "nlmsg_write", NULL } },
117 { "netlink_selinux_socket",
118 { COMMON_SOCK_PERMS, NULL } },
119 { "netlink_audit_socket",
120 { COMMON_SOCK_PERMS,
121 "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
122 "nlmsg_tty_audit", NULL } },
123 { "netlink_ip6fw_socket",
124 { COMMON_SOCK_PERMS,
125 "nlmsg_read", "nlmsg_write", NULL } },
126 { "netlink_dnrt_socket",
127 { COMMON_SOCK_PERMS, NULL } },
128 { "association",
129 { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
130 { "netlink_kobject_uevent_socket",
131 { COMMON_SOCK_PERMS, NULL } },
132 { "appletalk_socket",
133 { COMMON_SOCK_PERMS, NULL } },
134 { "packet",
135 { "send", "recv", "relabelto", "flow_in", "flow_out",
136 "forward_in", "forward_out", NULL } },
137 { "key",
138 { "view", "read", "write", "search", "link", "setattr", "create",
139 NULL } },
140 { "dccp_socket",
141 { COMMON_SOCK_PERMS,
142 "node_bind", "name_connect", NULL } },
143 { "memprotect", { "mmap_zero", NULL } },
144 { "peer", { "recv", NULL } },
145 { "capability2", { "mac_override", "mac_admin", NULL } },
146 { "kernel_service", { "use_as_override", "create_files_as", NULL } },
147 { "tun_socket",
148 { COMMON_SOCK_PERMS, NULL } },
149 { NULL }
150 };
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9dd..000000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2TB_(common_file_perm_to_string)
3 S_("ioctl")
4 S_("read")
5 S_("write")
6 S_("create")
7 S_("getattr")
8 S_("setattr")
9 S_("lock")
10 S_("relabelfrom")
11 S_("relabelto")
12 S_("append")
13 S_("unlink")
14 S_("link")
15 S_("rename")
16 S_("execute")
17 S_("swapon")
18 S_("quotaon")
19 S_("mounton")
20TE_(common_file_perm_to_string)
21
22TB_(common_socket_perm_to_string)
23 S_("ioctl")
24 S_("read")
25 S_("write")
26 S_("create")
27 S_("getattr")
28 S_("setattr")
29 S_("lock")
30 S_("relabelfrom")
31 S_("relabelto")
32 S_("append")
33 S_("bind")
34 S_("connect")
35 S_("listen")
36 S_("accept")
37 S_("getopt")
38 S_("setopt")
39 S_("shutdown")
40 S_("recvfrom")
41 S_("sendto")
42 S_("recv_msg")
43 S_("send_msg")
44 S_("name_bind")
45TE_(common_socket_perm_to_string)
46
47TB_(common_ipc_perm_to_string)
48 S_("create")
49 S_("destroy")
50 S_("getattr")
51 S_("setattr")
52 S_("read")
53 S_("write")
54 S_("associate")
55 S_("unix_read")
56 S_("unix_write")
57TE_(common_ipc_perm_to_string)
58
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
deleted file mode 100644
index f248500a1e3c..000000000000
--- a/security/selinux/include/flask.h
+++ /dev/null
@@ -1,91 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2#ifndef _SELINUX_FLASK_H_
3#define _SELINUX_FLASK_H_
4
5/*
6 * Security object class definitions
7 */
8#define SECCLASS_SECURITY 1
9#define SECCLASS_PROCESS 2
10#define SECCLASS_SYSTEM 3
11#define SECCLASS_CAPABILITY 4
12#define SECCLASS_FILESYSTEM 5
13#define SECCLASS_FILE 6
14#define SECCLASS_DIR 7
15#define SECCLASS_FD 8
16#define SECCLASS_LNK_FILE 9
17#define SECCLASS_CHR_FILE 10
18#define SECCLASS_BLK_FILE 11
19#define SECCLASS_SOCK_FILE 12
20#define SECCLASS_FIFO_FILE 13
21#define SECCLASS_SOCKET 14
22#define SECCLASS_TCP_SOCKET 15
23#define SECCLASS_UDP_SOCKET 16
24#define SECCLASS_RAWIP_SOCKET 17
25#define SECCLASS_NODE 18
26#define SECCLASS_NETIF 19
27#define SECCLASS_NETLINK_SOCKET 20
28#define SECCLASS_PACKET_SOCKET 21
29#define SECCLASS_KEY_SOCKET 22
30#define SECCLASS_UNIX_STREAM_SOCKET 23
31#define SECCLASS_UNIX_DGRAM_SOCKET 24
32#define SECCLASS_SEM 25
33#define SECCLASS_MSG 26
34#define SECCLASS_MSGQ 27
35#define SECCLASS_SHM 28
36#define SECCLASS_IPC 29
37#define SECCLASS_NETLINK_ROUTE_SOCKET 43
38#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
39#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
40#define SECCLASS_NETLINK_NFLOG_SOCKET 46
41#define SECCLASS_NETLINK_XFRM_SOCKET 47
42#define SECCLASS_NETLINK_SELINUX_SOCKET 48
43#define SECCLASS_NETLINK_AUDIT_SOCKET 49
44#define SECCLASS_NETLINK_IP6FW_SOCKET 50
45#define SECCLASS_NETLINK_DNRT_SOCKET 51
46#define SECCLASS_ASSOCIATION 54
47#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
48#define SECCLASS_APPLETALK_SOCKET 56
49#define SECCLASS_PACKET 57
50#define SECCLASS_KEY 58
51#define SECCLASS_DCCP_SOCKET 60
52#define SECCLASS_MEMPROTECT 61
53#define SECCLASS_PEER 68
54#define SECCLASS_CAPABILITY2 69
55#define SECCLASS_KERNEL_SERVICE 74
56#define SECCLASS_TUN_SOCKET 75
57
58/*
59 * Security identifier indices for initial entities
60 */
61#define SECINITSID_KERNEL 1
62#define SECINITSID_SECURITY 2
63#define SECINITSID_UNLABELED 3
64#define SECINITSID_FS 4
65#define SECINITSID_FILE 5
66#define SECINITSID_FILE_LABELS 6
67#define SECINITSID_INIT 7
68#define SECINITSID_ANY_SOCKET 8
69#define SECINITSID_PORT 9
70#define SECINITSID_NETIF 10
71#define SECINITSID_NETMSG 11
72#define SECINITSID_NODE 12
73#define SECINITSID_IGMP_PACKET 13
74#define SECINITSID_ICMP_SOCKET 14
75#define SECINITSID_TCP_SOCKET 15
76#define SECINITSID_SYSCTL_MODPROBE 16
77#define SECINITSID_SYSCTL 17
78#define SECINITSID_SYSCTL_FS 18
79#define SECINITSID_SYSCTL_KERNEL 19
80#define SECINITSID_SYSCTL_NET 20
81#define SECINITSID_SYSCTL_NET_UNIX 21
82#define SECINITSID_SYSCTL_VM 22
83#define SECINITSID_SYSCTL_DEV 23
84#define SECINITSID_KMOD 24
85#define SECINITSID_POLICY 25
86#define SECINITSID_SCMP_PACKET 26
87#define SECINITSID_DEVNULL 27
88
89#define SECINITSID_NUM 27
90
91#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b3..2553266ad793 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
97#define AVD_FLAGS_PERMISSIVE 0x0001 97#define AVD_FLAGS_PERMISSIVE 0x0001
98 98
99int security_compute_av(u32 ssid, u32 tsid, 99int security_compute_av(u32 ssid, u32 tsid,
100 u16 tclass, u32 requested, 100 u16 tclass, u32 requested,
101 struct av_decision *avd); 101 struct av_decision *avd);
102
103int security_compute_av_user(u32 ssid, u32 tsid,
104 u16 tclass, u32 requested,
105 struct av_decision *avd);
102 106
103int security_transition_sid(u32 ssid, u32 tsid, 107int security_transition_sid(u32 ssid, u32 tsid,
104 u16 tclass, u32 *out_sid); 108 u16 tclass, u32 *out_sid);
109
110int security_transition_sid_user(u32 ssid, u32 tsid,
111 u16 tclass, u32 *out_sid);
105 112
106int security_member_sid(u32 ssid, u32 tsid, 113int security_member_sid(u32 ssid, u32 tsid,
107 u16 tclass, u32 *out_sid); 114 u16 tclass, u32 *out_sid);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b4fc506e7a87..fab36fdf2769 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
522 if (length < 0) 522 if (length < 0)
523 goto out2; 523 goto out2;
524 524
525 length = security_compute_av(ssid, tsid, tclass, req, &avd); 525 length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
526 if (length < 0) 526 if (length < 0)
527 goto out2; 527 goto out2;
528 528
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
571 if (length < 0) 571 if (length < 0)
572 goto out2; 572 goto out2;
573 573
574 length = security_transition_sid(ssid, tsid, tclass, &newsid); 574 length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
575 if (length < 0) 575 if (length < 0)
576 goto out2; 576 goto out2;
577 577
diff --git a/security/selinux/ss/Makefile b/security/selinux/ss/Makefile
index bad78779b9b0..15d4e62917de 100644
--- a/security/selinux/ss/Makefile
+++ b/security/selinux/ss/Makefile
@@ -2,7 +2,7 @@
2# Makefile for building the SELinux security server as part of the kernel tree. 2# Makefile for building the SELinux security server as part of the kernel tree.
3# 3#
4 4
5EXTRA_CFLAGS += -Isecurity/selinux/include 5EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
6obj-y := ss.o 6obj-y := ss.o
7 7
8ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o 8ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b5407f16c2a4..3f2b2706b5bb 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
532 } 532 }
533 /* Fallthrough */ 533 /* Fallthrough */
534 case AVTAB_CHANGE: 534 case AVTAB_CHANGE:
535 if (tclass == SECCLASS_PROCESS) 535 if (tclass == policydb.process_class)
536 /* Use the process MLS attributes. */ 536 /* Use the process MLS attributes. */
537 return mls_context_cpy(newcontext, scontext); 537 return mls_context_cpy(newcontext, scontext);
538 else 538 else
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54973aa..f03667213ea8 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
713 ebitmap_destroy(&p->type_attr_map[i]); 713 ebitmap_destroy(&p->type_attr_map[i]);
714 } 714 }
715 kfree(p->type_attr_map); 715 kfree(p->type_attr_map);
716 kfree(p->undefined_perms);
717 ebitmap_destroy(&p->policycaps); 716 ebitmap_destroy(&p->policycaps);
718 ebitmap_destroy(&p->permissive_map); 717 ebitmap_destroy(&p->permissive_map);
719 718
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
1640 1639
1641extern int ss_initialized; 1640extern int ss_initialized;
1642 1641
1642u16 string_to_security_class(struct policydb *p, const char *name)
1643{
1644 struct class_datum *cladatum;
1645
1646 cladatum = hashtab_search(p->p_classes.table, name);
1647 if (!cladatum)
1648 return 0;
1649
1650 return cladatum->value;
1651}
1652
1653u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1654{
1655 struct class_datum *cladatum;
1656 struct perm_datum *perdatum = NULL;
1657 struct common_datum *comdatum;
1658
1659 if (!tclass || tclass > p->p_classes.nprim)
1660 return 0;
1661
1662 cladatum = p->class_val_to_struct[tclass-1];
1663 comdatum = cladatum->comdatum;
1664 if (comdatum)
1665 perdatum = hashtab_search(comdatum->permissions.table,
1666 name);
1667 if (!perdatum)
1668 perdatum = hashtab_search(cladatum->permissions.table,
1669 name);
1670 if (!perdatum)
1671 return 0;
1672
1673 return 1U << (perdatum->value-1);
1674}
1675
1643/* 1676/*
1644 * Read the configuration data from a policy database binary 1677 * Read the configuration data from a policy database binary
1645 * representation file into a policy database structure. 1678 * representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
1861 if (rc) 1894 if (rc)
1862 goto bad; 1895 goto bad;
1863 1896
1897 p->process_class = string_to_security_class(p, "process");
1898 if (!p->process_class)
1899 goto bad;
1900 p->process_trans_perms = string_to_av_perm(p, p->process_class,
1901 "transition");
1902 p->process_trans_perms |= string_to_av_perm(p, p->process_class,
1903 "dyntransition");
1904 if (!p->process_trans_perms)
1905 goto bad;
1906
1864 for (i = 0; i < info->ocon_num; i++) { 1907 for (i = 0; i < info->ocon_num; i++) {
1865 rc = next_entry(buf, fp, sizeof(u32)); 1908 rc = next_entry(buf, fp, sizeof(u32));
1866 if (rc < 0) 1909 if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
2101 goto bad; 2144 goto bad;
2102 rt->target_class = le32_to_cpu(buf[0]); 2145 rt->target_class = le32_to_cpu(buf[0]);
2103 } else 2146 } else
2104 rt->target_class = SECCLASS_PROCESS; 2147 rt->target_class = p->process_class;
2105 if (!policydb_type_isvalid(p, rt->source_type) || 2148 if (!policydb_type_isvalid(p, rt->source_type) ||
2106 !policydb_type_isvalid(p, rt->target_type) || 2149 !policydb_type_isvalid(p, rt->target_type) ||
2107 !policydb_class_isvalid(p, rt->target_class)) { 2150 !policydb_class_isvalid(p, rt->target_class)) {
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 55152d498b53..cdcc5700946f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -254,7 +254,9 @@ struct policydb {
254 254
255 unsigned int reject_unknown : 1; 255 unsigned int reject_unknown : 1;
256 unsigned int allow_unknown : 1; 256 unsigned int allow_unknown : 1;
257 u32 *undefined_perms; 257
258 u16 process_class;
259 u32 process_trans_perms;
258}; 260};
259 261
260extern void policydb_destroy(struct policydb *p); 262extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
295 return 0; 297 return 0;
296} 298}
297 299
300extern u16 string_to_security_class(struct policydb *p, const char *name);
301extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
302
298#endif /* _SS_POLICYDB_H_ */ 303#endif /* _SS_POLICYDB_H_ */
299 304
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..d6bb20cbad62 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -65,16 +65,10 @@
65#include "audit.h" 65#include "audit.h"
66 66
67extern void selnl_notify_policyload(u32 seqno); 67extern void selnl_notify_policyload(u32 seqno);
68unsigned int policydb_loaded_version;
69 68
70int selinux_policycap_netpeer; 69int selinux_policycap_netpeer;
71int selinux_policycap_openperm; 70int selinux_policycap_openperm;
72 71
73/*
74 * This is declared in avc.c
75 */
76extern const struct selinux_class_perm selinux_class_perm;
77
78static DEFINE_RWLOCK(policy_rwlock); 72static DEFINE_RWLOCK(policy_rwlock);
79 73
80static struct sidtab sidtab; 74static struct sidtab sidtab;
@@ -98,6 +92,165 @@ static int context_struct_compute_av(struct context *scontext,
98 u16 tclass, 92 u16 tclass,
99 u32 requested, 93 u32 requested,
100 struct av_decision *avd); 94 struct av_decision *avd);
95
96struct selinux_mapping {
97 u16 value; /* policy value */
98 unsigned num_perms;
99 u32 perms[sizeof(u32) * 8];
100};
101
102static struct selinux_mapping *current_mapping;
103static u16 current_mapping_size;
104
105static int selinux_set_mapping(struct policydb *pol,
106 struct security_class_mapping *map,
107 struct selinux_mapping **out_map_p,
108 u16 *out_map_size)
109{
110 struct selinux_mapping *out_map = NULL;
111 size_t size = sizeof(struct selinux_mapping);
112 u16 i, j;
113 unsigned k;
114 bool print_unknown_handle = false;
115
116 /* Find number of classes in the input mapping */
117 if (!map)
118 return -EINVAL;
119 i = 0;
120 while (map[i].name)
121 i++;
122
123 /* Allocate space for the class records, plus one for class zero */
124 out_map = kcalloc(++i, size, GFP_ATOMIC);
125 if (!out_map)
126 return -ENOMEM;
127
128 /* Store the raw class and permission values */
129 j = 0;
130 while (map[j].name) {
131 struct security_class_mapping *p_in = map + (j++);
132 struct selinux_mapping *p_out = out_map + j;
133
134 /* An empty class string skips ahead */
135 if (!strcmp(p_in->name, "")) {
136 p_out->num_perms = 0;
137 continue;
138 }
139
140 p_out->value = string_to_security_class(pol, p_in->name);
141 if (!p_out->value) {
142 printk(KERN_INFO
143 "SELinux: Class %s not defined in policy.\n",
144 p_in->name);
145 if (pol->reject_unknown)
146 goto err;
147 p_out->num_perms = 0;
148 print_unknown_handle = true;
149 continue;
150 }
151
152 k = 0;
153 while (p_in->perms && p_in->perms[k]) {
154 /* An empty permission string skips ahead */
155 if (!*p_in->perms[k]) {
156 k++;
157 continue;
158 }
159 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
160 p_in->perms[k]);
161 if (!p_out->perms[k]) {
162 printk(KERN_INFO
163 "SELinux: Permission %s in class %s not defined in policy.\n",
164 p_in->perms[k], p_in->name);
165 if (pol->reject_unknown)
166 goto err;
167 print_unknown_handle = true;
168 }
169
170 k++;
171 }
172 p_out->num_perms = k;
173 }
174
175 if (print_unknown_handle)
176 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
177 pol->allow_unknown ? "allowed" : "denied");
178
179 *out_map_p = out_map;
180 *out_map_size = i;
181 return 0;
182err:
183 kfree(out_map);
184 return -EINVAL;
185}
186
187/*
188 * Get real, policy values from mapped values
189 */
190
191static u16 unmap_class(u16 tclass)
192{
193 if (tclass < current_mapping_size)
194 return current_mapping[tclass].value;
195
196 return tclass;
197}
198
199static u32 unmap_perm(u16 tclass, u32 tperm)
200{
201 if (tclass < current_mapping_size) {
202 unsigned i;
203 u32 kperm = 0;
204
205 for (i = 0; i < current_mapping[tclass].num_perms; i++)
206 if (tperm & (1<<i)) {
207 kperm |= current_mapping[tclass].perms[i];
208 tperm &= ~(1<<i);
209 }
210 return kperm;
211 }
212
213 return tperm;
214}
215
216static void map_decision(u16 tclass, struct av_decision *avd,
217 int allow_unknown)
218{
219 if (tclass < current_mapping_size) {
220 unsigned i, n = current_mapping[tclass].num_perms;
221 u32 result;
222
223 for (i = 0, result = 0; i < n; i++) {
224 if (avd->allowed & current_mapping[tclass].perms[i])
225 result |= 1<<i;
226 if (allow_unknown && !current_mapping[tclass].perms[i])
227 result |= 1<<i;
228 }
229 avd->allowed = result;
230
231 for (i = 0, result = 0; i < n; i++)
232 if (avd->auditallow & current_mapping[tclass].perms[i])
233 result |= 1<<i;
234 avd->auditallow = result;
235
236 for (i = 0, result = 0; i < n; i++) {
237 if (avd->auditdeny & current_mapping[tclass].perms[i])
238 result |= 1<<i;
239 if (!allow_unknown && !current_mapping[tclass].perms[i])
240 result |= 1<<i;
241 }
242 /*
243 * In case the kernel has a bug and requests a permission
244 * between num_perms and the maximum permission number, we
245 * should audit that denial
246 */
247 for (; i < (sizeof(u32)*8); i++)
248 result |= 1<<i;
249 avd->auditdeny = result;
250 }
251}
252
253
101/* 254/*
102 * Return the boolean value of a constraint expression 255 * Return the boolean value of a constraint expression
103 * when it is applied to the specified source and target 256 * when it is applied to the specified source and target
@@ -467,21 +620,9 @@ static int context_struct_compute_av(struct context *scontext,
467 struct class_datum *tclass_datum; 620 struct class_datum *tclass_datum;
468 struct ebitmap *sattr, *tattr; 621 struct ebitmap *sattr, *tattr;
469 struct ebitmap_node *snode, *tnode; 622 struct ebitmap_node *snode, *tnode;
470 const struct selinux_class_perm *kdefs = &selinux_class_perm;
471 unsigned int i, j; 623 unsigned int i, j;
472 624
473 /* 625 /*
474 * Remap extended Netlink classes for old policy versions.
475 * Do this here rather than socket_type_to_security_class()
476 * in case a newer policy version is loaded, allowing sockets
477 * to remain in the correct class.
478 */
479 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
480 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
481 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
482 tclass = SECCLASS_NETLINK_SOCKET;
483
484 /*
485 * Initialize the access vectors to the default values. 626 * Initialize the access vectors to the default values.
486 */ 627 */
487 avd->allowed = 0; 628 avd->allowed = 0;
@@ -490,33 +631,11 @@ static int context_struct_compute_av(struct context *scontext,
490 avd->seqno = latest_granting; 631 avd->seqno = latest_granting;
491 avd->flags = 0; 632 avd->flags = 0;
492 633
493 /* 634 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
494 * Check for all the invalid cases. 635 if (printk_ratelimit())
495 * - tclass 0 636 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
496 * - tclass > policy and > kernel 637 return -EINVAL;
497 * - tclass > policy but is a userspace class 638 }
498 * - tclass > policy but we do not allow unknowns
499 */
500 if (unlikely(!tclass))
501 goto inval_class;
502 if (unlikely(tclass > policydb.p_classes.nprim))
503 if (tclass > kdefs->cts_len ||
504 !kdefs->class_to_string[tclass] ||
505 !policydb.allow_unknown)
506 goto inval_class;
507
508 /*
509 * Kernel class and we allow unknown so pad the allow decision
510 * the pad will be all 1 for unknown classes.
511 */
512 if (tclass <= kdefs->cts_len && policydb.allow_unknown)
513 avd->allowed = policydb.undefined_perms[tclass - 1];
514
515 /*
516 * Not in policy. Since decision is completed (all 1 or all 0) return.
517 */
518 if (unlikely(tclass > policydb.p_classes.nprim))
519 return 0;
520 639
521 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 640 tclass_datum = policydb.class_val_to_struct[tclass - 1];
522 641
@@ -568,8 +687,8 @@ static int context_struct_compute_av(struct context *scontext,
568 * role is changing, then check the (current_role, new_role) 687 * role is changing, then check the (current_role, new_role)
569 * pair. 688 * pair.
570 */ 689 */
571 if (tclass == SECCLASS_PROCESS && 690 if (tclass == policydb.process_class &&
572 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 691 (avd->allowed & policydb.process_trans_perms) &&
573 scontext->role != tcontext->role) { 692 scontext->role != tcontext->role) {
574 for (ra = policydb.role_allow; ra; ra = ra->next) { 693 for (ra = policydb.role_allow; ra; ra = ra->next) {
575 if (scontext->role == ra->role && 694 if (scontext->role == ra->role &&
@@ -577,8 +696,7 @@ static int context_struct_compute_av(struct context *scontext,
577 break; 696 break;
578 } 697 }
579 if (!ra) 698 if (!ra)
580 avd->allowed &= ~(PROCESS__TRANSITION | 699 avd->allowed &= ~policydb.process_trans_perms;
581 PROCESS__DYNTRANSITION);
582 } 700 }
583 701
584 /* 702 /*
@@ -590,21 +708,6 @@ static int context_struct_compute_av(struct context *scontext,
590 tclass, requested, avd); 708 tclass, requested, avd);
591 709
592 return 0; 710 return 0;
593
594inval_class:
595 if (!tclass || tclass > kdefs->cts_len ||
596 !kdefs->class_to_string[tclass]) {
597 if (printk_ratelimit())
598 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
599 __func__, tclass);
600 return -EINVAL;
601 }
602
603 /*
604 * Known to the kernel, but not to the policy.
605 * Handle as a denial (allowed is 0).
606 */
607 return 0;
608} 711}
609 712
610static int security_validtrans_handle_fail(struct context *ocontext, 713static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +739,14 @@ out:
636} 739}
637 740
638int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 741int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
639 u16 tclass) 742 u16 orig_tclass)
640{ 743{
641 struct context *ocontext; 744 struct context *ocontext;
642 struct context *ncontext; 745 struct context *ncontext;
643 struct context *tcontext; 746 struct context *tcontext;
644 struct class_datum *tclass_datum; 747 struct class_datum *tclass_datum;
645 struct constraint_node *constraint; 748 struct constraint_node *constraint;
749 u16 tclass;
646 int rc = 0; 750 int rc = 0;
647 751
648 if (!ss_initialized) 752 if (!ss_initialized)
@@ -650,16 +754,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
650 754
651 read_lock(&policy_rwlock); 755 read_lock(&policy_rwlock);
652 756
653 /* 757 tclass = unmap_class(orig_tclass);
654 * Remap extended Netlink classes for old policy versions.
655 * Do this here rather than socket_type_to_security_class()
656 * in case a newer policy version is loaded, allowing sockets
657 * to remain in the correct class.
658 */
659 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
660 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
661 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
662 tclass = SECCLASS_NETLINK_SOCKET;
663 758
664 if (!tclass || tclass > policydb.p_classes.nprim) { 759 if (!tclass || tclass > policydb.p_classes.nprim) {
665 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 760 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -792,6 +887,38 @@ out:
792} 887}
793 888
794 889
890static int security_compute_av_core(u32 ssid,
891 u32 tsid,
892 u16 tclass,
893 u32 requested,
894 struct av_decision *avd)
895{
896 struct context *scontext = NULL, *tcontext = NULL;
897 int rc = 0;
898
899 scontext = sidtab_search(&sidtab, ssid);
900 if (!scontext) {
901 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
902 __func__, ssid);
903 return -EINVAL;
904 }
905 tcontext = sidtab_search(&sidtab, tsid);
906 if (!tcontext) {
907 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
908 __func__, tsid);
909 return -EINVAL;
910 }
911
912 rc = context_struct_compute_av(scontext, tcontext, tclass,
913 requested, avd);
914
915 /* permissive domain? */
916 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
917 avd->flags |= AVD_FLAGS_PERMISSIVE;
918
919 return rc;
920}
921
795/** 922/**
796 * security_compute_av - Compute access vector decisions. 923 * security_compute_av - Compute access vector decisions.
797 * @ssid: source security identifier 924 * @ssid: source security identifier
@@ -807,12 +934,49 @@ out:
807 */ 934 */
808int security_compute_av(u32 ssid, 935int security_compute_av(u32 ssid,
809 u32 tsid, 936 u32 tsid,
810 u16 tclass, 937 u16 orig_tclass,
811 u32 requested, 938 u32 orig_requested,
812 struct av_decision *avd) 939 struct av_decision *avd)
813{ 940{
814 struct context *scontext = NULL, *tcontext = NULL; 941 u16 tclass;
815 int rc = 0; 942 u32 requested;
943 int rc;
944
945 read_lock(&policy_rwlock);
946
947 if (!ss_initialized)
948 goto allow;
949
950 requested = unmap_perm(orig_tclass, orig_requested);
951 tclass = unmap_class(orig_tclass);
952 if (unlikely(orig_tclass && !tclass)) {
953 if (policydb.allow_unknown)
954 goto allow;
955 rc = -EINVAL;
956 goto out;
957 }
958 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
959 map_decision(orig_tclass, avd, policydb.allow_unknown);
960out:
961 read_unlock(&policy_rwlock);
962 return rc;
963allow:
964 avd->allowed = 0xffffffff;
965 avd->auditallow = 0;
966 avd->auditdeny = 0xffffffff;
967 avd->seqno = latest_granting;
968 avd->flags = 0;
969 rc = 0;
970 goto out;
971}
972
973int security_compute_av_user(u32 ssid,
974 u32 tsid,
975 u16 tclass,
976 u32 requested,
977 struct av_decision *avd)
978{
979 int rc;
816 980
817 if (!ss_initialized) { 981 if (!ss_initialized) {
818 avd->allowed = 0xffffffff; 982 avd->allowed = 0xffffffff;
@@ -823,29 +987,7 @@ int security_compute_av(u32 ssid,
823 } 987 }
824 988
825 read_lock(&policy_rwlock); 989 read_lock(&policy_rwlock);
826 990 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
827 scontext = sidtab_search(&sidtab, ssid);
828 if (!scontext) {
829 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
830 __func__, ssid);
831 rc = -EINVAL;
832 goto out;
833 }
834 tcontext = sidtab_search(&sidtab, tsid);
835 if (!tcontext) {
836 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
837 __func__, tsid);
838 rc = -EINVAL;
839 goto out;
840 }
841
842 rc = context_struct_compute_av(scontext, tcontext, tclass,
843 requested, avd);
844
845 /* permissive domain? */
846 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
847 avd->flags |= AVD_FLAGS_PERMISSIVE;
848out:
849 read_unlock(&policy_rwlock); 991 read_unlock(&policy_rwlock);
850 return rc; 992 return rc;
851} 993}
@@ -1204,20 +1346,22 @@ out:
1204 1346
1205static int security_compute_sid(u32 ssid, 1347static int security_compute_sid(u32 ssid,
1206 u32 tsid, 1348 u32 tsid,
1207 u16 tclass, 1349 u16 orig_tclass,
1208 u32 specified, 1350 u32 specified,
1209 u32 *out_sid) 1351 u32 *out_sid,
1352 bool kern)
1210{ 1353{
1211 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1354 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1212 struct role_trans *roletr = NULL; 1355 struct role_trans *roletr = NULL;
1213 struct avtab_key avkey; 1356 struct avtab_key avkey;
1214 struct avtab_datum *avdatum; 1357 struct avtab_datum *avdatum;
1215 struct avtab_node *node; 1358 struct avtab_node *node;
1359 u16 tclass;
1216 int rc = 0; 1360 int rc = 0;
1217 1361
1218 if (!ss_initialized) { 1362 if (!ss_initialized) {
1219 switch (tclass) { 1363 switch (orig_tclass) {
1220 case SECCLASS_PROCESS: 1364 case SECCLASS_PROCESS: /* kernel value */
1221 *out_sid = ssid; 1365 *out_sid = ssid;
1222 break; 1366 break;
1223 default: 1367 default:
@@ -1231,6 +1375,11 @@ static int security_compute_sid(u32 ssid,
1231 1375
1232 read_lock(&policy_rwlock); 1376 read_lock(&policy_rwlock);
1233 1377
1378 if (kern)
1379 tclass = unmap_class(orig_tclass);
1380 else
1381 tclass = orig_tclass;
1382
1234 scontext = sidtab_search(&sidtab, ssid); 1383 scontext = sidtab_search(&sidtab, ssid);
1235 if (!scontext) { 1384 if (!scontext) {
1236 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1385 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1260,13 +1409,11 @@ static int security_compute_sid(u32 ssid,
1260 } 1409 }
1261 1410
1262 /* Set the role and type to default values. */ 1411 /* Set the role and type to default values. */
1263 switch (tclass) { 1412 if (tclass == policydb.process_class) {
1264 case SECCLASS_PROCESS:
1265 /* Use the current role and type of process. */ 1413 /* Use the current role and type of process. */
1266 newcontext.role = scontext->role; 1414 newcontext.role = scontext->role;
1267 newcontext.type = scontext->type; 1415 newcontext.type = scontext->type;
1268 break; 1416 } else {
1269 default:
1270 /* Use the well-defined object role. */ 1417 /* Use the well-defined object role. */
1271 newcontext.role = OBJECT_R_VAL; 1418 newcontext.role = OBJECT_R_VAL;
1272 /* Use the type of the related object. */ 1419 /* Use the type of the related object. */
@@ -1297,8 +1444,7 @@ static int security_compute_sid(u32 ssid,
1297 } 1444 }
1298 1445
1299 /* Check for class-specific changes. */ 1446 /* Check for class-specific changes. */
1300 switch (tclass) { 1447 if (tclass == policydb.process_class) {
1301 case SECCLASS_PROCESS:
1302 if (specified & AVTAB_TRANSITION) { 1448 if (specified & AVTAB_TRANSITION) {
1303 /* Look for a role transition rule. */ 1449 /* Look for a role transition rule. */
1304 for (roletr = policydb.role_tr; roletr; 1450 for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1457,6 @@ static int security_compute_sid(u32 ssid,
1311 } 1457 }
1312 } 1458 }
1313 } 1459 }
1314 break;
1315 default:
1316 break;
1317 } 1460 }
1318 1461
1319 /* Set the MLS attributes. 1462 /* Set the MLS attributes.
@@ -1358,7 +1501,17 @@ int security_transition_sid(u32 ssid,
1358 u16 tclass, 1501 u16 tclass,
1359 u32 *out_sid) 1502 u32 *out_sid)
1360{ 1503{
1361 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1504 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1505 out_sid, true);
1506}
1507
1508int security_transition_sid_user(u32 ssid,
1509 u32 tsid,
1510 u16 tclass,
1511 u32 *out_sid)
1512{
1513 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1514 out_sid, false);
1362} 1515}
1363 1516
1364/** 1517/**
@@ -1379,7 +1532,8 @@ int security_member_sid(u32 ssid,
1379 u16 tclass, 1532 u16 tclass,
1380 u32 *out_sid) 1533 u32 *out_sid)
1381{ 1534{
1382 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1535 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1536 false);
1383} 1537}
1384 1538
1385/** 1539/**
@@ -1400,144 +1554,8 @@ int security_change_sid(u32 ssid,
1400 u16 tclass, 1554 u16 tclass,
1401 u32 *out_sid) 1555 u32 *out_sid)
1402{ 1556{
1403 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1557 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1404} 1558 false);
1405
1406/*
1407 * Verify that each kernel class that is defined in the
1408 * policy is correct
1409 */
1410static int validate_classes(struct policydb *p)
1411{
1412 int i, j;
1413 struct class_datum *cladatum;
1414 struct perm_datum *perdatum;
1415 u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1416 u16 class_val;
1417 const struct selinux_class_perm *kdefs = &selinux_class_perm;
1418 const char *def_class, *def_perm, *pol_class;
1419 struct symtab *perms;
1420 bool print_unknown_handle = 0;
1421
1422 if (p->allow_unknown) {
1423 u32 num_classes = kdefs->cts_len;
1424 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1425 if (!p->undefined_perms)
1426 return -ENOMEM;
1427 }
1428
1429 for (i = 1; i < kdefs->cts_len; i++) {
1430 def_class = kdefs->class_to_string[i];
1431 if (!def_class)
1432 continue;
1433 if (i > p->p_classes.nprim) {
1434 printk(KERN_INFO
1435 "SELinux: class %s not defined in policy\n",
1436 def_class);
1437 if (p->reject_unknown)
1438 return -EINVAL;
1439 if (p->allow_unknown)
1440 p->undefined_perms[i-1] = ~0U;
1441 print_unknown_handle = 1;
1442 continue;
1443 }
1444 pol_class = p->p_class_val_to_name[i-1];
1445 if (strcmp(pol_class, def_class)) {
1446 printk(KERN_ERR
1447 "SELinux: class %d is incorrect, found %s but should be %s\n",
1448 i, pol_class, def_class);
1449 return -EINVAL;
1450 }
1451 }
1452 for (i = 0; i < kdefs->av_pts_len; i++) {
1453 class_val = kdefs->av_perm_to_string[i].tclass;
1454 perm_val = kdefs->av_perm_to_string[i].value;
1455 def_perm = kdefs->av_perm_to_string[i].name;
1456 if (class_val > p->p_classes.nprim)
1457 continue;
1458 pol_class = p->p_class_val_to_name[class_val-1];
1459 cladatum = hashtab_search(p->p_classes.table, pol_class);
1460 BUG_ON(!cladatum);
1461 perms = &cladatum->permissions;
1462 nprim = 1 << (perms->nprim - 1);
1463 if (perm_val > nprim) {
1464 printk(KERN_INFO
1465 "SELinux: permission %s in class %s not defined in policy\n",
1466 def_perm, pol_class);
1467 if (p->reject_unknown)
1468 return -EINVAL;
1469 if (p->allow_unknown)
1470 p->undefined_perms[class_val-1] |= perm_val;
1471 print_unknown_handle = 1;
1472 continue;
1473 }
1474 perdatum = hashtab_search(perms->table, def_perm);
1475 if (perdatum == NULL) {
1476 printk(KERN_ERR
1477 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1478 def_perm, pol_class);
1479 return -EINVAL;
1480 }
1481 pol_val = 1 << (perdatum->value - 1);
1482 if (pol_val != perm_val) {
1483 printk(KERN_ERR
1484 "SELinux: permission %s in class %s has incorrect value\n",
1485 def_perm, pol_class);
1486 return -EINVAL;
1487 }
1488 }
1489 for (i = 0; i < kdefs->av_inherit_len; i++) {
1490 class_val = kdefs->av_inherit[i].tclass;
1491 if (class_val > p->p_classes.nprim)
1492 continue;
1493 pol_class = p->p_class_val_to_name[class_val-1];
1494 cladatum = hashtab_search(p->p_classes.table, pol_class);
1495 BUG_ON(!cladatum);
1496 if (!cladatum->comdatum) {
1497 printk(KERN_ERR
1498 "SELinux: class %s should have an inherits clause but does not\n",
1499 pol_class);
1500 return -EINVAL;
1501 }
1502 tmp = kdefs->av_inherit[i].common_base;
1503 common_pts_len = 0;
1504 while (!(tmp & 0x01)) {
1505 common_pts_len++;
1506 tmp >>= 1;
1507 }
1508 perms = &cladatum->comdatum->permissions;
1509 for (j = 0; j < common_pts_len; j++) {
1510 def_perm = kdefs->av_inherit[i].common_pts[j];
1511 if (j >= perms->nprim) {
1512 printk(KERN_INFO
1513 "SELinux: permission %s in class %s not defined in policy\n",
1514 def_perm, pol_class);
1515 if (p->reject_unknown)
1516 return -EINVAL;
1517 if (p->allow_unknown)
1518 p->undefined_perms[class_val-1] |= (1 << j);
1519 print_unknown_handle = 1;
1520 continue;
1521 }
1522 perdatum = hashtab_search(perms->table, def_perm);
1523 if (perdatum == NULL) {
1524 printk(KERN_ERR
1525 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1526 def_perm, pol_class);
1527 return -EINVAL;
1528 }
1529 if (perdatum->value != j + 1) {
1530 printk(KERN_ERR
1531 "SELinux: permission %s in class %s has incorrect value\n",
1532 def_perm, pol_class);
1533 return -EINVAL;
1534 }
1535 }
1536 }
1537 if (print_unknown_handle)
1538 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1539 (security_get_allow_unknown() ? "allowed" : "denied"));
1540 return 0;
1541} 1559}
1542 1560
1543/* Clone the SID into the new SID table. */ 1561/* Clone the SID into the new SID table. */
@@ -1710,8 +1728,10 @@ int security_load_policy(void *data, size_t len)
1710{ 1728{
1711 struct policydb oldpolicydb, newpolicydb; 1729 struct policydb oldpolicydb, newpolicydb;
1712 struct sidtab oldsidtab, newsidtab; 1730 struct sidtab oldsidtab, newsidtab;
1731 struct selinux_mapping *oldmap, *map = NULL;
1713 struct convert_context_args args; 1732 struct convert_context_args args;
1714 u32 seqno; 1733 u32 seqno;
1734 u16 map_size;
1715 int rc = 0; 1735 int rc = 0;
1716 struct policy_file file = { data, len }, *fp = &file; 1736 struct policy_file file = { data, len }, *fp = &file;
1717 1737
@@ -1721,22 +1741,19 @@ int security_load_policy(void *data, size_t len)
1721 avtab_cache_destroy(); 1741 avtab_cache_destroy();
1722 return -EINVAL; 1742 return -EINVAL;
1723 } 1743 }
1724 if (policydb_load_isids(&policydb, &sidtab)) { 1744 if (selinux_set_mapping(&policydb, secclass_map,
1745 &current_mapping,
1746 &current_mapping_size)) {
1725 policydb_destroy(&policydb); 1747 policydb_destroy(&policydb);
1726 avtab_cache_destroy(); 1748 avtab_cache_destroy();
1727 return -EINVAL; 1749 return -EINVAL;
1728 } 1750 }
1729 /* Verify that the kernel defined classes are correct. */ 1751 if (policydb_load_isids(&policydb, &sidtab)) {
1730 if (validate_classes(&policydb)) {
1731 printk(KERN_ERR
1732 "SELinux: the definition of a class is incorrect\n");
1733 sidtab_destroy(&sidtab);
1734 policydb_destroy(&policydb); 1752 policydb_destroy(&policydb);
1735 avtab_cache_destroy(); 1753 avtab_cache_destroy();
1736 return -EINVAL; 1754 return -EINVAL;
1737 } 1755 }
1738 security_load_policycaps(); 1756 security_load_policycaps();
1739 policydb_loaded_version = policydb.policyvers;
1740 ss_initialized = 1; 1757 ss_initialized = 1;
1741 seqno = ++latest_granting; 1758 seqno = ++latest_granting;
1742 selinux_complete_init(); 1759 selinux_complete_init();
@@ -1759,13 +1776,9 @@ int security_load_policy(void *data, size_t len)
1759 return -ENOMEM; 1776 return -ENOMEM;
1760 } 1777 }
1761 1778
1762 /* Verify that the kernel defined classes are correct. */ 1779 if (selinux_set_mapping(&newpolicydb, secclass_map,
1763 if (validate_classes(&newpolicydb)) { 1780 &map, &map_size))
1764 printk(KERN_ERR
1765 "SELinux: the definition of a class is incorrect\n");
1766 rc = -EINVAL;
1767 goto err; 1781 goto err;
1768 }
1769 1782
1770 rc = security_preserve_bools(&newpolicydb); 1783 rc = security_preserve_bools(&newpolicydb);
1771 if (rc) { 1784 if (rc) {
@@ -1799,13 +1812,16 @@ int security_load_policy(void *data, size_t len)
1799 memcpy(&policydb, &newpolicydb, sizeof policydb); 1812 memcpy(&policydb, &newpolicydb, sizeof policydb);
1800 sidtab_set(&sidtab, &newsidtab); 1813 sidtab_set(&sidtab, &newsidtab);
1801 security_load_policycaps(); 1814 security_load_policycaps();
1815 oldmap = current_mapping;
1816 current_mapping = map;
1817 current_mapping_size = map_size;
1802 seqno = ++latest_granting; 1818 seqno = ++latest_granting;
1803 policydb_loaded_version = policydb.policyvers;
1804 write_unlock_irq(&policy_rwlock); 1819 write_unlock_irq(&policy_rwlock);
1805 1820
1806 /* Free the old policydb and SID table. */ 1821 /* Free the old policydb and SID table. */
1807 policydb_destroy(&oldpolicydb); 1822 policydb_destroy(&oldpolicydb);
1808 sidtab_destroy(&oldsidtab); 1823 sidtab_destroy(&oldsidtab);
1824 kfree(oldmap);
1809 1825
1810 avc_ss_reset(seqno); 1826 avc_ss_reset(seqno);
1811 selnl_notify_policyload(seqno); 1827 selnl_notify_policyload(seqno);
@@ -1815,6 +1831,7 @@ int security_load_policy(void *data, size_t len)
1815 return 0; 1831 return 0;
1816 1832
1817err: 1833err:
1834 kfree(map);
1818 sidtab_destroy(&newsidtab); 1835 sidtab_destroy(&newsidtab);
1819 policydb_destroy(&newpolicydb); 1836 policydb_destroy(&newpolicydb);
1820 return rc; 1837 return rc;
@@ -2091,7 +2108,7 @@ out_unlock:
2091 } 2108 }
2092 for (i = 0, j = 0; i < mynel; i++) { 2109 for (i = 0, j = 0; i < mynel; i++) {
2093 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2110 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2094 SECCLASS_PROCESS, 2111 SECCLASS_PROCESS, /* kernel value */
2095 PROCESS__TRANSITION, AVC_STRICT, 2112 PROCESS__TRANSITION, AVC_STRICT,
2096 NULL); 2113 NULL);
2097 if (!rc) 2114 if (!rc)
@@ -2119,10 +2136,11 @@ out:
2119 */ 2136 */
2120int security_genfs_sid(const char *fstype, 2137int security_genfs_sid(const char *fstype,
2121 char *path, 2138 char *path,
2122 u16 sclass, 2139 u16 orig_sclass,
2123 u32 *sid) 2140 u32 *sid)
2124{ 2141{
2125 int len; 2142 int len;
2143 u16 sclass;
2126 struct genfs *genfs; 2144 struct genfs *genfs;
2127 struct ocontext *c; 2145 struct ocontext *c;
2128 int rc = 0, cmp = 0; 2146 int rc = 0, cmp = 0;
@@ -2132,6 +2150,8 @@ int security_genfs_sid(const char *fstype,
2132 2150
2133 read_lock(&policy_rwlock); 2151 read_lock(&policy_rwlock);
2134 2152
2153 sclass = unmap_class(orig_sclass);
2154
2135 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2155 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2136 cmp = strcmp(fstype, genfs->fstype); 2156 cmp = strcmp(fstype, genfs->fstype);
2137 if (cmp <= 0) 2157 if (cmp <= 0)
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 3c8bd8ee0b95..e0d0354008b7 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
187 const s8 pattern_type, const s8 end_type, 187 const s8 pattern_type, const s8 end_type,
188 const char *function) 188 const char *function)
189{ 189{
190 const char *const start = filename;
191 bool in_repetition = false;
190 bool contains_pattern = false; 192 bool contains_pattern = false;
191 unsigned char c; 193 unsigned char c;
192 unsigned char d; 194 unsigned char d;
@@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
212 if (c == '/') 214 if (c == '/')
213 goto out; 215 goto out;
214 } 216 }
215 while ((c = *filename++) != '\0') { 217 while (1) {
218 c = *filename++;
219 if (!c)
220 break;
216 if (c == '\\') { 221 if (c == '\\') {
217 switch ((c = *filename++)) { 222 c = *filename++;
223 switch (c) {
218 case '\\': /* "\\" */ 224 case '\\': /* "\\" */
219 continue; 225 continue;
220 case '$': /* "\$" */ 226 case '$': /* "\$" */
@@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
231 break; /* Must not contain pattern */ 237 break; /* Must not contain pattern */
232 contains_pattern = true; 238 contains_pattern = true;
233 continue; 239 continue;
240 case '{': /* "/\{" */
241 if (filename - 3 < start ||
242 *(filename - 3) != '/')
243 break;
244 if (pattern_type == -1)
245 break; /* Must not contain pattern */
246 contains_pattern = true;
247 in_repetition = true;
248 continue;
249 case '}': /* "\}/" */
250 if (*filename != '/')
251 break;
252 if (!in_repetition)
253 break;
254 in_repetition = false;
255 continue;
234 case '0': /* "\ooo" */ 256 case '0': /* "\ooo" */
235 case '1': 257 case '1':
236 case '2': 258 case '2':
@@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
246 continue; /* pattern is not \000 */ 268 continue; /* pattern is not \000 */
247 } 269 }
248 goto out; 270 goto out;
271 } else if (in_repetition && c == '/') {
272 goto out;
249 } else if (tomoyo_is_invalid(c)) { 273 } else if (tomoyo_is_invalid(c)) {
250 goto out; 274 goto out;
251 } 275 }
@@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
254 if (!contains_pattern) 278 if (!contains_pattern)
255 goto out; 279 goto out;
256 } 280 }
281 if (in_repetition)
282 goto out;
257 return true; 283 return true;
258 out: 284 out:
259 printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function, 285 printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
@@ -360,33 +386,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
360} 386}
361 387
362/** 388/**
363 * tomoyo_path_depth - Evaluate the number of '/' in a string.
364 *
365 * @pathname: The string to evaluate.
366 *
367 * Returns path depth of the string.
368 *
369 * I score 2 for each of the '/' in the @pathname
370 * and score 1 if the @pathname ends with '/'.
371 */
372static int tomoyo_path_depth(const char *pathname)
373{
374 int i = 0;
375
376 if (pathname) {
377 const char *ep = pathname + strlen(pathname);
378 if (pathname < ep--) {
379 if (*ep != '/')
380 i++;
381 while (pathname <= ep)
382 if (*ep-- == '/')
383 i += 2;
384 }
385 }
386 return i;
387}
388
389/**
390 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token. 389 * tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
391 * 390 *
392 * @filename: The string to evaluate. 391 * @filename: The string to evaluate.
@@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
444 ptr->is_dir = len && (name[len - 1] == '/'); 443 ptr->is_dir = len && (name[len - 1] == '/');
445 ptr->is_patterned = (ptr->const_len < len); 444 ptr->is_patterned = (ptr->const_len < len);
446 ptr->hash = full_name_hash(name, len); 445 ptr->hash = full_name_hash(name, len);
447 ptr->depth = tomoyo_path_depth(name);
448} 446}
449 447
450/** 448/**
451 * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character 449 * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
452 * and "\-" pattern. 450 * and "\-" pattern.
453 * 451 *
454 * @filename: The start of string to check. 452 * @filename: The start of string to check.
@@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
458 * 456 *
459 * Returns true if @filename matches @pattern, false otherwise. 457 * Returns true if @filename matches @pattern, false otherwise.
460 */ 458 */
461static bool tomoyo_file_matches_to_pattern2(const char *filename, 459static bool tomoyo_file_matches_pattern2(const char *filename,
462 const char *filename_end, 460 const char *filename_end,
463 const char *pattern, 461 const char *pattern,
464 const char *pattern_end) 462 const char *pattern_end)
465{ 463{
466 while (filename < filename_end && pattern < pattern_end) { 464 while (filename < filename_end && pattern < pattern_end) {
467 char c; 465 char c;
@@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
519 case '*': 517 case '*':
520 case '@': 518 case '@':
521 for (i = 0; i <= filename_end - filename; i++) { 519 for (i = 0; i <= filename_end - filename; i++) {
522 if (tomoyo_file_matches_to_pattern2( 520 if (tomoyo_file_matches_pattern2(
523 filename + i, filename_end, 521 filename + i, filename_end,
524 pattern + 1, pattern_end)) 522 pattern + 1, pattern_end))
525 return true; 523 return true;
@@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
550 j++; 548 j++;
551 } 549 }
552 for (i = 1; i <= j; i++) { 550 for (i = 1; i <= j; i++) {
553 if (tomoyo_file_matches_to_pattern2( 551 if (tomoyo_file_matches_pattern2(
554 filename + i, filename_end, 552 filename + i, filename_end,
555 pattern + 1, pattern_end)) 553 pattern + 1, pattern_end))
556 return true; 554 return true;
@@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
567} 565}
568 566
569/** 567/**
570 * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character. 568 * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
571 * 569 *
572 * @filename: The start of string to check. 570 * @filename: The start of string to check.
573 * @filename_end: The end of string to check. 571 * @filename_end: The end of string to check.
@@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
576 * 574 *
577 * Returns true if @filename matches @pattern, false otherwise. 575 * Returns true if @filename matches @pattern, false otherwise.
578 */ 576 */
579static bool tomoyo_file_matches_to_pattern(const char *filename, 577static bool tomoyo_file_matches_pattern(const char *filename,
580 const char *filename_end, 578 const char *filename_end,
581 const char *pattern, 579 const char *pattern,
582 const char *pattern_end) 580 const char *pattern_end)
@@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
589 /* Split at "\-" pattern. */ 587 /* Split at "\-" pattern. */
590 if (*pattern++ != '\\' || *pattern++ != '-') 588 if (*pattern++ != '\\' || *pattern++ != '-')
591 continue; 589 continue;
592 result = tomoyo_file_matches_to_pattern2(filename, 590 result = tomoyo_file_matches_pattern2(filename,
593 filename_end, 591 filename_end,
594 pattern_start, 592 pattern_start,
595 pattern - 2); 593 pattern - 2);
596 if (first) 594 if (first)
597 result = !result; 595 result = !result;
598 if (result) 596 if (result)
@@ -600,13 +598,79 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
600 first = false; 598 first = false;
601 pattern_start = pattern; 599 pattern_start = pattern;
602 } 600 }
603 result = tomoyo_file_matches_to_pattern2(filename, filename_end, 601 result = tomoyo_file_matches_pattern2(filename, filename_end,
604 pattern_start, pattern_end); 602 pattern_start, pattern_end);
605 return first ? result : !result; 603 return first ? result : !result;
606} 604}
607 605
608/** 606/**
607 * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
608 *
609 * @f: The start of string to check.
610 * @p: The start of pattern to compare.
611 *
612 * Returns true if @f matches @p, false otherwise.
613 */
614static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
615{
616 const char *f_delimiter;
617 const char *p_delimiter;
618
619 while (*f && *p) {
620 f_delimiter = strchr(f, '/');
621 if (!f_delimiter)
622 f_delimiter = f + strlen(f);
623 p_delimiter = strchr(p, '/');
624 if (!p_delimiter)
625 p_delimiter = p + strlen(p);
626 if (*p == '\\' && *(p + 1) == '{')
627 goto recursive;
628 if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
629 p_delimiter))
630 return false;
631 f = f_delimiter;
632 if (*f)
633 f++;
634 p = p_delimiter;
635 if (*p)
636 p++;
637 }
638 /* Ignore trailing "\*" and "\@" in @pattern. */
639 while (*p == '\\' &&
640 (*(p + 1) == '*' || *(p + 1) == '@'))
641 p += 2;
642 return !*f && !*p;
643 recursive:
644 /*
645 * The "\{" pattern is permitted only after '/' character.
646 * This guarantees that below "*(p - 1)" is safe.
647 * Also, the "\}" pattern is permitted only before '/' character
648 * so that "\{" + "\}" pair will not break the "\-" operator.
649 */
650 if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
651 *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
652 return false; /* Bad pattern. */
653 do {
654 /* Compare current component with pattern. */
655 if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
656 p_delimiter - 2))
657 break;
658 /* Proceed to next component. */
659 f = f_delimiter;
660 if (!*f)
661 break;
662 f++;
663 /* Continue comparison. */
664 if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
665 return true;
666 f_delimiter = strchr(f, '/');
667 } while (f_delimiter);
668 return false; /* Not matched. */
669}
670
671/**
609 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern. 672 * tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
673 *
610 * @filename: The filename to check. 674 * @filename: The filename to check.
611 * @pattern: The pattern to compare. 675 * @pattern: The pattern to compare.
612 * 676 *
@@ -615,24 +679,24 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
615 * The following patterns are available. 679 * The following patterns are available.
616 * \\ \ itself. 680 * \\ \ itself.
617 * \ooo Octal representation of a byte. 681 * \ooo Octal representation of a byte.
618 * \* More than or equals to 0 character other than '/'. 682 * \* Zero or more repetitions of characters other than '/'.
619 * \@ More than or equals to 0 character other than '/' or '.'. 683 * \@ Zero or more repetitions of characters other than '/' or '.'.
620 * \? 1 byte character other than '/'. 684 * \? 1 byte character other than '/'.
621 * \$ More than or equals to 1 decimal digit. 685 * \$ One or more repetitions of decimal digits.
622 * \+ 1 decimal digit. 686 * \+ 1 decimal digit.
623 * \X More than or equals to 1 hexadecimal digit. 687 * \X One or more repetitions of hexadecimal digits.
624 * \x 1 hexadecimal digit. 688 * \x 1 hexadecimal digit.
625 * \A More than or equals to 1 alphabet character. 689 * \A One or more repetitions of alphabet characters.
626 * \a 1 alphabet character. 690 * \a 1 alphabet character.
691 *
627 * \- Subtraction operator. 692 * \- Subtraction operator.
693 *
694 * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
695 * /dir/dir/dir/ ).
628 */ 696 */
629bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename, 697bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
630 const struct tomoyo_path_info *pattern) 698 const struct tomoyo_path_info *pattern)
631{ 699{
632 /*
633 if (!filename || !pattern)
634 return false;
635 */
636 const char *f = filename->name; 700 const char *f = filename->name;
637 const char *p = pattern->name; 701 const char *p = pattern->name;
638 const int len = pattern->const_len; 702 const int len = pattern->const_len;
@@ -640,37 +704,15 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
640 /* If @pattern doesn't contain pattern, I can use strcmp(). */ 704 /* If @pattern doesn't contain pattern, I can use strcmp(). */
641 if (!pattern->is_patterned) 705 if (!pattern->is_patterned)
642 return !tomoyo_pathcmp(filename, pattern); 706 return !tomoyo_pathcmp(filename, pattern);
643 /* Dont compare if the number of '/' differs. */ 707 /* Don't compare directory and non-directory. */
644 if (filename->depth != pattern->depth) 708 if (filename->is_dir != pattern->is_dir)
645 return false; 709 return false;
646 /* Compare the initial length without patterns. */ 710 /* Compare the initial length without patterns. */
647 if (strncmp(f, p, len)) 711 if (strncmp(f, p, len))
648 return false; 712 return false;
649 f += len; 713 f += len;
650 p += len; 714 p += len;
651 /* Main loop. Compare each directory component. */ 715 return tomoyo_path_matches_pattern2(f, p);
652 while (*f && *p) {
653 const char *f_delimiter = strchr(f, '/');
654 const char *p_delimiter = strchr(p, '/');
655 if (!f_delimiter)
656 f_delimiter = f + strlen(f);
657 if (!p_delimiter)
658 p_delimiter = p + strlen(p);
659 if (!tomoyo_file_matches_to_pattern(f, f_delimiter,
660 p, p_delimiter))
661 return false;
662 f = f_delimiter;
663 if (*f)
664 f++;
665 p = p_delimiter;
666 if (*p)
667 p++;
668 }
669 /* Ignore trailing "\*" and "\@" in @pattern. */
670 while (*p == '\\' &&
671 (*(p + 1) == '*' || *(p + 1) == '@'))
672 p += 2;
673 return !*f && !*p;
674} 716}
675 717
676/** 718/**
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 31df541911f7..92169d29b2db 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -56,9 +56,6 @@ struct tomoyo_page_buffer {
56 * (5) "is_patterned" is a bool which is true if "name" contains wildcard 56 * (5) "is_patterned" is a bool which is true if "name" contains wildcard
57 * characters, false otherwise. This allows TOMOYO to use "hash" and 57 * characters, false otherwise. This allows TOMOYO to use "hash" and
58 * strcmp() for string comparison if "is_patterned" is false. 58 * strcmp() for string comparison if "is_patterned" is false.
59 * (6) "depth" is calculated using the number of "/" characters in "name".
60 * This allows TOMOYO to avoid comparing two pathnames which never match
61 * (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
62 */ 59 */
63struct tomoyo_path_info { 60struct tomoyo_path_info {
64 const char *name; 61 const char *name;
@@ -66,7 +63,6 @@ struct tomoyo_path_info {
66 u16 const_len; /* = tomoyo_const_part_length(name) */ 63 u16 const_len; /* = tomoyo_const_part_length(name) */
67 bool is_dir; /* = tomoyo_strendswith(name, "/") */ 64 bool is_dir; /* = tomoyo_strendswith(name, "/") */
68 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */ 65 bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
69 u16 depth; /* = tomoyo_path_depth(name) */
70}; 66};
71 67
72/* 68/*
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 5f2e33263371..917f564cdab1 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -13,6 +13,8 @@
13#include <linux/mount.h> 13#include <linux/mount.h>
14#include <linux/mnt_namespace.h> 14#include <linux/mnt_namespace.h>
15#include <linux/fs_struct.h> 15#include <linux/fs_struct.h>
16#include <linux/hash.h>
17
16#include "common.h" 18#include "common.h"
17#include "realpath.h" 19#include "realpath.h"
18 20
@@ -263,7 +265,8 @@ static unsigned int tomoyo_quota_for_savename;
263 * table. Frequency of appending strings is very low. So we don't need 265 * table. Frequency of appending strings is very low. So we don't need
264 * large (e.g. 64k) hash size. 256 will be sufficient. 266 * large (e.g. 64k) hash size. 256 will be sufficient.
265 */ 267 */
266#define TOMOYO_MAX_HASH 256 268#define TOMOYO_HASH_BITS 8
269#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
267 270
268/* 271/*
269 * tomoyo_name_entry is a structure which is used for linking 272 * tomoyo_name_entry is a structure which is used for linking
@@ -315,6 +318,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
315 struct tomoyo_free_memory_block_list *fmb; 318 struct tomoyo_free_memory_block_list *fmb;
316 int len; 319 int len;
317 char *cp; 320 char *cp;
321 struct list_head *head;
318 322
319 if (!name) 323 if (!name)
320 return NULL; 324 return NULL;
@@ -325,9 +329,10 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
325 return NULL; 329 return NULL;
326 } 330 }
327 hash = full_name_hash((const unsigned char *) name, len - 1); 331 hash = full_name_hash((const unsigned char *) name, len - 1);
332 head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];
333
328 mutex_lock(&lock); 334 mutex_lock(&lock);
329 list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH], 335 list_for_each_entry(ptr, head, list) {
330 list) {
331 if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name)) 336 if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name))
332 goto out; 337 goto out;
333 } 338 }
@@ -365,7 +370,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
365 tomoyo_fill_path_info(&ptr->entry); 370 tomoyo_fill_path_info(&ptr->entry);
366 fmb->ptr += len; 371 fmb->ptr += len;
367 fmb->len -= len; 372 fmb->len -= len;
368 list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]); 373 list_add_tail(&ptr->list, head);
369 if (fmb->len == 0) { 374 if (fmb->len == 0) {
370 list_del(&fmb->list); 375 list_del(&fmb->list);
371 kfree(fmb); 376 kfree(fmb);