Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/.gitignore2
-rw-r--r--security/selinux/Makefile10
-rw-r--r--security/selinux/avc.c320
-rw-r--r--security/selinux/exports.c6
-rw-r--r--security/selinux/hooks.c341
-rw-r--r--security/selinux/include/av_inherit.h33
-rw-r--r--security/selinux/include/av_perm_to_string.h182
-rw-r--r--security/selinux/include/av_permissions.h847
-rw-r--r--security/selinux/include/avc.h55
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h79
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h90
-rw-r--r--security/selinux/include/netlabel.h4
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/include/xfrm.h8
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/Makefile2
-rw-r--r--security/selinux/ss/mls.c2
-rw-r--r--security/selinux/ss/policydb.c47
-rw-r--r--security/selinux/ss/policydb.h7
-rw-r--r--security/selinux/ss/services.c700
-rw-r--r--security/selinux/xfrm.c4
25 files changed, 993 insertions, 1994 deletions
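diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 000000000000..2e5040a3d48b
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
+av_permissions.h
+flask.h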
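diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index d47fc5e545e0..f013982df417 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
 
 selinux-$(CONFIG_NETLABEL) += netlabel.o
 
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 
+$(obj)/avc.o: $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+      cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h
+$(obj)/flask.h: $(src)/include/classmap.h FORCE
+	$(call if_changed,flask)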
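Review bot: Only `$(obj)/avc.o` is made to depend on the generated `$(obj)/flask.h`, while the new `-Isecurity/selinux` include path is added to EXTRA_CFLAGS for every object in the directory, which suggests the other objects (hooks.o, ss/services.o and the rest) also include the generated flask.h / av_permissions.h. Under a parallel build those objects can be compiled before genheaders has run and fail on the missing header; the diffstat in this commit shows hooks.c and services.c being reworked against the new class map, so the exposure is not limited to avc.c. Making every object of the composite target depend on the generated header closes the ordering gap: `$(addprefix $(obj)/,$(selinux-y)): $(obj)/flask.h`. Whether every listed object really includes the generated headers is not visible in this section and is worth confirming before relaxing the rule again.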
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b2ab60859832..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
31#include <net/ipv6.h> 31#include <net/ipv6.h>
32#include "avc.h" 32#include "avc.h"
33#include "avc_ss.h" 33#include "avc_ss.h"
34 34#include "classmap.h"
35static const struct av_perm_to_string av_perm_to_string[] = {
36#define S_(c, v, s) { c, v, s },
37#include "av_perm_to_string.h"
38#undef S_
39};
40
41static const char *class_to_string[] = {
42#define S_(s) s,
43#include "class_to_string.h"
44#undef S_
45};
46
47#define TB_(s) static const char *s[] = {
48#define TE_(s) };
49#define S_(s) s,
50#include "common_perm_to_string.h"
51#undef TB_
52#undef TE_
53#undef S_
54
55static const struct av_inherit av_inherit[] = {
56#define S_(c, i, b) { .tclass = c,\
57 .common_pts = common_##i##_perm_to_string,\
58 .common_base = b },
59#include "av_inherit.h"
60#undef S_
61};
62
63const struct selinux_class_perm selinux_class_perm = {
64 .av_perm_to_string = av_perm_to_string,
65 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
66 .class_to_string = class_to_string,
67 .cts_len = ARRAY_SIZE(class_to_string),
68 .av_inherit = av_inherit,
69 .av_inherit_len = ARRAY_SIZE(av_inherit)
70};
71 35
72#define AVC_CACHE_SLOTS 512 36#define AVC_CACHE_SLOTS 512
73#define AVC_DEF_CACHE_THRESHOLD 512 37#define AVC_DEF_CACHE_THRESHOLD 512
@@ -137,54 +101,30 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
137 * @tclass: target security class 101 * @tclass: target security class
138 * @av: access vector 102 * @av: access vector
139 */ 103 */
140void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 104static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
141{ 105{
142 const char **common_pts = NULL; 106 const char **perms;
143 u32 common_base = 0; 107 int i, perm;
144 int i, i2, perm;
145 108
146 if (av == 0) { 109 if (av == 0) {
147 audit_log_format(ab, " null"); 110 audit_log_format(ab, " null");
148 return; 111 return;
149 } 112 }
150 113
151 for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { 114 perms = secclass_map[tclass-1].perms;
152 if (av_inherit[i].tclass == tclass) {
153 common_pts = av_inherit[i].common_pts;
154 common_base = av_inherit[i].common_base;
155 break;
156 }
157 }
158 115
159 audit_log_format(ab, " {"); 116 audit_log_format(ab, " {");
160 i = 0; 117 i = 0;
161 perm = 1; 118 perm = 1;
162 while (perm < common_base) { 119 while (i < (sizeof(av) * 8)) {
163 if (perm & av) { 120 if ((perm & av) && perms[i]) {
164 audit_log_format(ab, " %s", common_pts[i]); 121 audit_log_format(ab, " %s", perms[i]);
165 av &= ~perm; 122 av &= ~perm;
166 } 123 }
167 i++; 124 i++;
168 perm <<= 1; 125 perm <<= 1;
169 } 126 }
170 127
171 while (i < sizeof(av) * 8) {
172 if (perm & av) {
173 for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
174 if ((av_perm_to_string[i2].tclass == tclass) &&
175 (av_perm_to_string[i2].value == perm))
176 break;
177 }
178 if (i2 < ARRAY_SIZE(av_perm_to_string)) {
179 audit_log_format(ab, " %s",
180 av_perm_to_string[i2].name);
181 av &= ~perm;
182 }
183 }
184 i++;
185 perm <<= 1;
186 }
187
188 if (av) 128 if (av)
189 audit_log_format(ab, " 0x%x", av); 129 audit_log_format(ab, " 0x%x", av);
190 130
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
219 kfree(scontext); 159 kfree(scontext);
220 } 160 }
221 161
222 BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 162 BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
223 audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 163 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
224} 164}
225 165
226/** 166/**
@@ -492,23 +432,35 @@ out:
492 return node; 432 return node;
493} 433}
494 434
495static inline void avc_print_ipv6_addr(struct audit_buffer *ab, 435/**
496 struct in6_addr *addr, __be16 port, 436 * avc_audit_pre_callback - SELinux specific information
497 char *name1, char *name2) 437 * will be called by generic audit code
438 * @ab: the audit buffer
439 * @a: audit_data
440 */
441static void avc_audit_pre_callback(struct audit_buffer *ab, void *a)
498{ 442{
499 if (!ipv6_addr_any(addr)) 443 struct common_audit_data *ad = a;
500 audit_log_format(ab, " %s=%pI6", name1, addr); 444 audit_log_format(ab, "avc: %s ",
501 if (port) 445 ad->selinux_audit_data.denied ? "denied" : "granted");
502 audit_log_format(ab, " %s=%d", name2, ntohs(port)); 446 avc_dump_av(ab, ad->selinux_audit_data.tclass,
447 ad->selinux_audit_data.audited);
448 audit_log_format(ab, " for ");
503} 449}
504 450
505static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr, 451/**
506 __be16 port, char *name1, char *name2) 452 * avc_audit_post_callback - SELinux specific information
453 * will be called by generic audit code
454 * @ab: the audit buffer
455 * @a: audit_data
456 */
457static void avc_audit_post_callback(struct audit_buffer *ab, void *a)
507{ 458{
508 if (addr) 459 struct common_audit_data *ad = a;
509 audit_log_format(ab, " %s=%pI4", name1, &addr); 460 audit_log_format(ab, " ");
510 if (port) 461 avc_dump_query(ab, ad->selinux_audit_data.ssid,
511 audit_log_format(ab, " %s=%d", name2, ntohs(port)); 462 ad->selinux_audit_data.tsid,
463 ad->selinux_audit_data.tclass);
512} 464}
513 465
514/** 466/**
@@ -532,13 +484,10 @@ static inline void avc_print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
532 */ 484 */
533void avc_audit(u32 ssid, u32 tsid, 485void avc_audit(u32 ssid, u32 tsid,
534 u16 tclass, u32 requested, 486 u16 tclass, u32 requested,
535 struct av_decision *avd, int result, struct avc_audit_data *a) 487 struct av_decision *avd, int result, struct common_audit_data *a)
536{ 488{
537 struct task_struct *tsk = current; 489 struct common_audit_data stack_data;
538 struct inode *inode = NULL;
539 u32 denied, audited; 490 u32 denied, audited;
540 struct audit_buffer *ab;
541
542 denied = requested & ~avd->allowed; 491 denied = requested & ~avd->allowed;
543 if (denied) { 492 if (denied) {
544 audited = denied; 493 audited = denied;
@@ -551,144 +500,20 @@ void avc_audit(u32 ssid, u32 tsid,
551 if (!(audited & avd->auditallow)) 500 if (!(audited & avd->auditallow))
552 return; 501 return;
553 } 502 }
554 503 if (!a) {
555 ab = audit_log_start(current->audit_context, GFP_ATOMIC, AUDIT_AVC); 504 a = &stack_data;
556 if (!ab) 505 memset(a, 0, sizeof(*a));
557 return; /* audit_panic has been called */ 506 a->type = LSM_AUDIT_NO_AUDIT;
558 audit_log_format(ab, "avc: %s ", denied ? "denied" : "granted");
559 avc_dump_av(ab, tclass, audited);
560 audit_log_format(ab, " for ");
561 if (a && a->tsk)
562 tsk = a->tsk;
563 if (tsk && tsk->pid) {
564 audit_log_format(ab, " pid=%d comm=", tsk->pid);
565 audit_log_untrustedstring(ab, tsk->comm);
566 }
567 if (a) {
568 switch (a->type) {
569 case AVC_AUDIT_DATA_IPC:
570 audit_log_format(ab, " key=%d", a->u.ipc_id);
571 break;
572 case AVC_AUDIT_DATA_CAP:
573 audit_log_format(ab, " capability=%d", a->u.cap);
574 break;
575 case AVC_AUDIT_DATA_FS:
576 if (a->u.fs.path.dentry) {
577 struct dentry *dentry = a->u.fs.path.dentry;
578 if (a->u.fs.path.mnt) {
579 audit_log_d_path(ab, "path=",
580 &a->u.fs.path);
581 } else {
582 audit_log_format(ab, " name=");
583 audit_log_untrustedstring(ab, dentry->d_name.name);
584 }
585 inode = dentry->d_inode;
586 } else if (a->u.fs.inode) {
587 struct dentry *dentry;
588 inode = a->u.fs.inode;
589 dentry = d_find_alias(inode);
590 if (dentry) {
591 audit_log_format(ab, " name=");
592 audit_log_untrustedstring(ab, dentry->d_name.name);
593 dput(dentry);
594 }
595 }
596 if (inode)
597 audit_log_format(ab, " dev=%s ino=%lu",
598 inode->i_sb->s_id,
599 inode->i_ino);
600 break;
601 case AVC_AUDIT_DATA_NET:
602 if (a->u.net.sk) {
603 struct sock *sk = a->u.net.sk;
604 struct unix_sock *u;
605 int len = 0;
606 char *p = NULL;
607
608 switch (sk->sk_family) {
609 case AF_INET: {
610 struct inet_sock *inet = inet_sk(sk);
611
612 avc_print_ipv4_addr(ab, inet->rcv_saddr,
613 inet->sport,
614 "laddr", "lport");
615 avc_print_ipv4_addr(ab, inet->daddr,
616 inet->dport,
617 "faddr", "fport");
618 break;
619 }
620 case AF_INET6: {
621 struct inet_sock *inet = inet_sk(sk);
622 struct ipv6_pinfo *inet6 = inet6_sk(sk);
623
624 avc_print_ipv6_addr(ab, &inet6->rcv_saddr,
625 inet->sport,
626 "laddr", "lport");
627 avc_print_ipv6_addr(ab, &inet6->daddr,
628 inet->dport,
629 "faddr", "fport");
630 break;
631 }
632 case AF_UNIX:
633 u = unix_sk(sk);
634 if (u->dentry) {
635 struct path path = {
636 .dentry = u->dentry,
637 .mnt = u->mnt
638 };
639 audit_log_d_path(ab, "path=",
640 &path);
641 break;
642 }
643 if (!u->addr)
644 break;
645 len = u->addr->len-sizeof(short);
646 p = &u->addr->name->sun_path[0];
647 audit_log_format(ab, " path=");
648 if (*p)
649 audit_log_untrustedstring(ab, p);
650 else
651 audit_log_n_hex(ab, p, len);
652 break;
653 }
654 }
655
656 switch (a->u.net.family) {
657 case AF_INET:
658 avc_print_ipv4_addr(ab, a->u.net.v4info.saddr,
659 a->u.net.sport,
660 "saddr", "src");
661 avc_print_ipv4_addr(ab, a->u.net.v4info.daddr,
662 a->u.net.dport,
663 "daddr", "dest");
664 break;
665 case AF_INET6:
666 avc_print_ipv6_addr(ab, &a->u.net.v6info.saddr,
667 a->u.net.sport,
668 "saddr", "src");
669 avc_print_ipv6_addr(ab, &a->u.net.v6info.daddr,
670 a->u.net.dport,
671 "daddr", "dest");
672 break;
673 }
674 if (a->u.net.netif > 0) {
675 struct net_device *dev;
676
677 /* NOTE: we always use init's namespace */
678 dev = dev_get_by_index(&init_net,
679 a->u.net.netif);
680 if (dev) {
681 audit_log_format(ab, " netif=%s",
682 dev->name);
683 dev_put(dev);
684 }
685 }
686 break;
687 }
688 } 507 }
689 audit_log_format(ab, " "); 508 a->selinux_audit_data.tclass = tclass;
690 avc_dump_query(ab, ssid, tsid, tclass); 509 a->selinux_audit_data.requested = requested;
691 audit_log_end(ab); 510 a->selinux_audit_data.ssid = ssid;
511 a->selinux_audit_data.tsid = tsid;
512 a->selinux_audit_data.audited = audited;
513 a->selinux_audit_data.denied = denied;
514 a->lsm_pre_audit = avc_audit_pre_callback;
515 a->lsm_post_audit = avc_audit_post_callback;
516 common_lsm_audit(a);
692} 517}
693 518
694/** 519/**
@@ -824,18 +649,16 @@ out:
824} 649}
825 650
826/** 651/**
827 * avc_ss_reset - Flush the cache and revalidate migrated permissions. 652 * avc_flush - Flush the cache
828 * @seqno: policy sequence number
829 */ 653 */
830int avc_ss_reset(u32 seqno) 654static void avc_flush(void)
831{ 655{
832 struct avc_callback_node *c;
833 int i, rc = 0, tmprc;
834 unsigned long flag;
835 struct avc_node *node;
836 struct hlist_head *head; 656 struct hlist_head *head;
837 struct hlist_node *next; 657 struct hlist_node *next;
658 struct avc_node *node;
838 spinlock_t *lock; 659 spinlock_t *lock;
660 unsigned long flag;
661 int i;
839 662
840 for (i = 0; i < AVC_CACHE_SLOTS; i++) { 663 for (i = 0; i < AVC_CACHE_SLOTS; i++) {
841 head = &avc_cache.slots[i]; 664 head = &avc_cache.slots[i];
@@ -852,6 +675,18 @@ int avc_ss_reset(u32 seqno)
852 rcu_read_unlock(); 675 rcu_read_unlock();
853 spin_unlock_irqrestore(lock, flag); 676 spin_unlock_irqrestore(lock, flag);
854 } 677 }
678}
679
680/**
681 * avc_ss_reset - Flush the cache and revalidate migrated permissions.
682 * @seqno: policy sequence number
683 */
684int avc_ss_reset(u32 seqno)
685{
686 struct avc_callback_node *c;
687 int rc = 0, tmprc;
688
689 avc_flush();
855 690
856 for (c = avc_callbacks; c; c = c->next) { 691 for (c = avc_callbacks; c; c = c->next) {
857 if (c->events & AVC_CALLBACK_RESET) { 692 if (c->events & AVC_CALLBACK_RESET) {
@@ -956,7 +791,7 @@ out:
956 * another -errno upon other errors. 791 * another -errno upon other errors.
957 */ 792 */
958int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, 793int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
959 u32 requested, struct avc_audit_data *auditdata) 794 u32 requested, struct common_audit_data *auditdata)
960{ 795{
961 struct av_decision avd; 796 struct av_decision avd;
962 int rc; 797 int rc;
@@ -970,3 +805,22 @@ u32 avc_policy_seqno(void)
970{ 805{
971 return avc_cache.latest_notif; 806 return avc_cache.latest_notif;
972} 807}
808
809void avc_disable(void)
810{
811 /*
812 * If you are looking at this because you have realized that we are
813 * not destroying the avc_node_cachep it might be easy to fix, but
814 * I don't know the memory barrier semantics well enough to know. It's
815 * possible that some other task dereferenced security_ops when
816 * it still pointed to selinux operations. If that is the case it's
817 * possible that it is about to use the avc and is about to need the
818 * avc_node_cachep. I know I could wrap the security.c security_ops call
819 * in an rcu_lock, but seriously, it's not worth it. Instead I just flush
820 * the cache and get that memory back.
821 */
822 if (avc_node_cachep) {
823 avc_flush();
824 /* kmem_cache_destroy(avc_node_cachep); */
825 }
826}
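Review bot: In the avc_dump_av hunk, `perms = secclass_map[tclass-1].perms;` indexes the class map with no check on tclass, and the only guard in the section, `BUG_ON(tclass >= ARRAY_SIZE(secclass_map));` in avc_dump_query, is both wrong for a 1-based index (it rejects the last valid class and lets tclass == 0 through to `secclass_map[-1]`) and too late, because avc_audit_pre_callback calls avc_dump_av before avc_audit_post_callback ever reaches avc_dump_query. The check should read `BUG_ON(!tclass || tclass > ARRAY_SIZE(secclass_map));` and should run before the callbacks are installed in avc_audit, or at the top of avc_dump_av, so the pre-callback never reads outside the table. The perms loop additionally relies on `secclass_map[].perms` holding at least `sizeof(av) * 8` entries for every class; classmap.h is not part of this section, so that assumption is worth confirming rather than relying on the `perms[i]` NULL test alone.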
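diff --git a/security/selinux/exports.c b/security/selinux/exports.c
index c73aeaa008e8..c0a454aee1e0 100644
--- a/security/selinux/exports.c
+++ b/security/selinux/exports.c
@@ -63,3 +63,9 @@ void selinux_secmark_refcount_dec(void)
 	atomic_dec(&selinux_secmark_refcount);
 }
 EXPORT_SYMBOL_GPL(selinux_secmark_refcount_dec);
+
+bool selinux_is_enabled(void)
+{
+	return selinux_enabled;
+}
+EXPORT_SYMBOL_GPL(selinux_is_enabled);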
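Review bot: `selinux_is_enabled()` is exported with EXPORT_SYMBOL_GPL but carries no kernel-doc, so callers in other modules have nothing stating what the boolean promises. A one-line comment above the definition such as `/** selinux_is_enabled - report whether SELinux is active; mirrors the selinux_enabled flag */` would record the contract; whether a runtime disable also clears `selinux_enabled`, and therefore whether the value is stable after boot, is not visible in this section and should be spelled out once confirmed.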
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8d8b69c5664e..7a374c2eb043 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -13,8 +13,8 @@
13 * Eric Paris <eparis@redhat.com> 13 * Eric Paris <eparis@redhat.com>
14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc. 14 * Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15 * <dgoeddel@trustedcs.com> 15 * <dgoeddel@trustedcs.com>
16 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 16 * Copyright (C) 2006, 2007, 2009 Hewlett-Packard Development Company, L.P.
17 * Paul Moore <paul.moore@hp.com> 17 * Paul Moore <paul.moore@hp.com>
18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd. 18 * Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19 * Yuichi Nakamura <ynakam@hitachisoft.jp> 19 * Yuichi Nakamura <ynakam@hitachisoft.jp>
20 * 20 *
@@ -91,7 +91,6 @@
91 91
92#define NUM_SEL_MNT_OPTS 5 92#define NUM_SEL_MNT_OPTS 5
93 93
94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 94extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96extern struct security_operations *security_ops; 95extern struct security_operations *security_ops;
97 96
@@ -448,6 +447,10 @@ static int sb_finish_set_opts(struct super_block *sb)
448 sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) 447 sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
449 sbsec->flags &= ~SE_SBLABELSUPP; 448 sbsec->flags &= ~SE_SBLABELSUPP;
450 449
450 /* Special handling for sysfs. Is genfs but also has setxattr handler*/
451 if (strncmp(sb->s_type->name, "sysfs", sizeof("sysfs")) == 0)
452 sbsec->flags |= SE_SBLABELSUPP;
453
451 /* Initialize the root inode. */ 454 /* Initialize the root inode. */
452 rc = inode_doinit_with_dentry(root_inode, root); 455 rc = inode_doinit_with_dentry(root_inode, root);
453 456
@@ -1479,14 +1482,14 @@ static int task_has_capability(struct task_struct *tsk,
1479 const struct cred *cred, 1482 const struct cred *cred,
1480 int cap, int audit) 1483 int cap, int audit)
1481{ 1484{
1482 struct avc_audit_data ad; 1485 struct common_audit_data ad;
1483 struct av_decision avd; 1486 struct av_decision avd;
1484 u16 sclass; 1487 u16 sclass;
1485 u32 sid = cred_sid(cred); 1488 u32 sid = cred_sid(cred);
1486 u32 av = CAP_TO_MASK(cap); 1489 u32 av = CAP_TO_MASK(cap);
1487 int rc; 1490 int rc;
1488 1491
1489 AVC_AUDIT_DATA_INIT(&ad, CAP); 1492 COMMON_AUDIT_DATA_INIT(&ad, CAP);
1490 ad.tsk = tsk; 1493 ad.tsk = tsk;
1491 ad.u.cap = cap; 1494 ad.u.cap = cap;
1492 1495
@@ -1525,12 +1528,14 @@ static int task_has_system(struct task_struct *tsk,
1525static int inode_has_perm(const struct cred *cred, 1528static int inode_has_perm(const struct cred *cred,
1526 struct inode *inode, 1529 struct inode *inode,
1527 u32 perms, 1530 u32 perms,
1528 struct avc_audit_data *adp) 1531 struct common_audit_data *adp)
1529{ 1532{
1530 struct inode_security_struct *isec; 1533 struct inode_security_struct *isec;
1531 struct avc_audit_data ad; 1534 struct common_audit_data ad;
1532 u32 sid; 1535 u32 sid;
1533 1536
1537 validate_creds(cred);
1538
1534 if (unlikely(IS_PRIVATE(inode))) 1539 if (unlikely(IS_PRIVATE(inode)))
1535 return 0; 1540 return 0;
1536 1541
@@ -1539,7 +1544,7 @@ static int inode_has_perm(const struct cred *cred,
1539 1544
1540 if (!adp) { 1545 if (!adp) {
1541 adp = &ad; 1546 adp = &ad;
1542 AVC_AUDIT_DATA_INIT(&ad, FS); 1547 COMMON_AUDIT_DATA_INIT(&ad, FS);
1543 ad.u.fs.inode = inode; 1548 ad.u.fs.inode = inode;
1544 } 1549 }
1545 1550
@@ -1555,9 +1560,9 @@ static inline int dentry_has_perm(const struct cred *cred,
1555 u32 av) 1560 u32 av)
1556{ 1561{
1557 struct inode *inode = dentry->d_inode; 1562 struct inode *inode = dentry->d_inode;
1558 struct avc_audit_data ad; 1563 struct common_audit_data ad;
1559 1564
1560 AVC_AUDIT_DATA_INIT(&ad, FS); 1565 COMMON_AUDIT_DATA_INIT(&ad, FS);
1561 ad.u.fs.path.mnt = mnt; 1566 ad.u.fs.path.mnt = mnt;
1562 ad.u.fs.path.dentry = dentry; 1567 ad.u.fs.path.dentry = dentry;
1563 return inode_has_perm(cred, inode, av, &ad); 1568 return inode_has_perm(cred, inode, av, &ad);
@@ -1577,11 +1582,11 @@ static int file_has_perm(const struct cred *cred,
1577{ 1582{
1578 struct file_security_struct *fsec = file->f_security; 1583 struct file_security_struct *fsec = file->f_security;
1579 struct inode *inode = file->f_path.dentry->d_inode; 1584 struct inode *inode = file->f_path.dentry->d_inode;
1580 struct avc_audit_data ad; 1585 struct common_audit_data ad;
1581 u32 sid = cred_sid(cred); 1586 u32 sid = cred_sid(cred);
1582 int rc; 1587 int rc;
1583 1588
1584 AVC_AUDIT_DATA_INIT(&ad, FS); 1589 COMMON_AUDIT_DATA_INIT(&ad, FS);
1585 ad.u.fs.path = file->f_path; 1590 ad.u.fs.path = file->f_path;
1586 1591
1587 if (sid != fsec->sid) { 1592 if (sid != fsec->sid) {
@@ -1612,7 +1617,7 @@ static int may_create(struct inode *dir,
1612 struct inode_security_struct *dsec; 1617 struct inode_security_struct *dsec;
1613 struct superblock_security_struct *sbsec; 1618 struct superblock_security_struct *sbsec;
1614 u32 sid, newsid; 1619 u32 sid, newsid;
1615 struct avc_audit_data ad; 1620 struct common_audit_data ad;
1616 int rc; 1621 int rc;
1617 1622
1618 dsec = dir->i_security; 1623 dsec = dir->i_security;
@@ -1621,7 +1626,7 @@ static int may_create(struct inode *dir,
1621 sid = tsec->sid; 1626 sid = tsec->sid;
1622 newsid = tsec->create_sid; 1627 newsid = tsec->create_sid;
1623 1628
1624 AVC_AUDIT_DATA_INIT(&ad, FS); 1629 COMMON_AUDIT_DATA_INIT(&ad, FS);
1625 ad.u.fs.path.dentry = dentry; 1630 ad.u.fs.path.dentry = dentry;
1626 1631
1627 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, 1632 rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
@@ -1665,7 +1670,7 @@ static int may_link(struct inode *dir,
1665 1670
1666{ 1671{
1667 struct inode_security_struct *dsec, *isec; 1672 struct inode_security_struct *dsec, *isec;
1668 struct avc_audit_data ad; 1673 struct common_audit_data ad;
1669 u32 sid = current_sid(); 1674 u32 sid = current_sid();
1670 u32 av; 1675 u32 av;
1671 int rc; 1676 int rc;
@@ -1673,7 +1678,7 @@ static int may_link(struct inode *dir,
1673 dsec = dir->i_security; 1678 dsec = dir->i_security;
1674 isec = dentry->d_inode->i_security; 1679 isec = dentry->d_inode->i_security;
1675 1680
1676 AVC_AUDIT_DATA_INIT(&ad, FS); 1681 COMMON_AUDIT_DATA_INIT(&ad, FS);
1677 ad.u.fs.path.dentry = dentry; 1682 ad.u.fs.path.dentry = dentry;
1678 1683
1679 av = DIR__SEARCH; 1684 av = DIR__SEARCH;
@@ -1708,7 +1713,7 @@ static inline int may_rename(struct inode *old_dir,
1708 struct dentry *new_dentry) 1713 struct dentry *new_dentry)
1709{ 1714{
1710 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec; 1715 struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1711 struct avc_audit_data ad; 1716 struct common_audit_data ad;
1712 u32 sid = current_sid(); 1717 u32 sid = current_sid();
1713 u32 av; 1718 u32 av;
1714 int old_is_dir, new_is_dir; 1719 int old_is_dir, new_is_dir;
@@ -1719,7 +1724,7 @@ static inline int may_rename(struct inode *old_dir,
1719 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode); 1724 old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1720 new_dsec = new_dir->i_security; 1725 new_dsec = new_dir->i_security;
1721 1726
1722 AVC_AUDIT_DATA_INIT(&ad, FS); 1727 COMMON_AUDIT_DATA_INIT(&ad, FS);
1723 1728
1724 ad.u.fs.path.dentry = old_dentry; 1729 ad.u.fs.path.dentry = old_dentry;
1725 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR, 1730 rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
@@ -1761,7 +1766,7 @@ static inline int may_rename(struct inode *old_dir,
1761static int superblock_has_perm(const struct cred *cred, 1766static int superblock_has_perm(const struct cred *cred,
1762 struct super_block *sb, 1767 struct super_block *sb,
1763 u32 perms, 1768 u32 perms,
1764 struct avc_audit_data *ad) 1769 struct common_audit_data *ad)
1765{ 1770{
1766 struct superblock_security_struct *sbsec; 1771 struct superblock_security_struct *sbsec;
1767 u32 sid = cred_sid(cred); 1772 u32 sid = cred_sid(cred);
@@ -1855,12 +1860,12 @@ static inline u32 open_file_to_av(struct file *file)
1855 1860
1856/* Hook functions begin here. */ 1861/* Hook functions begin here. */
1857 1862
1858static int selinux_ptrace_may_access(struct task_struct *child, 1863static int selinux_ptrace_access_check(struct task_struct *child,
1859 unsigned int mode) 1864 unsigned int mode)
1860{ 1865{
1861 int rc; 1866 int rc;
1862 1867
1863 rc = cap_ptrace_may_access(child, mode); 1868 rc = cap_ptrace_access_check(child, mode);
1864 if (rc) 1869 if (rc)
1865 return rc; 1870 return rc;
1866 1871
@@ -2101,7 +2106,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2101 const struct task_security_struct *old_tsec; 2106 const struct task_security_struct *old_tsec;
2102 struct task_security_struct *new_tsec; 2107 struct task_security_struct *new_tsec;
2103 struct inode_security_struct *isec; 2108 struct inode_security_struct *isec;
2104 struct avc_audit_data ad; 2109 struct common_audit_data ad;
2105 struct inode *inode = bprm->file->f_path.dentry->d_inode; 2110 struct inode *inode = bprm->file->f_path.dentry->d_inode;
2106 int rc; 2111 int rc;
2107 2112
@@ -2139,7 +2144,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2139 return rc; 2144 return rc;
2140 } 2145 }
2141 2146
2142 AVC_AUDIT_DATA_INIT(&ad, FS); 2147 COMMON_AUDIT_DATA_INIT(&ad, FS);
2143 ad.u.fs.path = bprm->file->f_path; 2148 ad.u.fs.path = bprm->file->f_path;
2144 2149
2145 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) 2150 if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
@@ -2232,7 +2237,7 @@ extern struct dentry *selinux_null;
2232static inline void flush_unauthorized_files(const struct cred *cred, 2237static inline void flush_unauthorized_files(const struct cred *cred,
2233 struct files_struct *files) 2238 struct files_struct *files)
2234{ 2239{
2235 struct avc_audit_data ad; 2240 struct common_audit_data ad;
2236 struct file *file, *devnull = NULL; 2241 struct file *file, *devnull = NULL;
2237 struct tty_struct *tty; 2242 struct tty_struct *tty;
2238 struct fdtable *fdt; 2243 struct fdtable *fdt;
@@ -2266,7 +2271,7 @@ static inline void flush_unauthorized_files(const struct cred *cred,
2266 2271
2267 /* Revalidate access to inherited open files. */ 2272 /* Revalidate access to inherited open files. */
2268 2273
2269 AVC_AUDIT_DATA_INIT(&ad, FS); 2274 COMMON_AUDIT_DATA_INIT(&ad, FS);
2270 2275
2271 spin_lock(&files->file_lock); 2276 spin_lock(&files->file_lock);
2272 for (;;) { 2277 for (;;) {
@@ -2405,7 +2410,7 @@ static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2405 /* Wake up the parent if it is waiting so that it can recheck 2410 /* Wake up the parent if it is waiting so that it can recheck
2406 * wait permission to the new task SID. */ 2411 * wait permission to the new task SID. */
2407 read_lock(&tasklist_lock); 2412 read_lock(&tasklist_lock);
2408 wake_up_interruptible(&current->real_parent->signal->wait_chldexit); 2413 __wake_up_parent(current, current->real_parent);
2409 read_unlock(&tasklist_lock); 2414 read_unlock(&tasklist_lock);
2410} 2415}
2411 2416
@@ -2515,7 +2520,7 @@ out:
2515static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data) 2520static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2516{ 2521{
2517 const struct cred *cred = current_cred(); 2522 const struct cred *cred = current_cred();
2518 struct avc_audit_data ad; 2523 struct common_audit_data ad;
2519 int rc; 2524 int rc;
2520 2525
2521 rc = superblock_doinit(sb, data); 2526 rc = superblock_doinit(sb, data);
@@ -2526,7 +2531,7 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2526 if (flags & MS_KERNMOUNT) 2531 if (flags & MS_KERNMOUNT)
2527 return 0; 2532 return 0;
2528 2533
2529 AVC_AUDIT_DATA_INIT(&ad, FS); 2534 COMMON_AUDIT_DATA_INIT(&ad, FS);
2530 ad.u.fs.path.dentry = sb->s_root; 2535 ad.u.fs.path.dentry = sb->s_root;
2531 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad); 2536 return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2532} 2537}
@@ -2534,9 +2539,9 @@ static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2534static int selinux_sb_statfs(struct dentry *dentry) 2539static int selinux_sb_statfs(struct dentry *dentry)
2535{ 2540{
2536 const struct cred *cred = current_cred(); 2541 const struct cred *cred = current_cred();
2537 struct avc_audit_data ad; 2542 struct common_audit_data ad;
2538 2543
2539 AVC_AUDIT_DATA_INIT(&ad, FS); 2544 COMMON_AUDIT_DATA_INIT(&ad, FS);
2540 ad.u.fs.path.dentry = dentry->d_sb->s_root; 2545 ad.u.fs.path.dentry = dentry->d_sb->s_root;
2541 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); 2546 return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2542} 2547}
@@ -2711,12 +2716,18 @@ static int selinux_inode_permission(struct inode *inode, int mask)
2711static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) 2716static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2712{ 2717{
2713 const struct cred *cred = current_cred(); 2718 const struct cred *cred = current_cred();
2719 unsigned int ia_valid = iattr->ia_valid;
2720
2721 /* ATTR_FORCE is just used for ATTR_KILL_S[UG]ID. */
2722 if (ia_valid & ATTR_FORCE) {
2723 ia_valid &= ~(ATTR_KILL_SUID | ATTR_KILL_SGID | ATTR_MODE |
2724 ATTR_FORCE);
2725 if (!ia_valid)
2726 return 0;
2727 }
2714 2728
2715 if (iattr->ia_valid & ATTR_FORCE) 2729 if (ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2716 return 0; 2730 ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET))
2717
2718 if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2719 ATTR_ATIME_SET | ATTR_MTIME_SET))
2720 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR); 2731 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2721 2732
2722 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE); 2733 return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
@@ -2756,7 +2767,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2756 struct inode *inode = dentry->d_inode; 2767 struct inode *inode = dentry->d_inode;
2757 struct inode_security_struct *isec = inode->i_security; 2768 struct inode_security_struct *isec = inode->i_security;
2758 struct superblock_security_struct *sbsec; 2769 struct superblock_security_struct *sbsec;
2759 struct avc_audit_data ad; 2770 struct common_audit_data ad;
2760 u32 newsid, sid = current_sid(); 2771 u32 newsid, sid = current_sid();
2761 int rc = 0; 2772 int rc = 0;
2762 2773
@@ -2770,7 +2781,7 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2770 if (!is_owner_or_cap(inode)) 2781 if (!is_owner_or_cap(inode))
2771 return -EPERM; 2782 return -EPERM;
2772 2783
2773 AVC_AUDIT_DATA_INIT(&ad, FS); 2784 COMMON_AUDIT_DATA_INIT(&ad, FS);
2774 ad.u.fs.path.dentry = dentry; 2785 ad.u.fs.path.dentry = dentry;
2775 2786
2776 rc = avc_has_perm(sid, isec->sid, isec->sclass, 2787 rc = avc_has_perm(sid, isec->sid, isec->sclass,
@@ -2915,6 +2926,7 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2915 return rc; 2926 return rc;
2916 2927
2917 isec->sid = newsid; 2928 isec->sid = newsid;
2929 isec->initialized = 1;
2918 return 0; 2930 return 0;
2919} 2931}
2920 2932
@@ -2939,11 +2951,6 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2939 const struct cred *cred = current_cred(); 2951 const struct cred *cred = current_cred();
2940 struct inode *inode = file->f_path.dentry->d_inode; 2952 struct inode *inode = file->f_path.dentry->d_inode;
2941 2953
2942 if (!mask) {
2943 /* No permission to check. Existence test. */
2944 return 0;
2945 }
2946
2947 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */ 2954 /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2948 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE)) 2955 if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2949 mask |= MAY_APPEND; 2956 mask |= MAY_APPEND;
@@ -2954,10 +2961,20 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
2954 2961
2955static int selinux_file_permission(struct file *file, int mask) 2962static int selinux_file_permission(struct file *file, int mask)
2956{ 2963{
2964 struct inode *inode = file->f_path.dentry->d_inode;
2965 struct file_security_struct *fsec = file->f_security;
2966 struct inode_security_struct *isec = inode->i_security;
2967 u32 sid = current_sid();
2968
2957 if (!mask) 2969 if (!mask)
2958 /* No permission to check. Existence test. */ 2970 /* No permission to check. Existence test. */
2959 return 0; 2971 return 0;
2960 2972
2973 if (sid == fsec->sid && fsec->isid == isec->sid &&
2974 fsec->pseqno == avc_policy_seqno())
2975 /* No change since dentry_open check. */
2976 return 0;
2977
2961 return selinux_revalidate_file_permission(file, mask); 2978 return selinux_revalidate_file_permission(file, mask);
2962} 2979}
2963 2980
@@ -3220,12 +3237,29 @@ static int selinux_task_create(unsigned long clone_flags)
3220} 3237}
3221 3238
3222/* 3239/*
3240 * allocate the SELinux part of blank credentials
3241 */
3242static int selinux_cred_alloc_blank(struct cred *cred, gfp_t gfp)
3243{
3244 struct task_security_struct *tsec;
3245
3246 tsec = kzalloc(sizeof(struct task_security_struct), gfp);
3247 if (!tsec)
3248 return -ENOMEM;
3249
3250 cred->security = tsec;
3251 return 0;
3252}
3253
3254/*
3223 * detach and free the LSM part of a set of credentials 3255 * detach and free the LSM part of a set of credentials
3224 */ 3256 */
3225static void selinux_cred_free(struct cred *cred) 3257static void selinux_cred_free(struct cred *cred)
3226{ 3258{
3227 struct task_security_struct *tsec = cred->security; 3259 struct task_security_struct *tsec = cred->security;
3228 cred->security = NULL; 3260
3261 BUG_ON((unsigned long) cred->security < PAGE_SIZE);
3262 cred->security = (void *) 0x7UL;
3229 kfree(tsec); 3263 kfree(tsec);
3230} 3264}
3231 3265
@@ -3249,6 +3283,17 @@ static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3249} 3283}
3250 3284
3251/* 3285/*
3286 * transfer the SELinux data to a blank set of creds
3287 */
3288static void selinux_cred_transfer(struct cred *new, const struct cred *old)
3289{
3290 const struct task_security_struct *old_tsec = old->security;
3291 struct task_security_struct *tsec = new->security;
3292
3293 *tsec = *old_tsec;
3294}
3295
3296/*
3252 * set the security data for a kernel service 3297 * set the security data for a kernel service
3253 * - all the creation contexts are set to unlabelled 3298 * - all the creation contexts are set to unlabelled
3254 */ 3299 */
@@ -3292,6 +3337,20 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3292 return 0; 3337 return 0;
3293} 3338}
3294 3339
3340static int selinux_kernel_module_request(char *kmod_name)
3341{
3342 u32 sid;
3343 struct common_audit_data ad;
3344
3345 sid = task_sid(current);
3346
3347 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3348 ad.u.kmod_name = kmod_name;
3349
3350 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3351 SYSTEM__MODULE_REQUEST, &ad);
3352}
3353
3295static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3354static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3296{ 3355{
3297 return current_has_perm(p, PROCESS__SETPGID); 3356 return current_has_perm(p, PROCESS__SETPGID);
@@ -3409,7 +3468,7 @@ static void selinux_task_to_inode(struct task_struct *p,
3409 3468
3410/* Returns error only if unable to parse addresses */ 3469/* Returns error only if unable to parse addresses */
3411static int selinux_parse_skb_ipv4(struct sk_buff *skb, 3470static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3412 struct avc_audit_data *ad, u8 *proto) 3471 struct common_audit_data *ad, u8 *proto)
3413{ 3472{
3414 int offset, ihlen, ret = -EINVAL; 3473 int offset, ihlen, ret = -EINVAL;
3415 struct iphdr _iph, *ih; 3474 struct iphdr _iph, *ih;
@@ -3490,7 +3549,7 @@ out:
3490 3549
3491/* Returns error only if unable to parse addresses */ 3550/* Returns error only if unable to parse addresses */
3492static int selinux_parse_skb_ipv6(struct sk_buff *skb, 3551static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3493 struct avc_audit_data *ad, u8 *proto) 3552 struct common_audit_data *ad, u8 *proto)
3494{ 3553{
3495 u8 nexthdr; 3554 u8 nexthdr;
3496 int ret = -EINVAL, offset; 3555 int ret = -EINVAL, offset;
@@ -3561,7 +3620,7 @@ out:
3561 3620
3562#endif /* IPV6 */ 3621#endif /* IPV6 */
3563 3622
3564static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad, 3623static int selinux_parse_skb(struct sk_buff *skb, struct common_audit_data *ad,
3565 char **_addrp, int src, u8 *proto) 3624 char **_addrp, int src, u8 *proto)
3566{ 3625{
3567 char *addrp; 3626 char *addrp;
@@ -3643,7 +3702,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3643 u32 perms) 3702 u32 perms)
3644{ 3703{
3645 struct inode_security_struct *isec; 3704 struct inode_security_struct *isec;
3646 struct avc_audit_data ad; 3705 struct common_audit_data ad;
3647 u32 sid; 3706 u32 sid;
3648 int err = 0; 3707 int err = 0;
3649 3708
@@ -3653,7 +3712,7 @@ static int socket_has_perm(struct task_struct *task, struct socket *sock,
3653 goto out; 3712 goto out;
3654 sid = task_sid(task); 3713 sid = task_sid(task);
3655 3714
3656 AVC_AUDIT_DATA_INIT(&ad, NET); 3715 COMMON_AUDIT_DATA_INIT(&ad, NET);
3657 ad.u.net.sk = sock->sk; 3716 ad.u.net.sk = sock->sk;
3658 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 3717 err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3659 3718
@@ -3740,7 +3799,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3740 if (family == PF_INET || family == PF_INET6) { 3799 if (family == PF_INET || family == PF_INET6) {
3741 char *addrp; 3800 char *addrp;
3742 struct inode_security_struct *isec; 3801 struct inode_security_struct *isec;
3743 struct avc_audit_data ad; 3802 struct common_audit_data ad;
3744 struct sockaddr_in *addr4 = NULL; 3803 struct sockaddr_in *addr4 = NULL;
3745 struct sockaddr_in6 *addr6 = NULL; 3804 struct sockaddr_in6 *addr6 = NULL;
3746 unsigned short snum; 3805 unsigned short snum;
@@ -3769,7 +3828,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3769 snum, &sid); 3828 snum, &sid);
3770 if (err) 3829 if (err)
3771 goto out; 3830 goto out;
3772 AVC_AUDIT_DATA_INIT(&ad, NET); 3831 COMMON_AUDIT_DATA_INIT(&ad, NET);
3773 ad.u.net.sport = htons(snum); 3832 ad.u.net.sport = htons(snum);
3774 ad.u.net.family = family; 3833 ad.u.net.family = family;
3775 err = avc_has_perm(isec->sid, sid, 3834 err = avc_has_perm(isec->sid, sid,
@@ -3802,7 +3861,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
3802 if (err) 3861 if (err)
3803 goto out; 3862 goto out;
3804 3863
3805 AVC_AUDIT_DATA_INIT(&ad, NET); 3864 COMMON_AUDIT_DATA_INIT(&ad, NET);
3806 ad.u.net.sport = htons(snum); 3865 ad.u.net.sport = htons(snum);
3807 ad.u.net.family = family; 3866 ad.u.net.family = family;
3808 3867
@@ -3836,7 +3895,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3836 isec = SOCK_INODE(sock)->i_security; 3895 isec = SOCK_INODE(sock)->i_security;
3837 if (isec->sclass == SECCLASS_TCP_SOCKET || 3896 if (isec->sclass == SECCLASS_TCP_SOCKET ||
3838 isec->sclass == SECCLASS_DCCP_SOCKET) { 3897 isec->sclass == SECCLASS_DCCP_SOCKET) {
3839 struct avc_audit_data ad; 3898 struct common_audit_data ad;
3840 struct sockaddr_in *addr4 = NULL; 3899 struct sockaddr_in *addr4 = NULL;
3841 struct sockaddr_in6 *addr6 = NULL; 3900 struct sockaddr_in6 *addr6 = NULL;
3842 unsigned short snum; 3901 unsigned short snum;
@@ -3861,7 +3920,7 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
3861 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ? 3920 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3862 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT; 3921 TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3863 3922
3864 AVC_AUDIT_DATA_INIT(&ad, NET); 3923 COMMON_AUDIT_DATA_INIT(&ad, NET);
3865 ad.u.net.dport = htons(snum); 3924 ad.u.net.dport = htons(snum);
3866 ad.u.net.family = sk->sk_family; 3925 ad.u.net.family = sk->sk_family;
3867 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad); 3926 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
@@ -3951,13 +4010,13 @@ static int selinux_socket_unix_stream_connect(struct socket *sock,
3951 struct sk_security_struct *ssec; 4010 struct sk_security_struct *ssec;
3952 struct inode_security_struct *isec; 4011 struct inode_security_struct *isec;
3953 struct inode_security_struct *other_isec; 4012 struct inode_security_struct *other_isec;
3954 struct avc_audit_data ad; 4013 struct common_audit_data ad;
3955 int err; 4014 int err;
3956 4015
3957 isec = SOCK_INODE(sock)->i_security; 4016 isec = SOCK_INODE(sock)->i_security;
3958 other_isec = SOCK_INODE(other)->i_security; 4017 other_isec = SOCK_INODE(other)->i_security;
3959 4018
3960 AVC_AUDIT_DATA_INIT(&ad, NET); 4019 COMMON_AUDIT_DATA_INIT(&ad, NET);
3961 ad.u.net.sk = other->sk; 4020 ad.u.net.sk = other->sk;
3962 4021
3963 err = avc_has_perm(isec->sid, other_isec->sid, 4022 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -3983,13 +4042,13 @@ static int selinux_socket_unix_may_send(struct socket *sock,
3983{ 4042{
3984 struct inode_security_struct *isec; 4043 struct inode_security_struct *isec;
3985 struct inode_security_struct *other_isec; 4044 struct inode_security_struct *other_isec;
3986 struct avc_audit_data ad; 4045 struct common_audit_data ad;
3987 int err; 4046 int err;
3988 4047
3989 isec = SOCK_INODE(sock)->i_security; 4048 isec = SOCK_INODE(sock)->i_security;
3990 other_isec = SOCK_INODE(other)->i_security; 4049 other_isec = SOCK_INODE(other)->i_security;
3991 4050
3992 AVC_AUDIT_DATA_INIT(&ad, NET); 4051 COMMON_AUDIT_DATA_INIT(&ad, NET);
3993 ad.u.net.sk = other->sk; 4052 ad.u.net.sk = other->sk;
3994 4053
3995 err = avc_has_perm(isec->sid, other_isec->sid, 4054 err = avc_has_perm(isec->sid, other_isec->sid,
@@ -4002,7 +4061,7 @@ static int selinux_socket_unix_may_send(struct socket *sock,
4002 4061
4003static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family, 4062static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4004 u32 peer_sid, 4063 u32 peer_sid,
4005 struct avc_audit_data *ad) 4064 struct common_audit_data *ad)
4006{ 4065{
4007 int err; 4066 int err;
4008 u32 if_sid; 4067 u32 if_sid;
@@ -4030,11 +4089,11 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4030 struct sk_security_struct *sksec = sk->sk_security; 4089 struct sk_security_struct *sksec = sk->sk_security;
4031 u32 peer_sid; 4090 u32 peer_sid;
4032 u32 sk_sid = sksec->sid; 4091 u32 sk_sid = sksec->sid;
4033 struct avc_audit_data ad; 4092 struct common_audit_data ad;
4034 char *addrp; 4093 char *addrp;
4035 4094
4036 AVC_AUDIT_DATA_INIT(&ad, NET); 4095 COMMON_AUDIT_DATA_INIT(&ad, NET);
4037 ad.u.net.netif = skb->iif; 4096 ad.u.net.netif = skb->skb_iif;
4038 ad.u.net.family = family; 4097 ad.u.net.family = family;
4039 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4098 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4040 if (err) 4099 if (err)
@@ -4071,7 +4130,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4071 struct sk_security_struct *sksec = sk->sk_security; 4130 struct sk_security_struct *sksec = sk->sk_security;
4072 u16 family = sk->sk_family; 4131 u16 family = sk->sk_family;
4073 u32 sk_sid = sksec->sid; 4132 u32 sk_sid = sksec->sid;
4074 struct avc_audit_data ad; 4133 struct common_audit_data ad;
4075 char *addrp; 4134 char *addrp;
4076 u8 secmark_active; 4135 u8 secmark_active;
4077 u8 peerlbl_active; 4136 u8 peerlbl_active;
@@ -4095,8 +4154,8 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4095 if (!secmark_active && !peerlbl_active) 4154 if (!secmark_active && !peerlbl_active)
4096 return 0; 4155 return 0;
4097 4156
4098 AVC_AUDIT_DATA_INIT(&ad, NET); 4157 COMMON_AUDIT_DATA_INIT(&ad, NET);
4099 ad.u.net.netif = skb->iif; 4158 ad.u.net.netif = skb->skb_iif;
4100 ad.u.net.family = family; 4159 ad.u.net.family = family;
4101 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4160 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4102 if (err) 4161 if (err)
@@ -4108,7 +4167,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4108 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4167 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4109 if (err) 4168 if (err)
4110 return err; 4169 return err;
4111 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4170 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4112 peer_sid, &ad); 4171 peer_sid, &ad);
4113 if (err) { 4172 if (err) {
4114 selinux_netlbl_err(skb, err, 0); 4173 selinux_netlbl_err(skb, err, 0);
@@ -4309,6 +4368,59 @@ static void selinux_req_classify_flow(const struct request_sock *req,
4309 fl->secid = req->secid; 4368 fl->secid = req->secid;
4310} 4369}
4311 4370
4371static int selinux_tun_dev_create(void)
4372{
4373 u32 sid = current_sid();
4374
4375 /* we aren't taking into account the "sockcreate" SID since the socket
4376 * that is being created here is not a socket in the traditional sense,
4377 * instead it is a private sock, accessible only to the kernel, and
4378 * representing a wide range of network traffic spanning multiple
4379 * connections unlike traditional sockets - check the TUN driver to
4380 * get a better understanding of why this socket is special */
4381
4382 return avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET, TUN_SOCKET__CREATE,
4383 NULL);
4384}
4385
4386static void selinux_tun_dev_post_create(struct sock *sk)
4387{
4388 struct sk_security_struct *sksec = sk->sk_security;
4389
4390 /* we don't currently perform any NetLabel based labeling here and it
4391 * isn't clear that we would want to do so anyway; while we could apply
4392 * labeling without the support of the TUN user the resulting labeled
4393 * traffic from the other end of the connection would almost certainly
4394 * cause confusion to the TUN user that had no idea network labeling
4395 * protocols were being used */
4396
4397 /* see the comments in selinux_tun_dev_create() about why we don't use
4398 * the sockcreate SID here */
4399
4400 sksec->sid = current_sid();
4401 sksec->sclass = SECCLASS_TUN_SOCKET;
4402}
4403
4404static int selinux_tun_dev_attach(struct sock *sk)
4405{
4406 struct sk_security_struct *sksec = sk->sk_security;
4407 u32 sid = current_sid();
4408 int err;
4409
4410 err = avc_has_perm(sid, sksec->sid, SECCLASS_TUN_SOCKET,
4411 TUN_SOCKET__RELABELFROM, NULL);
4412 if (err)
4413 return err;
4414 err = avc_has_perm(sid, sid, SECCLASS_TUN_SOCKET,
4415 TUN_SOCKET__RELABELTO, NULL);
4416 if (err)
4417 return err;
4418
4419 sksec->sid = sid;
4420
4421 return 0;
4422}
4423
4312static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb) 4424static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4313{ 4425{
4314 int err = 0; 4426 int err = 0;
@@ -4353,7 +4465,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4353 int err; 4465 int err;
4354 char *addrp; 4466 char *addrp;
4355 u32 peer_sid; 4467 u32 peer_sid;
4356 struct avc_audit_data ad; 4468 struct common_audit_data ad;
4357 u8 secmark_active; 4469 u8 secmark_active;
4358 u8 netlbl_active; 4470 u8 netlbl_active;
4359 u8 peerlbl_active; 4471 u8 peerlbl_active;
@@ -4370,7 +4482,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4370 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0) 4482 if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4371 return NF_DROP; 4483 return NF_DROP;
4372 4484
4373 AVC_AUDIT_DATA_INIT(&ad, NET); 4485 COMMON_AUDIT_DATA_INIT(&ad, NET);
4374 ad.u.net.netif = ifindex; 4486 ad.u.net.netif = ifindex;
4375 ad.u.net.family = family; 4487 ad.u.net.family = family;
4376 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0) 4488 if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
@@ -4458,7 +4570,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4458{ 4570{
4459 struct sock *sk = skb->sk; 4571 struct sock *sk = skb->sk;
4460 struct sk_security_struct *sksec; 4572 struct sk_security_struct *sksec;
4461 struct avc_audit_data ad; 4573 struct common_audit_data ad;
4462 char *addrp; 4574 char *addrp;
4463 u8 proto; 4575 u8 proto;
4464 4576
@@ -4466,7 +4578,7 @@ static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4466 return NF_ACCEPT; 4578 return NF_ACCEPT;
4467 sksec = sk->sk_security; 4579 sksec = sk->sk_security;
4468 4580
4469 AVC_AUDIT_DATA_INIT(&ad, NET); 4581 COMMON_AUDIT_DATA_INIT(&ad, NET);
4470 ad.u.net.netif = ifindex; 4582 ad.u.net.netif = ifindex;
4471 ad.u.net.family = family; 4583 ad.u.net.family = family;
4472 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto)) 4584 if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
@@ -4490,7 +4602,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4490 u32 secmark_perm; 4602 u32 secmark_perm;
4491 u32 peer_sid; 4603 u32 peer_sid;
4492 struct sock *sk; 4604 struct sock *sk;
4493 struct avc_audit_data ad; 4605 struct common_audit_data ad;
4494 char *addrp; 4606 char *addrp;
4495 u8 secmark_active; 4607 u8 secmark_active;
4496 u8 peerlbl_active; 4608 u8 peerlbl_active;
@@ -4549,7 +4661,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4549 secmark_perm = PACKET__SEND; 4661 secmark_perm = PACKET__SEND;
4550 } 4662 }
4551 4663
4552 AVC_AUDIT_DATA_INIT(&ad, NET); 4664 COMMON_AUDIT_DATA_INIT(&ad, NET);
4553 ad.u.net.netif = ifindex; 4665 ad.u.net.netif = ifindex;
4554 ad.u.net.family = family; 4666 ad.u.net.family = family;
4555 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL)) 4667 if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
@@ -4610,22 +4722,19 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4610 if (err) 4722 if (err)
4611 return err; 4723 return err;
4612 4724
4613 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4725 return selinux_nlmsg_perm(sk, skb);
4614 err = selinux_nlmsg_perm(sk, skb);
4615
4616 return err;
4617} 4726}
4618 4727
4619static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4728static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4620{ 4729{
4621 int err; 4730 int err;
4622 struct avc_audit_data ad; 4731 struct common_audit_data ad;
4623 4732
4624 err = cap_netlink_recv(skb, capability); 4733 err = cap_netlink_recv(skb, capability);
4625 if (err) 4734 if (err)
4626 return err; 4735 return err;
4627 4736
4628 AVC_AUDIT_DATA_INIT(&ad, CAP); 4737 COMMON_AUDIT_DATA_INIT(&ad, CAP);
4629 ad.u.cap = capability; 4738 ad.u.cap = capability;
4630 4739
4631 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid, 4740 return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
@@ -4684,12 +4793,12 @@ static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4684 u32 perms) 4793 u32 perms)
4685{ 4794{
4686 struct ipc_security_struct *isec; 4795 struct ipc_security_struct *isec;
4687 struct avc_audit_data ad; 4796 struct common_audit_data ad;
4688 u32 sid = current_sid(); 4797 u32 sid = current_sid();
4689 4798
4690 isec = ipc_perms->security; 4799 isec = ipc_perms->security;
4691 4800
4692 AVC_AUDIT_DATA_INIT(&ad, IPC); 4801 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4693 ad.u.ipc_id = ipc_perms->key; 4802 ad.u.ipc_id = ipc_perms->key;
4694 4803
4695 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad); 4804 return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
@@ -4709,7 +4818,7 @@ static void selinux_msg_msg_free_security(struct msg_msg *msg)
4709static int selinux_msg_queue_alloc_security(struct msg_queue *msq) 4818static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4710{ 4819{
4711 struct ipc_security_struct *isec; 4820 struct ipc_security_struct *isec;
4712 struct avc_audit_data ad; 4821 struct common_audit_data ad;
4713 u32 sid = current_sid(); 4822 u32 sid = current_sid();
4714 int rc; 4823 int rc;
4715 4824
@@ -4719,7 +4828,7 @@ static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4719 4828
4720 isec = msq->q_perm.security; 4829 isec = msq->q_perm.security;
4721 4830
4722 AVC_AUDIT_DATA_INIT(&ad, IPC); 4831 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4723 ad.u.ipc_id = msq->q_perm.key; 4832 ad.u.ipc_id = msq->q_perm.key;
4724 4833
4725 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4834 rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4739,12 +4848,12 @@ static void selinux_msg_queue_free_security(struct msg_queue *msq)
4739static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg) 4848static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4740{ 4849{
4741 struct ipc_security_struct *isec; 4850 struct ipc_security_struct *isec;
4742 struct avc_audit_data ad; 4851 struct common_audit_data ad;
4743 u32 sid = current_sid(); 4852 u32 sid = current_sid();
4744 4853
4745 isec = msq->q_perm.security; 4854 isec = msq->q_perm.security;
4746 4855
4747 AVC_AUDIT_DATA_INIT(&ad, IPC); 4856 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4748 ad.u.ipc_id = msq->q_perm.key; 4857 ad.u.ipc_id = msq->q_perm.key;
4749 4858
4750 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ, 4859 return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
@@ -4783,7 +4892,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4783{ 4892{
4784 struct ipc_security_struct *isec; 4893 struct ipc_security_struct *isec;
4785 struct msg_security_struct *msec; 4894 struct msg_security_struct *msec;
4786 struct avc_audit_data ad; 4895 struct common_audit_data ad;
4787 u32 sid = current_sid(); 4896 u32 sid = current_sid();
4788 int rc; 4897 int rc;
4789 4898
@@ -4804,7 +4913,7 @@ static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
4804 return rc; 4913 return rc;
4805 } 4914 }
4806 4915
4807 AVC_AUDIT_DATA_INIT(&ad, IPC); 4916 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4808 ad.u.ipc_id = msq->q_perm.key; 4917 ad.u.ipc_id = msq->q_perm.key;
4809 4918
4810 /* Can this process write to the queue? */ 4919 /* Can this process write to the queue? */
@@ -4828,14 +4937,14 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4828{ 4937{
4829 struct ipc_security_struct *isec; 4938 struct ipc_security_struct *isec;
4830 struct msg_security_struct *msec; 4939 struct msg_security_struct *msec;
4831 struct avc_audit_data ad; 4940 struct common_audit_data ad;
4832 u32 sid = task_sid(target); 4941 u32 sid = task_sid(target);
4833 int rc; 4942 int rc;
4834 4943
4835 isec = msq->q_perm.security; 4944 isec = msq->q_perm.security;
4836 msec = msg->security; 4945 msec = msg->security;
4837 4946
4838 AVC_AUDIT_DATA_INIT(&ad, IPC); 4947 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4839 ad.u.ipc_id = msq->q_perm.key; 4948 ad.u.ipc_id = msq->q_perm.key;
4840 4949
4841 rc = avc_has_perm(sid, isec->sid, 4950 rc = avc_has_perm(sid, isec->sid,
@@ -4850,7 +4959,7 @@ static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
4850static int selinux_shm_alloc_security(struct shmid_kernel *shp) 4959static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4851{ 4960{
4852 struct ipc_security_struct *isec; 4961 struct ipc_security_struct *isec;
4853 struct avc_audit_data ad; 4962 struct common_audit_data ad;
4854 u32 sid = current_sid(); 4963 u32 sid = current_sid();
4855 int rc; 4964 int rc;
4856 4965
@@ -4860,7 +4969,7 @@ static int selinux_shm_alloc_security(struct shmid_kernel *shp)
4860 4969
4861 isec = shp->shm_perm.security; 4970 isec = shp->shm_perm.security;
4862 4971
4863 AVC_AUDIT_DATA_INIT(&ad, IPC); 4972 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4864 ad.u.ipc_id = shp->shm_perm.key; 4973 ad.u.ipc_id = shp->shm_perm.key;
4865 4974
4866 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM, 4975 rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4880,12 +4989,12 @@ static void selinux_shm_free_security(struct shmid_kernel *shp)
4880static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg) 4989static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
4881{ 4990{
4882 struct ipc_security_struct *isec; 4991 struct ipc_security_struct *isec;
4883 struct avc_audit_data ad; 4992 struct common_audit_data ad;
4884 u32 sid = current_sid(); 4993 u32 sid = current_sid();
4885 4994
4886 isec = shp->shm_perm.security; 4995 isec = shp->shm_perm.security;
4887 4996
4888 AVC_AUDIT_DATA_INIT(&ad, IPC); 4997 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4889 ad.u.ipc_id = shp->shm_perm.key; 4998 ad.u.ipc_id = shp->shm_perm.key;
4890 4999
4891 return avc_has_perm(sid, isec->sid, SECCLASS_SHM, 5000 return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
@@ -4942,7 +5051,7 @@ static int selinux_shm_shmat(struct shmid_kernel *shp,
4942static int selinux_sem_alloc_security(struct sem_array *sma) 5051static int selinux_sem_alloc_security(struct sem_array *sma)
4943{ 5052{
4944 struct ipc_security_struct *isec; 5053 struct ipc_security_struct *isec;
4945 struct avc_audit_data ad; 5054 struct common_audit_data ad;
4946 u32 sid = current_sid(); 5055 u32 sid = current_sid();
4947 int rc; 5056 int rc;
4948 5057
@@ -4952,7 +5061,7 @@ static int selinux_sem_alloc_security(struct sem_array *sma)
4952 5061
4953 isec = sma->sem_perm.security; 5062 isec = sma->sem_perm.security;
4954 5063
4955 AVC_AUDIT_DATA_INIT(&ad, IPC); 5064 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4956 ad.u.ipc_id = sma->sem_perm.key; 5065 ad.u.ipc_id = sma->sem_perm.key;
4957 5066
4958 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5067 rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -4972,12 +5081,12 @@ static void selinux_sem_free_security(struct sem_array *sma)
4972static int selinux_sem_associate(struct sem_array *sma, int semflg) 5081static int selinux_sem_associate(struct sem_array *sma, int semflg)
4973{ 5082{
4974 struct ipc_security_struct *isec; 5083 struct ipc_security_struct *isec;
4975 struct avc_audit_data ad; 5084 struct common_audit_data ad;
4976 u32 sid = current_sid(); 5085 u32 sid = current_sid();
4977 5086
4978 isec = sma->sem_perm.security; 5087 isec = sma->sem_perm.security;
4979 5088
4980 AVC_AUDIT_DATA_INIT(&ad, IPC); 5089 COMMON_AUDIT_DATA_INIT(&ad, IPC);
4981 ad.u.ipc_id = sma->sem_perm.key; 5090 ad.u.ipc_id = sma->sem_perm.key;
4982 5091
4983 return avc_has_perm(sid, isec->sid, SECCLASS_SEM, 5092 return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
@@ -5195,7 +5304,7 @@ static int selinux_setprocattr(struct task_struct *p,
5195 5304
5196 /* Only allow single threaded processes to change context */ 5305 /* Only allow single threaded processes to change context */
5197 error = -EPERM; 5306 error = -EPERM;
5198 if (!is_single_threaded(p)) { 5307 if (!current_is_single_threaded()) {
5199 error = security_bounded_transition(tsec->sid, sid); 5308 error = security_bounded_transition(tsec->sid, sid);
5200 if (error) 5309 if (error)
5201 goto abort_change; 5310 goto abort_change;
@@ -5252,6 +5361,32 @@ static void selinux_release_secctx(char *secdata, u32 seclen)
5252 kfree(secdata); 5361 kfree(secdata);
5253} 5362}
5254 5363
5364/*
5365 * called with inode->i_mutex locked
5366 */
5367static int selinux_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
5368{
5369 return selinux_inode_setsecurity(inode, XATTR_SELINUX_SUFFIX, ctx, ctxlen, 0);
5370}
5371
5372/*
5373 * called with inode->i_mutex locked
5374 */
5375static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
5376{
5377 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SELINUX, ctx, ctxlen, 0);
5378}
5379
5380static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
5381{
5382 int len = 0;
5383 len = selinux_inode_getsecurity(inode, XATTR_SELINUX_SUFFIX,
5384 ctx, true);
5385 if (len < 0)
5386 return len;
5387 *ctxlen = len;
5388 return 0;
5389}
5255#ifdef CONFIG_KEYS 5390#ifdef CONFIG_KEYS
5256 5391
5257static int selinux_key_alloc(struct key *k, const struct cred *cred, 5392static int selinux_key_alloc(struct key *k, const struct cred *cred,
@@ -5323,7 +5458,7 @@ static int selinux_key_getsecurity(struct key *key, char **_buffer)
5323static struct security_operations selinux_ops = { 5458static struct security_operations selinux_ops = {
5324 .name = "selinux", 5459 .name = "selinux",
5325 5460
5326 .ptrace_may_access = selinux_ptrace_may_access, 5461 .ptrace_access_check = selinux_ptrace_access_check,
5327 .ptrace_traceme = selinux_ptrace_traceme, 5462 .ptrace_traceme = selinux_ptrace_traceme,
5328 .capget = selinux_capget, 5463 .capget = selinux_capget,
5329 .capset = selinux_capset, 5464 .capset = selinux_capset,
@@ -5396,10 +5531,13 @@ static struct security_operations selinux_ops = {
5396 .dentry_open = selinux_dentry_open, 5531 .dentry_open = selinux_dentry_open,
5397 5532
5398 .task_create = selinux_task_create, 5533 .task_create = selinux_task_create,
5534 .cred_alloc_blank = selinux_cred_alloc_blank,
5399 .cred_free = selinux_cred_free, 5535 .cred_free = selinux_cred_free,
5400 .cred_prepare = selinux_cred_prepare, 5536 .cred_prepare = selinux_cred_prepare,
5537 .cred_transfer = selinux_cred_transfer,
5401 .kernel_act_as = selinux_kernel_act_as, 5538 .kernel_act_as = selinux_kernel_act_as,
5402 .kernel_create_files_as = selinux_kernel_create_files_as, 5539 .kernel_create_files_as = selinux_kernel_create_files_as,
5540 .kernel_module_request = selinux_kernel_module_request,
5403 .task_setpgid = selinux_task_setpgid, 5541 .task_setpgid = selinux_task_setpgid,
5404 .task_getpgid = selinux_task_getpgid, 5542 .task_getpgid = selinux_task_getpgid,
5405 .task_getsid = selinux_task_getsid, 5543 .task_getsid = selinux_task_getsid,
@@ -5448,6 +5586,9 @@ static struct security_operations selinux_ops = {
5448 .secid_to_secctx = selinux_secid_to_secctx, 5586 .secid_to_secctx = selinux_secid_to_secctx,
5449 .secctx_to_secid = selinux_secctx_to_secid, 5587 .secctx_to_secid = selinux_secctx_to_secid,
5450 .release_secctx = selinux_release_secctx, 5588 .release_secctx = selinux_release_secctx,
5589 .inode_notifysecctx = selinux_inode_notifysecctx,
5590 .inode_setsecctx = selinux_inode_setsecctx,
5591 .inode_getsecctx = selinux_inode_getsecctx,
5451 5592
5452 .unix_stream_connect = selinux_socket_unix_stream_connect, 5593 .unix_stream_connect = selinux_socket_unix_stream_connect,
5453 .unix_may_send = selinux_socket_unix_may_send, 5594 .unix_may_send = selinux_socket_unix_may_send,
@@ -5477,6 +5618,9 @@ static struct security_operations selinux_ops = {
5477 .inet_csk_clone = selinux_inet_csk_clone, 5618 .inet_csk_clone = selinux_inet_csk_clone,
5478 .inet_conn_established = selinux_inet_conn_established, 5619 .inet_conn_established = selinux_inet_conn_established,
5479 .req_classify_flow = selinux_req_classify_flow, 5620 .req_classify_flow = selinux_req_classify_flow,
5621 .tun_dev_create = selinux_tun_dev_create,
5622 .tun_dev_post_create = selinux_tun_dev_post_create,
5623 .tun_dev_attach = selinux_tun_dev_attach,
5480 5624
5481#ifdef CONFIG_SECURITY_NETWORK_XFRM 5625#ifdef CONFIG_SECURITY_NETWORK_XFRM
5482 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc, 5626 .xfrm_policy_alloc_security = selinux_xfrm_policy_alloc,
@@ -5694,6 +5838,9 @@ int selinux_disable(void)
5694 /* Reset security_ops to the secondary module, dummy or capability. */ 5838 /* Reset security_ops to the secondary module, dummy or capability. */
5695 security_ops = secondary_ops; 5839 security_ops = secondary_ops;
5696 5840
5841 /* Try to destroy the avc node cache */
5842 avc_disable();
5843
5697 /* Unregister netfilter hooks. */ 5844 /* Unregister netfilter hooks. */
5698 selinux_nf_ip_exit(); 5845 selinux_nf_ip_exit();
5699 5846
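--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_DIR, file, 0x00020000UL)
- S_(SECCLASS_FILE, file, 0x00020000UL)
- S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
- S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
- S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
- S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_IPC, ipc, 0x00000200UL)
- S_(SECCLASS_SEM, ipc, 0x00000200UL)
- S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
- S_(SECCLASS_SHM, ipc, 0x00000200UL)
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)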
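--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
- S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
- S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
- S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
- S_(SECCLASS_DIR, DIR__SEARCH, "search")
- S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
- S_(SECCLASS_DIR, DIR__OPEN, "open")
- S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
- S_(SECCLASS_FILE, FILE__OPEN, "open")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
- S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
- S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
- S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
- S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
- S_(SECCLASS_FD, FD__USE, "use")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
- S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
- S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
- S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
- S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
- S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
- S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
- S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
- S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
- S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
- S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
- S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
- S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
- S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
- S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
- S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
- S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
- S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
- S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
- S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
- S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
- S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
- S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
- S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
- S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
- S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
- S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
- S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
- S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
- S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
- S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
- S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
- S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
- S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
- S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
- S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
- S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
- S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
- S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
- S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
- S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
- S_(SECCLASS_MSG, MSG__SEND, "send")
- S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
- S_(SECCLASS_SHM, SHM__LOCK, "lock")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
- S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
- S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
- S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
- S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
- S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
- S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
- S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
- S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
- S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
- S_(SECCLASS_PACKET, PACKET__SEND, "send")
- S_(SECCLASS_PACKET, PACKET__RECV, "recv")
- S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
- S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
- S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
- S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
- S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
- S_(SECCLASS_KEY, KEY__VIEW, "view")
- S_(SECCLASS_KEY, KEY__READ, "read")
- S_(SECCLASS_KEY, KEY__WRITE, "write")
- S_(SECCLASS_KEY, KEY__SEARCH, "search")
- S_(SECCLASS_KEY, KEY__LINK, "link")
- S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
- S_(SECCLASS_KEY, KEY__CREATE, "create")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
- S_(SECCLASS_PEER, PEER__RECV, "recv")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")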
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
deleted file mode 100644
index d645192ee950..000000000000
--- a/security/selinux/include/av_permissions.h
+++ /dev/null
@@ -1,847 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2#define COMMON_FILE__IOCTL 0x00000001UL
3#define COMMON_FILE__READ 0x00000002UL
4#define COMMON_FILE__WRITE 0x00000004UL
5#define COMMON_FILE__CREATE 0x00000008UL
6#define COMMON_FILE__GETATTR 0x00000010UL
7#define COMMON_FILE__SETATTR 0x00000020UL
8#define COMMON_FILE__LOCK 0x00000040UL
9#define COMMON_FILE__RELABELFROM 0x00000080UL
10#define COMMON_FILE__RELABELTO 0x00000100UL
11#define COMMON_FILE__APPEND 0x00000200UL
12#define COMMON_FILE__UNLINK 0x00000400UL
13#define COMMON_FILE__LINK 0x00000800UL
14#define COMMON_FILE__RENAME 0x00001000UL
15#define COMMON_FILE__EXECUTE 0x00002000UL
16#define COMMON_FILE__SWAPON 0x00004000UL
17#define COMMON_FILE__QUOTAON 0x00008000UL
18#define COMMON_FILE__MOUNTON 0x00010000UL
19#define COMMON_SOCKET__IOCTL 0x00000001UL
20#define COMMON_SOCKET__READ 0x00000002UL
21#define COMMON_SOCKET__WRITE 0x00000004UL
22#define COMMON_SOCKET__CREATE 0x00000008UL
23#define COMMON_SOCKET__GETATTR 0x00000010UL
24#define COMMON_SOCKET__SETATTR 0x00000020UL
25#define COMMON_SOCKET__LOCK 0x00000040UL
26#define COMMON_SOCKET__RELABELFROM 0x00000080UL
27#define COMMON_SOCKET__RELABELTO 0x00000100UL
28#define COMMON_SOCKET__APPEND 0x00000200UL
29#define COMMON_SOCKET__BIND 0x00000400UL
30#define COMMON_SOCKET__CONNECT 0x00000800UL
31#define COMMON_SOCKET__LISTEN 0x00001000UL
32#define COMMON_SOCKET__ACCEPT 0x00002000UL
33#define COMMON_SOCKET__GETOPT 0x00004000UL
34#define COMMON_SOCKET__SETOPT 0x00008000UL
35#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
36#define COMMON_SOCKET__RECVFROM 0x00020000UL
37#define COMMON_SOCKET__SENDTO 0x00040000UL
38#define COMMON_SOCKET__RECV_MSG 0x00080000UL
39#define COMMON_SOCKET__SEND_MSG 0x00100000UL
40#define COMMON_SOCKET__NAME_BIND 0x00200000UL
41#define COMMON_IPC__CREATE 0x00000001UL
42#define COMMON_IPC__DESTROY 0x00000002UL
43#define COMMON_IPC__GETATTR 0x00000004UL
44#define COMMON_IPC__SETATTR 0x00000008UL
45#define COMMON_IPC__READ 0x00000010UL
46#define COMMON_IPC__WRITE 0x00000020UL
47#define COMMON_IPC__ASSOCIATE 0x00000040UL
48#define COMMON_IPC__UNIX_READ 0x00000080UL
49#define COMMON_IPC__UNIX_WRITE 0x00000100UL
50#define FILESYSTEM__MOUNT 0x00000001UL
51#define FILESYSTEM__REMOUNT 0x00000002UL
52#define FILESYSTEM__UNMOUNT 0x00000004UL
53#define FILESYSTEM__GETATTR 0x00000008UL
54#define FILESYSTEM__RELABELFROM 0x00000010UL
55#define FILESYSTEM__RELABELTO 0x00000020UL
56#define FILESYSTEM__TRANSITION 0x00000040UL
57#define FILESYSTEM__ASSOCIATE 0x00000080UL
58#define FILESYSTEM__QUOTAMOD 0x00000100UL
59#define FILESYSTEM__QUOTAGET 0x00000200UL
60#define DIR__IOCTL 0x00000001UL
61#define DIR__READ 0x00000002UL
62#define DIR__WRITE 0x00000004UL
63#define DIR__CREATE 0x00000008UL
64#define DIR__GETATTR 0x00000010UL
65#define DIR__SETATTR 0x00000020UL
66#define DIR__LOCK 0x00000040UL
67#define DIR__RELABELFROM 0x00000080UL
68#define DIR__RELABELTO 0x00000100UL
69#define DIR__APPEND 0x00000200UL
70#define DIR__UNLINK 0x00000400UL
71#define DIR__LINK 0x00000800UL
72#define DIR__RENAME 0x00001000UL
73#define DIR__EXECUTE 0x00002000UL
74#define DIR__SWAPON 0x00004000UL
75#define DIR__QUOTAON 0x00008000UL
76#define DIR__MOUNTON 0x00010000UL
77#define DIR__ADD_NAME 0x00020000UL
78#define DIR__REMOVE_NAME 0x00040000UL
79#define DIR__REPARENT 0x00080000UL
80#define DIR__SEARCH 0x00100000UL
81#define DIR__RMDIR 0x00200000UL
82#define DIR__OPEN 0x00400000UL
83#define FILE__IOCTL 0x00000001UL
84#define FILE__READ 0x00000002UL
85#define FILE__WRITE 0x00000004UL
86#define FILE__CREATE 0x00000008UL
87#define FILE__GETATTR 0x00000010UL
88#define FILE__SETATTR 0x00000020UL
89#define FILE__LOCK 0x00000040UL
90#define FILE__RELABELFROM 0x00000080UL
91#define FILE__RELABELTO 0x00000100UL
92#define FILE__APPEND 0x00000200UL
93#define FILE__UNLINK 0x00000400UL
94#define FILE__LINK 0x00000800UL
95#define FILE__RENAME 0x00001000UL
96#define FILE__EXECUTE 0x00002000UL
97#define FILE__SWAPON 0x00004000UL
98#define FILE__QUOTAON 0x00008000UL
99#define FILE__MOUNTON 0x00010000UL
100#define FILE__EXECUTE_NO_TRANS 0x00020000UL
101#define FILE__ENTRYPOINT 0x00040000UL
102#define FILE__EXECMOD 0x00080000UL
103#define FILE__OPEN 0x00100000UL
104#define LNK_FILE__IOCTL 0x00000001UL
105#define LNK_FILE__READ 0x00000002UL
106#define LNK_FILE__WRITE 0x00000004UL
107#define LNK_FILE__CREATE 0x00000008UL
108#define LNK_FILE__GETATTR 0x00000010UL
109#define LNK_FILE__SETATTR 0x00000020UL
110#define LNK_FILE__LOCK 0x00000040UL
111#define LNK_FILE__RELABELFROM 0x00000080UL
112#define LNK_FILE__RELABELTO 0x00000100UL
113#define LNK_FILE__APPEND 0x00000200UL
114#define LNK_FILE__UNLINK 0x00000400UL
115#define LNK_FILE__LINK 0x00000800UL
116#define LNK_FILE__RENAME 0x00001000UL
117#define LNK_FILE__EXECUTE 0x00002000UL
118#define LNK_FILE__SWAPON 0x00004000UL
119#define LNK_FILE__QUOTAON 0x00008000UL
120#define LNK_FILE__MOUNTON 0x00010000UL
121#define CHR_FILE__IOCTL 0x00000001UL
122#define CHR_FILE__READ 0x00000002UL
123#define CHR_FILE__WRITE 0x00000004UL
124#define CHR_FILE__CREATE 0x00000008UL
125#define CHR_FILE__GETATTR 0x00000010UL
126#define CHR_FILE__SETATTR 0x00000020UL
127#define CHR_FILE__LOCK 0x00000040UL
128#define CHR_FILE__RELABELFROM 0x00000080UL
129#define CHR_FILE__RELABELTO 0x00000100UL
130#define CHR_FILE__APPEND 0x00000200UL
131#define CHR_FILE__UNLINK 0x00000400UL
132#define CHR_FILE__LINK 0x00000800UL
133#define CHR_FILE__RENAME 0x00001000UL
134#define CHR_FILE__EXECUTE 0x00002000UL
135#define CHR_FILE__SWAPON 0x00004000UL
136#define CHR_FILE__QUOTAON 0x00008000UL
137#define CHR_FILE__MOUNTON 0x00010000UL
138#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
139#define CHR_FILE__ENTRYPOINT 0x00040000UL
140#define CHR_FILE__EXECMOD 0x00080000UL
141#define CHR_FILE__OPEN 0x00100000UL
142#define BLK_FILE__IOCTL 0x00000001UL
143#define BLK_FILE__READ 0x00000002UL
144#define BLK_FILE__WRITE 0x00000004UL
145#define BLK_FILE__CREATE 0x00000008UL
146#define BLK_FILE__GETATTR 0x00000010UL
147#define BLK_FILE__SETATTR 0x00000020UL
148#define BLK_FILE__LOCK 0x00000040UL
149#define BLK_FILE__RELABELFROM 0x00000080UL
150#define BLK_FILE__RELABELTO 0x00000100UL
151#define BLK_FILE__APPEND 0x00000200UL
152#define BLK_FILE__UNLINK 0x00000400UL
153#define BLK_FILE__LINK 0x00000800UL
154#define BLK_FILE__RENAME 0x00001000UL
155#define BLK_FILE__EXECUTE 0x00002000UL
156#define BLK_FILE__SWAPON 0x00004000UL
157#define BLK_FILE__QUOTAON 0x00008000UL
158#define BLK_FILE__MOUNTON 0x00010000UL
159#define BLK_FILE__OPEN 0x00020000UL
160#define SOCK_FILE__IOCTL 0x00000001UL
161#define SOCK_FILE__READ 0x00000002UL
162#define SOCK_FILE__WRITE 0x00000004UL
163#define SOCK_FILE__CREATE 0x00000008UL
164#define SOCK_FILE__GETATTR 0x00000010UL
165#define SOCK_FILE__SETATTR 0x00000020UL
166#define SOCK_FILE__LOCK 0x00000040UL
167#define SOCK_FILE__RELABELFROM 0x00000080UL
168#define SOCK_FILE__RELABELTO 0x00000100UL
169#define SOCK_FILE__APPEND 0x00000200UL
170#define SOCK_FILE__UNLINK 0x00000400UL
171#define SOCK_FILE__LINK 0x00000800UL
172#define SOCK_FILE__RENAME 0x00001000UL
173#define SOCK_FILE__EXECUTE 0x00002000UL
174#define SOCK_FILE__SWAPON 0x00004000UL
175#define SOCK_FILE__QUOTAON 0x00008000UL
176#define SOCK_FILE__MOUNTON 0x00010000UL
177#define SOCK_FILE__OPEN 0x00020000UL
178#define FIFO_FILE__IOCTL 0x00000001UL
179#define FIFO_FILE__READ 0x00000002UL
180#define FIFO_FILE__WRITE 0x00000004UL
181#define FIFO_FILE__CREATE 0x00000008UL
182#define FIFO_FILE__GETATTR 0x00000010UL
183#define FIFO_FILE__SETATTR 0x00000020UL
184#define FIFO_FILE__LOCK 0x00000040UL
185#define FIFO_FILE__RELABELFROM 0x00000080UL
186#define FIFO_FILE__RELABELTO 0x00000100UL
187#define FIFO_FILE__APPEND 0x00000200UL
188#define FIFO_FILE__UNLINK 0x00000400UL
189#define FIFO_FILE__LINK 0x00000800UL
190#define FIFO_FILE__RENAME 0x00001000UL
191#define FIFO_FILE__EXECUTE 0x00002000UL
192#define FIFO_FILE__SWAPON 0x00004000UL
193#define FIFO_FILE__QUOTAON 0x00008000UL
194#define FIFO_FILE__MOUNTON 0x00010000UL
195#define FIFO_FILE__OPEN 0x00020000UL
196#define FD__USE 0x00000001UL
197#define SOCKET__IOCTL 0x00000001UL
198#define SOCKET__READ 0x00000002UL
199#define SOCKET__WRITE 0x00000004UL
200#define SOCKET__CREATE 0x00000008UL
201#define SOCKET__GETATTR 0x00000010UL
202#define SOCKET__SETATTR 0x00000020UL
203#define SOCKET__LOCK 0x00000040UL
204#define SOCKET__RELABELFROM 0x00000080UL
205#define SOCKET__RELABELTO 0x00000100UL
206#define SOCKET__APPEND 0x00000200UL
207#define SOCKET__BIND 0x00000400UL
208#define SOCKET__CONNECT 0x00000800UL
209#define SOCKET__LISTEN 0x00001000UL
210#define SOCKET__ACCEPT 0x00002000UL
211#define SOCKET__GETOPT 0x00004000UL
212#define SOCKET__SETOPT 0x00008000UL
213#define SOCKET__SHUTDOWN 0x00010000UL
214#define SOCKET__RECVFROM 0x00020000UL
215#define SOCKET__SENDTO 0x00040000UL
216#define SOCKET__RECV_MSG 0x00080000UL
217#define SOCKET__SEND_MSG 0x00100000UL
218#define SOCKET__NAME_BIND 0x00200000UL
219#define TCP_SOCKET__IOCTL 0x00000001UL
220#define TCP_SOCKET__READ 0x00000002UL
221#define TCP_SOCKET__WRITE 0x00000004UL
222#define TCP_SOCKET__CREATE 0x00000008UL
223#define TCP_SOCKET__GETATTR 0x00000010UL
224#define TCP_SOCKET__SETATTR 0x00000020UL
225#define TCP_SOCKET__LOCK 0x00000040UL
226#define TCP_SOCKET__RELABELFROM 0x00000080UL
227#define TCP_SOCKET__RELABELTO 0x00000100UL
228#define TCP_SOCKET__APPEND 0x00000200UL
229#define TCP_SOCKET__BIND 0x00000400UL
230#define TCP_SOCKET__CONNECT 0x00000800UL
231#define TCP_SOCKET__LISTEN 0x00001000UL
232#define TCP_SOCKET__ACCEPT 0x00002000UL
233#define TCP_SOCKET__GETOPT 0x00004000UL
234#define TCP_SOCKET__SETOPT 0x00008000UL
235#define TCP_SOCKET__SHUTDOWN 0x00010000UL
236#define TCP_SOCKET__RECVFROM 0x00020000UL
237#define TCP_SOCKET__SENDTO 0x00040000UL
238#define TCP_SOCKET__RECV_MSG 0x00080000UL
239#define TCP_SOCKET__SEND_MSG 0x00100000UL
240#define TCP_SOCKET__NAME_BIND 0x00200000UL
241#define TCP_SOCKET__CONNECTTO 0x00400000UL
242#define TCP_SOCKET__NEWCONN 0x00800000UL
243#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
244#define TCP_SOCKET__NODE_BIND 0x02000000UL
245#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
246#define UDP_SOCKET__IOCTL 0x00000001UL
247#define UDP_SOCKET__READ 0x00000002UL
248#define UDP_SOCKET__WRITE 0x00000004UL
249#define UDP_SOCKET__CREATE 0x00000008UL
250#define UDP_SOCKET__GETATTR 0x00000010UL
251#define UDP_SOCKET__SETATTR 0x00000020UL
252#define UDP_SOCKET__LOCK 0x00000040UL
253#define UDP_SOCKET__RELABELFROM 0x00000080UL
254#define UDP_SOCKET__RELABELTO 0x00000100UL
255#define UDP_SOCKET__APPEND 0x00000200UL
256#define UDP_SOCKET__BIND 0x00000400UL
257#define UDP_SOCKET__CONNECT 0x00000800UL
258#define UDP_SOCKET__LISTEN 0x00001000UL
259#define UDP_SOCKET__ACCEPT 0x00002000UL
260#define UDP_SOCKET__GETOPT 0x00004000UL
261#define UDP_SOCKET__SETOPT 0x00008000UL
262#define UDP_SOCKET__SHUTDOWN 0x00010000UL
263#define UDP_SOCKET__RECVFROM 0x00020000UL
264#define UDP_SOCKET__SENDTO 0x00040000UL
265#define UDP_SOCKET__RECV_MSG 0x00080000UL
266#define UDP_SOCKET__SEND_MSG 0x00100000UL
267#define UDP_SOCKET__NAME_BIND 0x00200000UL
268#define UDP_SOCKET__NODE_BIND 0x00400000UL
269#define RAWIP_SOCKET__IOCTL 0x00000001UL
270#define RAWIP_SOCKET__READ 0x00000002UL
271#define RAWIP_SOCKET__WRITE 0x00000004UL
272#define RAWIP_SOCKET__CREATE 0x00000008UL
273#define RAWIP_SOCKET__GETATTR 0x00000010UL
274#define RAWIP_SOCKET__SETATTR 0x00000020UL
275#define RAWIP_SOCKET__LOCK 0x00000040UL
276#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
277#define RAWIP_SOCKET__RELABELTO 0x00000100UL
278#define RAWIP_SOCKET__APPEND 0x00000200UL
279#define RAWIP_SOCKET__BIND 0x00000400UL
280#define RAWIP_SOCKET__CONNECT 0x00000800UL
281#define RAWIP_SOCKET__LISTEN 0x00001000UL
282#define RAWIP_SOCKET__ACCEPT 0x00002000UL
283#define RAWIP_SOCKET__GETOPT 0x00004000UL
284#define RAWIP_SOCKET__SETOPT 0x00008000UL
285#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
286#define RAWIP_SOCKET__RECVFROM 0x00020000UL
287#define RAWIP_SOCKET__SENDTO 0x00040000UL
288#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
289#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
290#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
291#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
292#define NODE__TCP_RECV 0x00000001UL
293#define NODE__TCP_SEND 0x00000002UL
294#define NODE__UDP_RECV 0x00000004UL
295#define NODE__UDP_SEND 0x00000008UL
296#define NODE__RAWIP_RECV 0x00000010UL
297#define NODE__RAWIP_SEND 0x00000020UL
298#define NODE__ENFORCE_DEST 0x00000040UL
299#define NODE__DCCP_RECV 0x00000080UL
300#define NODE__DCCP_SEND 0x00000100UL
301#define NODE__RECVFROM 0x00000200UL
302#define NODE__SENDTO 0x00000400UL
303#define NETIF__TCP_RECV 0x00000001UL
304#define NETIF__TCP_SEND 0x00000002UL
305#define NETIF__UDP_RECV 0x00000004UL
306#define NETIF__UDP_SEND 0x00000008UL
307#define NETIF__RAWIP_RECV 0x00000010UL
308#define NETIF__RAWIP_SEND 0x00000020UL
309#define NETIF__DCCP_RECV 0x00000040UL
310#define NETIF__DCCP_SEND 0x00000080UL
311#define NETIF__INGRESS 0x00000100UL
312#define NETIF__EGRESS 0x00000200UL
313#define NETLINK_SOCKET__IOCTL 0x00000001UL
314#define NETLINK_SOCKET__READ 0x00000002UL
315#define NETLINK_SOCKET__WRITE 0x00000004UL
316#define NETLINK_SOCKET__CREATE 0x00000008UL
317#define NETLINK_SOCKET__GETATTR 0x00000010UL
318#define NETLINK_SOCKET__SETATTR 0x00000020UL
319#define NETLINK_SOCKET__LOCK 0x00000040UL
320#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
321#define NETLINK_SOCKET__RELABELTO 0x00000100UL
322#define NETLINK_SOCKET__APPEND 0x00000200UL
323#define NETLINK_SOCKET__BIND 0x00000400UL
324#define NETLINK_SOCKET__CONNECT 0x00000800UL
325#define NETLINK_SOCKET__LISTEN 0x00001000UL
326#define NETLINK_SOCKET__ACCEPT 0x00002000UL
327#define NETLINK_SOCKET__GETOPT 0x00004000UL
328#define NETLINK_SOCKET__SETOPT 0x00008000UL
329#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
330#define NETLINK_SOCKET__RECVFROM 0x00020000UL
331#define NETLINK_SOCKET__SENDTO 0x00040000UL
332#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
333#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
334#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
335#define PACKET_SOCKET__IOCTL 0x00000001UL
336#define PACKET_SOCKET__READ 0x00000002UL
337#define PACKET_SOCKET__WRITE 0x00000004UL
338#define PACKET_SOCKET__CREATE 0x00000008UL
339#define PACKET_SOCKET__GETATTR 0x00000010UL
340#define PACKET_SOCKET__SETATTR 0x00000020UL
341#define PACKET_SOCKET__LOCK 0x00000040UL
342#define PACKET_SOCKET__RELABELFROM 0x00000080UL
343#define PACKET_SOCKET__RELABELTO 0x00000100UL
344#define PACKET_SOCKET__APPEND 0x00000200UL
345#define PACKET_SOCKET__BIND 0x00000400UL
346#define PACKET_SOCKET__CONNECT 0x00000800UL
347#define PACKET_SOCKET__LISTEN 0x00001000UL
348#define PACKET_SOCKET__ACCEPT 0x00002000UL
349#define PACKET_SOCKET__GETOPT 0x00004000UL
350#define PACKET_SOCKET__SETOPT 0x00008000UL
351#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
352#define PACKET_SOCKET__RECVFROM 0x00020000UL
353#define PACKET_SOCKET__SENDTO 0x00040000UL
354#define PACKET_SOCKET__RECV_MSG 0x00080000UL
355#define PACKET_SOCKET__SEND_MSG 0x00100000UL
356#define PACKET_SOCKET__NAME_BIND 0x00200000UL
357#define KEY_SOCKET__IOCTL 0x00000001UL
358#define KEY_SOCKET__READ 0x00000002UL
359#define KEY_SOCKET__WRITE 0x00000004UL
360#define KEY_SOCKET__CREATE 0x00000008UL
361#define KEY_SOCKET__GETATTR 0x00000010UL
362#define KEY_SOCKET__SETATTR 0x00000020UL
363#define KEY_SOCKET__LOCK 0x00000040UL
364#define KEY_SOCKET__RELABELFROM 0x00000080UL
365#define KEY_SOCKET__RELABELTO 0x00000100UL
366#define KEY_SOCKET__APPEND 0x00000200UL
367#define KEY_SOCKET__BIND 0x00000400UL
368#define KEY_SOCKET__CONNECT 0x00000800UL
369#define KEY_SOCKET__LISTEN 0x00001000UL
370#define KEY_SOCKET__ACCEPT 0x00002000UL
371#define KEY_SOCKET__GETOPT 0x00004000UL
372#define KEY_SOCKET__SETOPT 0x00008000UL
373#define KEY_SOCKET__SHUTDOWN 0x00010000UL
374#define KEY_SOCKET__RECVFROM 0x00020000UL
375#define KEY_SOCKET__SENDTO 0x00040000UL
376#define KEY_SOCKET__RECV_MSG 0x00080000UL
377#define KEY_SOCKET__SEND_MSG 0x00100000UL
378#define KEY_SOCKET__NAME_BIND 0x00200000UL
379#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
380#define UNIX_STREAM_SOCKET__READ 0x00000002UL
381#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
382#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
383#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
384#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
385#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
386#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
387#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
388#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
389#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
390#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
391#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
392#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
393#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
394#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
395#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
396#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
397#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
398#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
399#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
400#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
401#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
402#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
403#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
404#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
405#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
406#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
407#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
408#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
409#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
410#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
411#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
412#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
413#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
414#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
415#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
416#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
417#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
418#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
419#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
420#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
421#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
422#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
423#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
424#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
425#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
426#define PROCESS__FORK 0x00000001UL
427#define PROCESS__TRANSITION 0x00000002UL
428#define PROCESS__SIGCHLD 0x00000004UL
429#define PROCESS__SIGKILL 0x00000008UL
430#define PROCESS__SIGSTOP 0x00000010UL
431#define PROCESS__SIGNULL 0x00000020UL
432#define PROCESS__SIGNAL 0x00000040UL
433#define PROCESS__PTRACE 0x00000080UL
434#define PROCESS__GETSCHED 0x00000100UL
435#define PROCESS__SETSCHED 0x00000200UL
436#define PROCESS__GETSESSION 0x00000400UL
437#define PROCESS__GETPGID 0x00000800UL
438#define PROCESS__SETPGID 0x00001000UL
439#define PROCESS__GETCAP 0x00002000UL
440#define PROCESS__SETCAP 0x00004000UL
441#define PROCESS__SHARE 0x00008000UL
442#define PROCESS__GETATTR 0x00010000UL
443#define PROCESS__SETEXEC 0x00020000UL
444#define PROCESS__SETFSCREATE 0x00040000UL
445#define PROCESS__NOATSECURE 0x00080000UL
446#define PROCESS__SIGINH 0x00100000UL
447#define PROCESS__SETRLIMIT 0x00200000UL
448#define PROCESS__RLIMITINH 0x00400000UL
449#define PROCESS__DYNTRANSITION 0x00800000UL
450#define PROCESS__SETCURRENT 0x01000000UL
451#define PROCESS__EXECMEM 0x02000000UL
452#define PROCESS__EXECSTACK 0x04000000UL
453#define PROCESS__EXECHEAP 0x08000000UL
454#define PROCESS__SETKEYCREATE 0x10000000UL
455#define PROCESS__SETSOCKCREATE 0x20000000UL
456#define IPC__CREATE 0x00000001UL
457#define IPC__DESTROY 0x00000002UL
458#define IPC__GETATTR 0x00000004UL
459#define IPC__SETATTR 0x00000008UL
460#define IPC__READ 0x00000010UL
461#define IPC__WRITE 0x00000020UL
462#define IPC__ASSOCIATE 0x00000040UL
463#define IPC__UNIX_READ 0x00000080UL
464#define IPC__UNIX_WRITE 0x00000100UL
465#define SEM__CREATE 0x00000001UL
466#define SEM__DESTROY 0x00000002UL
467#define SEM__GETATTR 0x00000004UL
468#define SEM__SETATTR 0x00000008UL
469#define SEM__READ 0x00000010UL
470#define SEM__WRITE 0x00000020UL
471#define SEM__ASSOCIATE 0x00000040UL
472#define SEM__UNIX_READ 0x00000080UL
473#define SEM__UNIX_WRITE 0x00000100UL
474#define MSGQ__CREATE 0x00000001UL
475#define MSGQ__DESTROY 0x00000002UL
476#define MSGQ__GETATTR 0x00000004UL
477#define MSGQ__SETATTR 0x00000008UL
478#define MSGQ__READ 0x00000010UL
479#define MSGQ__WRITE 0x00000020UL
480#define MSGQ__ASSOCIATE 0x00000040UL
481#define MSGQ__UNIX_READ 0x00000080UL
482#define MSGQ__UNIX_WRITE 0x00000100UL
483#define MSGQ__ENQUEUE 0x00000200UL
484#define MSG__SEND 0x00000001UL
485#define MSG__RECEIVE 0x00000002UL
486#define SHM__CREATE 0x00000001UL
487#define SHM__DESTROY 0x00000002UL
488#define SHM__GETATTR 0x00000004UL
489#define SHM__SETATTR 0x00000008UL
490#define SHM__READ 0x00000010UL
491#define SHM__WRITE 0x00000020UL
492#define SHM__ASSOCIATE 0x00000040UL
493#define SHM__UNIX_READ 0x00000080UL
494#define SHM__UNIX_WRITE 0x00000100UL
495#define SHM__LOCK 0x00000200UL
496#define SECURITY__COMPUTE_AV 0x00000001UL
497#define SECURITY__COMPUTE_CREATE 0x00000002UL
498#define SECURITY__COMPUTE_MEMBER 0x00000004UL
499#define SECURITY__CHECK_CONTEXT 0x00000008UL
500#define SECURITY__LOAD_POLICY 0x00000010UL
501#define SECURITY__COMPUTE_RELABEL 0x00000020UL
502#define SECURITY__COMPUTE_USER 0x00000040UL
503#define SECURITY__SETENFORCE 0x00000080UL
504#define SECURITY__SETBOOL 0x00000100UL
505#define SECURITY__SETSECPARAM 0x00000200UL
506#define SECURITY__SETCHECKREQPROT 0x00000400UL
507#define SYSTEM__IPC_INFO 0x00000001UL
508#define SYSTEM__SYSLOG_READ 0x00000002UL
509#define SYSTEM__SYSLOG_MOD 0x00000004UL
510#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
511#define CAPABILITY__CHOWN 0x00000001UL
512#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
513#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
514#define CAPABILITY__FOWNER 0x00000008UL
515#define CAPABILITY__FSETID 0x00000010UL
516#define CAPABILITY__KILL 0x00000020UL
517#define CAPABILITY__SETGID 0x00000040UL
518#define CAPABILITY__SETUID 0x00000080UL
519#define CAPABILITY__SETPCAP 0x00000100UL
520#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
521#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
522#define CAPABILITY__NET_BROADCAST 0x00000800UL
523#define CAPABILITY__NET_ADMIN 0x00001000UL
524#define CAPABILITY__NET_RAW 0x00002000UL
525#define CAPABILITY__IPC_LOCK 0x00004000UL
526#define CAPABILITY__IPC_OWNER 0x00008000UL
527#define CAPABILITY__SYS_MODULE 0x00010000UL
528#define CAPABILITY__SYS_RAWIO 0x00020000UL
529#define CAPABILITY__SYS_CHROOT 0x00040000UL
530#define CAPABILITY__SYS_PTRACE 0x00080000UL
531#define CAPABILITY__SYS_PACCT 0x00100000UL
532#define CAPABILITY__SYS_ADMIN 0x00200000UL
533#define CAPABILITY__SYS_BOOT 0x00400000UL
534#define CAPABILITY__SYS_NICE 0x00800000UL
535#define CAPABILITY__SYS_RESOURCE 0x01000000UL
536#define CAPABILITY__SYS_TIME 0x02000000UL
537#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
538#define CAPABILITY__MKNOD 0x08000000UL
539#define CAPABILITY__LEASE 0x10000000UL
540#define CAPABILITY__AUDIT_WRITE 0x20000000UL
541#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
542#define CAPABILITY__SETFCAP 0x80000000UL
543#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
544#define CAPABILITY2__MAC_ADMIN 0x00000002UL
545#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
546#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
547#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
548#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
549#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
550#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
551#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
552#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
553#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
554#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
555#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
556#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
557#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
558#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
559#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
560#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
561#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
562#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
563#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
564#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
565#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
566#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
567#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
568#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
569#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
570#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
571#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
572#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
573#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
574#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
575#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
576#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
577#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
578#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
579#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
580#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
581#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
582#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
583#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
584#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
585#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
586#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
587#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
588#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
589#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
590#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
591#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
592#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
593#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
594#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
595#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
596#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
597#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
598#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
599#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
600#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
601#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
602#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
603#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
604#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
605#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
606#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
607#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
608#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
609#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
610#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
611#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
612#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
613#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
614#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
615#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
616#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
617#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
618#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
619#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
620#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
621#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
622#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
623#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
624#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
625#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
626#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
627#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
628#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
629#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
630#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
631#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
632#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
633#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
634#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
635#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
636#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
637#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
638#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
639#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
640#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
641#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
642#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
643#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
644#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
645#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
646#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
647#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
648#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
649#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
650#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
651#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
652#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
653#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
654#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
655#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
656#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
657#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
658#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
659#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
660#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
661#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
662#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
663#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
664#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
665#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
666#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
667#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
668#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
669#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
670#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
671#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
672#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
673#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
674#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
675#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
676#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
677#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
678#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
679#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
680#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
681#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
682#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
683#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
684#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
685#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
686#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
687#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
688#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
689#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
690#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
691#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
692#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
693#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
694#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
695#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
696#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
697#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
698#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
699#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
700#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
701#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
702#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
703#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
704#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
705#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
706#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
707#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
708#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
709#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
710#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
711#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
712#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
713#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
714#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
715#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
716#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
717#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
718#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
719#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
720#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
721#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
722#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
723#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
724#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
725#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
726#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
727#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
728#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
729#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
730#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
731#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
732#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
733#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
734#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
735#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
736#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
737#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
738#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
739#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
740#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
741#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
742#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
743#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
744#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
745#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
746#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
747#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
748#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
749#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
750#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
751#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
752#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
753#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
754#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
755#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
756#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
757#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
758#define ASSOCIATION__SENDTO 0x00000001UL
759#define ASSOCIATION__RECVFROM 0x00000002UL
760#define ASSOCIATION__SETCONTEXT 0x00000004UL
761#define ASSOCIATION__POLMATCH 0x00000008UL
762#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
763#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
764#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
765#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
766#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
767#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
768#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
769#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
770#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
771#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
772#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
773#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
774#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
775#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
776#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
777#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
778#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
779#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
780#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
781#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
782#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
783#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
784#define APPLETALK_SOCKET__IOCTL 0x00000001UL
785#define APPLETALK_SOCKET__READ 0x00000002UL
786#define APPLETALK_SOCKET__WRITE 0x00000004UL
787#define APPLETALK_SOCKET__CREATE 0x00000008UL
788#define APPLETALK_SOCKET__GETATTR 0x00000010UL
789#define APPLETALK_SOCKET__SETATTR 0x00000020UL
790#define APPLETALK_SOCKET__LOCK 0x00000040UL
791#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
792#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
793#define APPLETALK_SOCKET__APPEND 0x00000200UL
794#define APPLETALK_SOCKET__BIND 0x00000400UL
795#define APPLETALK_SOCKET__CONNECT 0x00000800UL
796#define APPLETALK_SOCKET__LISTEN 0x00001000UL
797#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
798#define APPLETALK_SOCKET__GETOPT 0x00004000UL
799#define APPLETALK_SOCKET__SETOPT 0x00008000UL
800#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
801#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
802#define APPLETALK_SOCKET__SENDTO 0x00040000UL
803#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
804#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
805#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
806#define PACKET__SEND 0x00000001UL
807#define PACKET__RECV 0x00000002UL
808#define PACKET__RELABELTO 0x00000004UL
809#define PACKET__FLOW_IN 0x00000008UL
810#define PACKET__FLOW_OUT 0x00000010UL
811#define PACKET__FORWARD_IN 0x00000020UL
812#define PACKET__FORWARD_OUT 0x00000040UL
813#define KEY__VIEW 0x00000001UL
814#define KEY__READ 0x00000002UL
815#define KEY__WRITE 0x00000004UL
816#define KEY__SEARCH 0x00000008UL
817#define KEY__LINK 0x00000010UL
818#define KEY__SETATTR 0x00000020UL
819#define KEY__CREATE 0x00000040UL
820#define DCCP_SOCKET__IOCTL 0x00000001UL
821#define DCCP_SOCKET__READ 0x00000002UL
822#define DCCP_SOCKET__WRITE 0x00000004UL
823#define DCCP_SOCKET__CREATE 0x00000008UL
824#define DCCP_SOCKET__GETATTR 0x00000010UL
825#define DCCP_SOCKET__SETATTR 0x00000020UL
826#define DCCP_SOCKET__LOCK 0x00000040UL
827#define DCCP_SOCKET__RELABELFROM 0x00000080UL
828#define DCCP_SOCKET__RELABELTO 0x00000100UL
829#define DCCP_SOCKET__APPEND 0x00000200UL
830#define DCCP_SOCKET__BIND 0x00000400UL
831#define DCCP_SOCKET__CONNECT 0x00000800UL
832#define DCCP_SOCKET__LISTEN 0x00001000UL
833#define DCCP_SOCKET__ACCEPT 0x00002000UL
834#define DCCP_SOCKET__GETOPT 0x00004000UL
835#define DCCP_SOCKET__SETOPT 0x00008000UL
836#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
837#define DCCP_SOCKET__RECVFROM 0x00020000UL
838#define DCCP_SOCKET__SENDTO 0x00040000UL
839#define DCCP_SOCKET__RECV_MSG 0x00080000UL
840#define DCCP_SOCKET__SEND_MSG 0x00100000UL
841#define DCCP_SOCKET__NAME_BIND 0x00200000UL
842#define DCCP_SOCKET__NODE_BIND 0x00400000UL
843#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
844#define MEMPROTECT__MMAP_ZERO 0x00000001UL
845#define PEER__RECV 0x00000001UL
846#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
847#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
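--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -13,6 +13,7 @@
 #include <linux/spinlock.h>
 #include <linux/init.h>
 #include <linux/audit.h>
+#include <linux/lsm_audit.h>
 #include <linux/in6.h>
 #include <linux/path.h>
 #include <asm/system.h>
@@ -36,48 +37,6 @@ struct inode;
 struct sock;
 struct sk_buff;
 
-/* Auxiliary data to use in generating the audit record. */
-struct avc_audit_data {
- char type;
-#define AVC_AUDIT_DATA_FS 1
-#define AVC_AUDIT_DATA_NET 2
-#define AVC_AUDIT_DATA_CAP 3
-#define AVC_AUDIT_DATA_IPC 4
- struct task_struct *tsk;
- union {
- struct {
- struct path path;
- struct inode *inode;
- } fs;
- struct {
- int netif;
- struct sock *sk;
- u16 family;
- __be16 dport;
- __be16 sport;
- union {
- struct {
- __be32 daddr;
- __be32 saddr;
- } v4;
- struct {
- struct in6_addr daddr;
- struct in6_addr saddr;
- } v6;
- } fam;
- } net;
- int cap;
- int ipc_id;
- } u;
-};
-
-#define v4info fam.v4
-#define v6info fam.v6
-
-/* Initialize an AVC audit data structure. */
-#define AVC_AUDIT_DATA_INIT(_d,_t) \
- { memset((_d), 0, sizeof(struct avc_audit_data)); (_d)->type = AVC_AUDIT_DATA_##_t; }
-
 /*
  * AVC statistics
  */
@@ -98,7 +57,9 @@ void __init avc_init(void);
 
 void avc_audit(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
- struct av_decision *avd, int result, struct avc_audit_data *auditdata);
+ struct av_decision *avd,
+ int result,
+ struct common_audit_data *a);
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
 int avc_has_perm_noaudit(u32 ssid, u32 tsid,
@@ -108,7 +69,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
 
 int avc_has_perm(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
- struct avc_audit_data *auditdata);
+ struct common_audit_data *auditdata);
 
 u32 avc_policy_seqno(void);
 
@@ -127,13 +88,13 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
  u32 events, u32 ssid, u32 tsid,
  u16 tclass, u32 perms);
 
-/* Shows permission in human readable form */
-void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av);
-
 /* Exported to selinuxfs */
 int avc_get_hash_stats(char *page);
 extern unsigned int avc_cache_threshold;
 
+/* Attempt to free avc node cache */
+void avc_disable(void);
+
 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
 DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats);
 #endif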
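Review bot: The new `avc_audit` prototype names its audit parameter `a` while the `avc_has_perm` prototype in the next hunk keeps `auditdata` for the same `struct common_audit_data *`; the two declarations in one header should agree, e.g. `struct common_audit_data *auditdata);` as the last line of the `avc_audit` declaration. The comment on the added `avc_disable()` declaration, `/* Attempt to free avc node cache */`, says what the function tries but not when it may be called or what state the AVC is in afterwards, which matters because that cache is what every permission check consults. I would replace it with a one-line contract naming the caller-side condition and the post-state, once both have been confirmed against avc.c, which is not in this chunk.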
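--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
 
 int avc_ss_reset(u32 seqno);
 
-struct av_perm_to_string {
- u16 tclass;
- u32 value;
+/* Class/perm mapping support */
+struct security_class_mapping {
  const char *name;
+ const char *perms[sizeof(u32) * 8 + 1];
 };
 
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
-struct selinux_class_perm {
- const struct av_perm_to_string *av_perm_to_string;
- u32 av_pts_len;
- u32 cts_len;
- const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
-};
+extern struct security_class_mapping secclass_map[];
 
 #endif /* _SELINUX_AVC_SS_H_ */
 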
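Review bot: The array bound `sizeof(u32) * 8 + 1` on `perms` encodes a contract nothing states: one name per bit of a 32-bit access vector plus a NULL terminator, so a class can list at most 32 permissions and every list in the table must end in NULL; I would write `const char *perms[sizeof(u32) * 8 + 1]; /* one name per access-vector bit, NULL-terminated */`. The declaration `extern struct security_class_mapping secclass_map[];` is non-const although the table holds only permission-name strings that are consulted when policy classes are mapped to kernel classes. If nothing in services.c or avc.c writes to it (neither file is in this chunk), declaring it `extern const struct security_class_mapping secclass_map[];` here, with the matching `const` on the definition in classmap.h, lets the table live in read-only data so a stray kernel write cannot change which name maps to which bit.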
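--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,79 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-/*
- * Security object class definitions
- */
- S_(NULL)
- S_("security")
- S_("process")
- S_("system")
- S_("capability")
- S_("filesystem")
- S_("file")
- S_("dir")
- S_("fd")
- S_("lnk_file")
- S_("chr_file")
- S_("blk_file")
- S_("sock_file")
- S_("fifo_file")
- S_("socket")
- S_("tcp_socket")
- S_("udp_socket")
- S_("rawip_socket")
- S_("node")
- S_("netif")
- S_("netlink_socket")
- S_("packet_socket")
- S_("key_socket")
- S_("unix_stream_socket")
- S_("unix_dgram_socket")
- S_("sem")
- S_("msg")
- S_("msgq")
- S_("shm")
- S_("ipc")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("netlink_route_socket")
- S_("netlink_firewall_socket")
- S_("netlink_tcpdiag_socket")
- S_("netlink_nflog_socket")
- S_("netlink_xfrm_socket")
- S_("netlink_selinux_socket")
- S_("netlink_audit_socket")
- S_("netlink_ip6fw_socket")
- S_("netlink_dnrt_socket")
- S_(NULL)
- S_(NULL)
- S_("association")
- S_("netlink_kobject_uevent_socket")
- S_("appletalk_socket")
- S_("packet")
- S_("key")
- S_(NULL)
- S_("dccp_socket")
- S_("memprotect")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("peer")
- S_("capability2")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("kernel_service")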
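--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
+#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
+ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+
+#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
+ "rename", "execute", "swapon", "quotaon", "mounton"
+
+#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
+ "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
+ "sendto", "recv_msg", "send_msg", "name_bind"
+
+#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
+ "write", "associate", "unix_read", "unix_write"
+
+struct security_class_mapping secclass_map[] = {
+ { "security",
+ { "compute_av", "compute_create", "compute_member",
+ "check_context", "load_policy", "compute_relabel",
+ "compute_user", "setenforce", "setbool", "setsecparam",
+ "setcheckreqprot", NULL } },
+ { "process",
+ { "fork", "transition", "sigchld", "sigkill",
+ "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
+ "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
+ "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ "execmem", "execstack", "execheap", "setkeycreate",
+ "setsockcreate", NULL } },
+ { "system",
+ { "ipc_info", "syslog_read", "syslog_mod",
+ "syslog_console", "module_request", NULL } },
+ { "capability",
+ { "chown", "dac_override", "dac_read_search",
+ "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
+ "linux_immutable", "net_bind_service", "net_broadcast",
+ "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
+ "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
+ "sys_boot", "sys_nice", "sys_resource", "sys_time",
+ "sys_tty_config", "mknod", "lease", "audit_write",
+ "audit_control", "setfcap", NULL } },
+ { "filesystem",
+ { "mount", "remount", "unmount", "getattr",
+ "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+ "quotaget", NULL } },
+ { "file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "dir",
+ { COMMON_FILE_PERMS, "add_name", "remove_name",
+ "reparent", "search", "rmdir", "open", NULL } },
+ { "fd", { "use", NULL } },
+ { "lnk_file",
+ { COMMON_FILE_PERMS, NULL } },
+ { "chr_file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "blk_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "sock_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "fifo_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "tcp_socket",
+ { COMMON_SOCK_PERMS,
+ "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+ NULL } },
+ { "udp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "rawip_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "node",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "enforce_dest",
+ "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+ { "netif",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
+ "ingress", "egress", NULL } },
+ { "netlink_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "key_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "unix_stream_socket",
+ { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
+ } },
+ { "unix_dgram_socket",
+ { COMMON_SOCK_PERMS, NULL
+ } },
+ { "sem",
+ { COMMON_IPC_PERMS, NULL } },
+ { "msg", { "send", "receive", NULL } },
+ { "msgq",
+ { COMMON_IPC_PERMS, "enqueue", NULL } },
+ { "shm",
+ { COMMON_IPC_PERMS, "lock", NULL } },
+ { "ipc",
+ { COMMON_IPC_PERMS, NULL } },
+ { "netlink_route_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_firewall_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_tcpdiag_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_nflog_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_xfrm_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_selinux_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_audit_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
+ "nlmsg_tty_audit", NULL } },
+ { "netlink_ip6fw_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_dnrt_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "association",
+ { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
+ { "netlink_kobject_uevent_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "appletalk_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet",
+ { "send", "recv", "relabelto", "flow_in", "flow_out",
+ "forward_in", "forward_out", NULL } },
+ { "key",
+ { "view", "read", "write", "search", "link", "setattr", "create",
+ NULL } },
+ { "dccp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", "name_connect", NULL } },
+ { "memprotect", { "mmap_zero", NULL } },
+ { "peer", { "recv", NULL } },
+ { "capability2", { "mac_override", "mac_admin", NULL } },
+ { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+ { "tun_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { NULL }
+ };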
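Review bot: The `perms` initializer lists are capped by the `sizeof(u32) * 8 + 1` bound declared in avc_ss.h, and the `"capability"` entry already fills all 32 named slots, so one more name added to it — or a 33rd added to any class — would push the NULL terminator out of the array, and GCC reports excess initializers only as a warning, leaving a list that any reader walking to NULL would run off the end of. A comment above `secclass_map[]` should state the limit, e.g. `/* At most 32 permission names per class (one per access-vector bit); each list must end with NULL. "capability" is full — new capability bits belong in "capability2". */`. The same comment should note that this header defines, rather than declares, a global array and therefore may be included by exactly one translation unit. `"module_request"` under `"system"` and the `"tun_socket"` class have no counterpart in the generated av_permissions.h and class_to_string.h lists deleted earlier on this page; it is worth confirming those additions are intended in this commit rather than a stale base.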
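--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-TB_(common_file_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("unlink")
- S_("link")
- S_("rename")
- S_("execute")
- S_("swapon")
- S_("quotaon")
- S_("mounton")
-TE_(common_file_perm_to_string)
-
-TB_(common_socket_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("bind")
- S_("connect")
- S_("listen")
- S_("accept")
- S_("getopt")
- S_("setopt")
- S_("shutdown")
- S_("recvfrom")
- S_("sendto")
- S_("recv_msg")
- S_("send_msg")
- S_("name_bind")
-TE_(common_socket_perm_to_string)
-
-TB_(common_ipc_perm_to_string)
- S_("create")
- S_("destroy")
- S_("getattr")
- S_("setattr")
- S_("read")
- S_("write")
- S_("associate")
- S_("unix_read")
- S_("unix_write")
-TE_(common_ipc_perm_to_string)
-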
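--- a/security/selinux/include/flask.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_SECURITY 1
-#define SECCLASS_PROCESS 2
-#define SECCLASS_SYSTEM 3
-#define SECCLASS_CAPABILITY 4
-#define SECCLASS_FILESYSTEM 5
-#define SECCLASS_FILE 6
-#define SECCLASS_DIR 7
-#define SECCLASS_FD 8
-#define SECCLASS_LNK_FILE 9
-#define SECCLASS_CHR_FILE 10
-#define SECCLASS_BLK_FILE 11
-#define SECCLASS_SOCK_FILE 12
-#define SECCLASS_FIFO_FILE 13
-#define SECCLASS_SOCKET 14
-#define SECCLASS_TCP_SOCKET 15
-#define SECCLASS_UDP_SOCKET 16
-#define SECCLASS_RAWIP_SOCKET 17
-#define SECCLASS_NODE 18
-#define SECCLASS_NETIF 19
-#define SECCLASS_NETLINK_SOCKET 20
-#define SECCLASS_PACKET_SOCKET 21
-#define SECCLASS_KEY_SOCKET 22
-#define SECCLASS_UNIX_STREAM_SOCKET 23
-#define SECCLASS_UNIX_DGRAM_SOCKET 24
-#define SECCLASS_SEM 25
-#define SECCLASS_MSG 26
-#define SECCLASS_MSGQ 27
-#define SECCLASS_SHM 28
-#define SECCLASS_IPC 29
-#define SECCLASS_NETLINK_ROUTE_SOCKET 43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
-#define SECCLASS_NETLINK_NFLOG_SOCKET 46
-#define SECCLASS_NETLINK_XFRM_SOCKET 47
-#define SECCLASS_NETLINK_SELINUX_SOCKET 48
-#define SECCLASS_NETLINK_AUDIT_SOCKET 49
-#define SECCLASS_NETLINK_IP6FW_SOCKET 50
-#define SECCLASS_NETLINK_DNRT_SOCKET 51
-#define SECCLASS_ASSOCIATION 54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
-#define SECCLASS_APPLETALK_SOCKET 56
-#define SECCLASS_PACKET 57
-#define SECCLASS_KEY 58
-#define SECCLASS_DCCP_SOCKET 60
-#define SECCLASS_MEMPROTECT 61
-#define SECCLASS_PEER 68
-#define SECCLASS_CAPABILITY2 69
-#define SECCLASS_KERNEL_SERVICE 74
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_KERNEL 1
-#define SECINITSID_SECURITY 2
-#define SECINITSID_UNLABELED 3
-#define SECINITSID_FS 4
-#define SECINITSID_FILE 5
-#define SECINITSID_FILE_LABELS 6
-#define SECINITSID_INIT 7
-#define SECINITSID_ANY_SOCKET 8
-#define SECINITSID_PORT 9
-#define SECINITSID_NETIF 10
-#define SECINITSID_NETMSG 11
-#define SECINITSID_NODE 12
-#define SECINITSID_IGMP_PACKET 13
-#define SECINITSID_ICMP_SOCKET 14
-#define SECINITSID_TCP_SOCKET 15
-#define SECINITSID_SYSCTL_MODPROBE 16
-#define SECINITSID_SYSCTL 17
-#define SECINITSID_SYSCTL_FS 18
-#define SECINITSID_SYSCTL_KERNEL 19
-#define SECINITSID_SYSCTL_NET 20
-#define SECINITSID_SYSCTL_NET_UNIX 21
-#define SECINITSID_SYSCTL_VM 22
-#define SECINITSID_SYSCTL_DEV 23
-#define SECINITSID_KMOD 24
-#define SECINITSID_POLICY 25
-#define SECINITSID_SCMP_PACKET 26
-#define SECINITSID_DEVNULL 27
-
-#define SECINITSID_NUM 27
-
-#endif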
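--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -59,7 +59,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
  struct sk_buff *skb,
  u16 family,
- struct avc_audit_data *ad);
+ struct common_audit_data *ad);
 int selinux_netlbl_socket_setsockopt(struct socket *sock,
  int level,
  int optname);
@@ -129,7 +129,7 @@ static inline int selinux_netlbl_socket_post_create(struct sock *sk,
 static inline int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
  struct sk_buff *skb,
  u16 family,
- struct avc_audit_data *ad)
+ struct common_audit_data *ad)
 {
  return 0;
 }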
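--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
 #define AVD_FLAGS_PERMISSIVE 0x0001
 
 int security_compute_av(u32 ssid, u32 tsid,
  u16 tclass, u32 requested,
  struct av_decision *avd);
+
+int security_compute_av_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct av_decision *avd);
 
 int security_transition_sid(u32 ssid, u32 tsid,
  u16 tclass, u32 *out_sid);
+
+int security_transition_sid_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 *out_sid);
 
 int security_member_sid(u32 ssid, u32 tsid,
  u16 tclass, u32 *out_sid);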
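Review bot: The two new `_user` prototypes do not say how they differ from `security_compute_av` and `security_transition_sid`, and nothing in the header distinguishes them. From the selinuxfs call sites changed in this commit they appear to take the class and permission values in policy (unmapped) form rather than the kernel-mapped form the non-`_user` variants now expect, but their definitions are not in view, so that should be confirmed against services.c. A one-line comment above each would make the contract explicit for callers, e.g. `/* As security_compute_av(), but tclass/requested are policy values, not kernel-mapped ones (for selinuxfs). */` and the corresponding line for `security_transition_sid_user`.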
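--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -41,9 +41,9 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 int selinux_xfrm_sock_rcv_skb(u32 sid, struct sk_buff *skb,
- struct avc_audit_data *ad);
+ struct common_audit_data *ad);
 int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
- struct avc_audit_data *ad, u8 proto);
+ struct common_audit_data *ad, u8 proto);
 int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
 static inline void selinux_xfrm_notify_policyload(void)
@@ -57,13 +57,13 @@ static inline int selinux_xfrm_enabled(void)
 }
 
 static inline int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
- struct avc_audit_data *ad)
+ struct common_audit_data *ad)
 {
  return 0;
 }
 
 static inline int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
- struct avc_audit_data *ad, u8 proto)
+ struct common_audit_data *ad, u8 proto)
 {
  return 0;
 }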
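--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -342,7 +342,7 @@ int selinux_netlbl_socket_post_create(struct sock *sk, u16 family)
 int selinux_netlbl_sock_rcv_skb(struct sk_security_struct *sksec,
  struct sk_buff *skb,
  u16 family,
- struct avc_audit_data *ad)
+ struct common_audit_data *ad)
 {
  int rc;
  u32 nlbl_sid;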
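--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
  if (length < 0)
  goto out2;
 
- length = security_compute_av(ssid, tsid, tclass, req, &avd);
+ length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
  if (length < 0)
  goto out2;
 
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
  if (length < 0)
  goto out2;
 
- length = security_transition_sid(ssid, tsid, tclass, &newsid);
+ length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
  if (length < 0)
  goto out2;
 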
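--- a/security/selinux/ss/Makefile
+++ b/security/selinux/ss/Makefile
@@ -2,7 +2,7 @@
 # Makefile for building the SELinux security server as part of the kernel tree.
 #
 
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
 obj-y := ss.o
 
 ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o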
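--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
  }
  /* Fallthrough */
  case AVTAB_CHANGE:
- if (tclass == SECCLASS_PROCESS)
+ if (tclass == policydb.process_class)
  /* Use the process MLS attributes. */
  return mls_context_cpy(newcontext, scontext);
  else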
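--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
  ebitmap_destroy(&p->type_attr_map[i]);
  }
  kfree(p->type_attr_map);
- kfree(p->undefined_perms);
  ebitmap_destroy(&p->policycaps);
  ebitmap_destroy(&p->permissive_map);
 
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
 
 extern int ss_initialized;
 
+u16 string_to_security_class(struct policydb *p, const char *name)
+{
+ struct class_datum *cladatum;
+
+ cladatum = hashtab_search(p->p_classes.table, name);
+ if (!cladatum)
+ return 0;
+
+ return cladatum->value;
+}
+
+u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
+{
+ struct class_datum *cladatum;
+ struct perm_datum *perdatum = NULL;
+ struct common_datum *comdatum;
+
+ if (!tclass || tclass > p->p_classes.nprim)
+ return 0;
+
+ cladatum = p->class_val_to_struct[tclass-1];
+ comdatum = cladatum->comdatum;
+ if (comdatum)
+ perdatum = hashtab_search(comdatum->permissions.table,
+ name);
+ if (!perdatum)
+ perdatum = hashtab_search(cladatum->permissions.table,
+ name);
+ if (!perdatum)
+ return 0;
+
+ return 1U << (perdatum->value-1);
+}
+
 /*
  * Read the configuration data from a policy database binary
  * representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
  if (rc)
  goto bad;
 
+ p->process_class = string_to_security_class(p, "process");
+ if (!p->process_class)
+ goto bad;
+ p->process_trans_perms = string_to_av_perm(p, p->process_class,
+ "transition");
+ p->process_trans_perms |= string_to_av_perm(p, p->process_class,
+ "dyntransition");
+ if (!p->process_trans_perms)
+ goto bad;
+
  for (i = 0; i < info->ocon_num; i++) {
  rc = next_entry(buf, fp, sizeof(u32));
  if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
  goto bad;
  rt->target_class = le32_to_cpu(buf[0]);
  } else
- rt->target_class = SECCLASS_PROCESS;
+ rt->target_class = p->process_class;
  if (!policydb_type_isvalid(p, rt->source_type) ||
  !policydb_type_isvalid(p, rt->target_type) ||
  !policydb_class_isvalid(p, rt->target_class)) {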
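Review bot: `string_to_av_perm` (second hunk) shifts `1U` by `perdatum->value-1` without checking the range of `value`; `dump_masked_av_helper` in this same commit relies on `BUG_ON(pdatum->value < 1 || pdatum->value > 32)`, so the 1..32 invariant is assumed elsewhere but not enforced at this lookup. If the policy loader does not reject permission values outside that range (not visible in these hunks), a malformed policy file would turn this into a shift by 32 or more, which is undefined behaviour in C. Returning 0 — the value `selinux_set_mapping` and `policydb_read` already treat as "not defined in policy" — keeps the contract: `if (!perdatum || perdatum->value < 1 || perdatum->value > 32) return 0;`. `policydb_read` is only partly shown, so whether the new `process_class` lookup runs after the class symbol table has been fully read cannot be confirmed from the hunk.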
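--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -254,7 +254,9 @@ struct policydb {
 
  unsigned int reject_unknown : 1;
  unsigned int allow_unknown : 1;
- u32 *undefined_perms;
+
+ u16 process_class;
+ u32 process_trans_perms;
 };
 
 extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
  return 0;
 }
 
+extern u16 string_to_security_class(struct policydb *p, const char *name);
+extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
+
 #endif /* _SS_POLICYDB_H_ */
 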
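Review bot: The two new externs at the end of the header carry no contract comment, and the callers added by this commit depend on one: both functions return 0 when the name is not defined in the loaded policy (`selinux_set_mapping` and `policydb_read` test for exactly that), and `string_to_av_perm` returns the permission as an access-vector bit rather than an index. The two new `struct policydb` fields would likewise benefit from a note that they are derived from the policy at load time rather than read from the file. A short comment above the declarations would save the next reader a trip into policydb.c, e.g. `/* Look up a class / permission by name in the loaded policy; both return 0 when the name is undefined. string_to_av_perm returns the permission as an AV bit. */`.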
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 500e6f78e115..d6bb20cbad62 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -22,6 +22,11 @@
22 * 22 *
23 * Added validation of kernel classes and permissions 23 * Added validation of kernel classes and permissions
24 * 24 *
25 * Updated: KaiGai Kohei <kaigai@ak.jp.nec.com>
26 *
27 * Added support for bounds domain and audit messaged on masked permissions
28 *
29 * Copyright (C) 2008, 2009 NEC Corporation
25 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 30 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
26 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 31 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
27 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC 32 * Copyright (C) 2003 - 2004, 2006 Tresys Technology, LLC
@@ -60,16 +65,10 @@
60#include "audit.h" 65#include "audit.h"
61 66
62extern void selnl_notify_policyload(u32 seqno); 67extern void selnl_notify_policyload(u32 seqno);
63unsigned int policydb_loaded_version;
64 68
65int selinux_policycap_netpeer; 69int selinux_policycap_netpeer;
66int selinux_policycap_openperm; 70int selinux_policycap_openperm;
67 71
68/*
69 * This is declared in avc.c
70 */
71extern const struct selinux_class_perm selinux_class_perm;
72
73static DEFINE_RWLOCK(policy_rwlock); 72static DEFINE_RWLOCK(policy_rwlock);
74 73
75static struct sidtab sidtab; 74static struct sidtab sidtab;
@@ -93,6 +92,165 @@ static int context_struct_compute_av(struct context *scontext,
93 u16 tclass, 92 u16 tclass,
94 u32 requested, 93 u32 requested,
95 struct av_decision *avd); 94 struct av_decision *avd);
95
96struct selinux_mapping {
97 u16 value; /* policy value */
98 unsigned num_perms;
99 u32 perms[sizeof(u32) * 8];
100};
101
102static struct selinux_mapping *current_mapping;
103static u16 current_mapping_size;
104
105static int selinux_set_mapping(struct policydb *pol,
106 struct security_class_mapping *map,
107 struct selinux_mapping **out_map_p,
108 u16 *out_map_size)
109{
110 struct selinux_mapping *out_map = NULL;
111 size_t size = sizeof(struct selinux_mapping);
112 u16 i, j;
113 unsigned k;
114 bool print_unknown_handle = false;
115
116 /* Find number of classes in the input mapping */
117 if (!map)
118 return -EINVAL;
119 i = 0;
120 while (map[i].name)
121 i++;
122
123 /* Allocate space for the class records, plus one for class zero */
124 out_map = kcalloc(++i, size, GFP_ATOMIC);
125 if (!out_map)
126 return -ENOMEM;
127
128 /* Store the raw class and permission values */
129 j = 0;
130 while (map[j].name) {
131 struct security_class_mapping *p_in = map + (j++);
132 struct selinux_mapping *p_out = out_map + j;
133
134 /* An empty class string skips ahead */
135 if (!strcmp(p_in->name, "")) {
136 p_out->num_perms = 0;
137 continue;
138 }
139
140 p_out->value = string_to_security_class(pol, p_in->name);
141 if (!p_out->value) {
142 printk(KERN_INFO
143 "SELinux: Class %s not defined in policy.\n",
144 p_in->name);
145 if (pol->reject_unknown)
146 goto err;
147 p_out->num_perms = 0;
148 print_unknown_handle = true;
149 continue;
150 }
151
152 k = 0;
153 while (p_in->perms && p_in->perms[k]) {
154 /* An empty permission string skips ahead */
155 if (!*p_in->perms[k]) {
156 k++;
157 continue;
158 }
159 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
160 p_in->perms[k]);
161 if (!p_out->perms[k]) {
162 printk(KERN_INFO
163 "SELinux: Permission %s in class %s not defined in policy.\n",
164 p_in->perms[k], p_in->name);
165 if (pol->reject_unknown)
166 goto err;
167 print_unknown_handle = true;
168 }
169
170 k++;
171 }
172 p_out->num_perms = k;
173 }
174
175 if (print_unknown_handle)
176 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
177 pol->allow_unknown ? "allowed" : "denied");
178
179 *out_map_p = out_map;
180 *out_map_size = i;
181 return 0;
182err:
183 kfree(out_map);
184 return -EINVAL;
185}
186
187/*
188 * Get real, policy values from mapped values
189 */
190
191static u16 unmap_class(u16 tclass)
192{
193 if (tclass < current_mapping_size)
194 return current_mapping[tclass].value;
195
196 return tclass;
197}
198
199static u32 unmap_perm(u16 tclass, u32 tperm)
200{
201 if (tclass < current_mapping_size) {
202 unsigned i;
203 u32 kperm = 0;
204
205 for (i = 0; i < current_mapping[tclass].num_perms; i++)
206 if (tperm & (1<<i)) {
207 kperm |= current_mapping[tclass].perms[i];
208 tperm &= ~(1<<i);
209 }
210 return kperm;
211 }
212
213 return tperm;
214}
215
216static void map_decision(u16 tclass, struct av_decision *avd,
217 int allow_unknown)
218{
219 if (tclass < current_mapping_size) {
220 unsigned i, n = current_mapping[tclass].num_perms;
221 u32 result;
222
223 for (i = 0, result = 0; i < n; i++) {
224 if (avd->allowed & current_mapping[tclass].perms[i])
225 result |= 1<<i;
226 if (allow_unknown && !current_mapping[tclass].perms[i])
227 result |= 1<<i;
228 }
229 avd->allowed = result;
230
231 for (i = 0, result = 0; i < n; i++)
232 if (avd->auditallow & current_mapping[tclass].perms[i])
233 result |= 1<<i;
234 avd->auditallow = result;
235
236 for (i = 0, result = 0; i < n; i++) {
237 if (avd->auditdeny & current_mapping[tclass].perms[i])
238 result |= 1<<i;
239 if (!allow_unknown && !current_mapping[tclass].perms[i])
240 result |= 1<<i;
241 }
242 /*
243 * In case the kernel has a bug and requests a permission
244 * between num_perms and the maximum permission number, we
245 * should audit that denial
246 */
247 for (; i < (sizeof(u32)*8); i++)
248 result |= 1<<i;
249 avd->auditdeny = result;
250 }
251}
252
253
96/* 254/*
97 * Return the boolean value of a constraint expression 255 * Return the boolean value of a constraint expression
98 * when it is applied to the specified source and target 256 * when it is applied to the specified source and target
@@ -279,6 +437,95 @@ mls_ops:
279} 437}
280 438
281/* 439/*
440 * security_dump_masked_av - dumps masked permissions during
441 * security_compute_av due to RBAC, MLS/Constraint and Type bounds.
442 */
443static int dump_masked_av_helper(void *k, void *d, void *args)
444{
445 struct perm_datum *pdatum = d;
446 char **permission_names = args;
447
448 BUG_ON(pdatum->value < 1 || pdatum->value > 32);
449
450 permission_names[pdatum->value - 1] = (char *)k;
451
452 return 0;
453}
454
455static void security_dump_masked_av(struct context *scontext,
456 struct context *tcontext,
457 u16 tclass,
458 u32 permissions,
459 const char *reason)
460{
461 struct common_datum *common_dat;
462 struct class_datum *tclass_dat;
463 struct audit_buffer *ab;
464 char *tclass_name;
465 char *scontext_name = NULL;
466 char *tcontext_name = NULL;
467 char *permission_names[32];
468 int index, length;
469 bool need_comma = false;
470
471 if (!permissions)
472 return;
473
474 tclass_name = policydb.p_class_val_to_name[tclass - 1];
475 tclass_dat = policydb.class_val_to_struct[tclass - 1];
476 common_dat = tclass_dat->comdatum;
477
478 /* init permission_names */
479 if (common_dat &&
480 hashtab_map(common_dat->permissions.table,
481 dump_masked_av_helper, permission_names) < 0)
482 goto out;
483
484 if (hashtab_map(tclass_dat->permissions.table,
485 dump_masked_av_helper, permission_names) < 0)
486 goto out;
487
488 /* get scontext/tcontext in text form */
489 if (context_struct_to_string(scontext,
490 &scontext_name, &length) < 0)
491 goto out;
492
493 if (context_struct_to_string(tcontext,
494 &tcontext_name, &length) < 0)
495 goto out;
496
497 /* audit a message */
498 ab = audit_log_start(current->audit_context,
499 GFP_ATOMIC, AUDIT_SELINUX_ERR);
500 if (!ab)
501 goto out;
502
503 audit_log_format(ab, "op=security_compute_av reason=%s "
504 "scontext=%s tcontext=%s tclass=%s perms=",
505 reason, scontext_name, tcontext_name, tclass_name);
506
507 for (index = 0; index < 32; index++) {
508 u32 mask = (1 << index);
509
510 if ((mask & permissions) == 0)
511 continue;
512
513 audit_log_format(ab, "%s%s",
514 need_comma ? "," : "",
515 permission_names[index]
516 ? permission_names[index] : "????");
517 need_comma = true;
518 }
519 audit_log_end(ab);
520out:
521 /* release scontext/tcontext */
522 kfree(tcontext_name);
523 kfree(scontext_name);
524
525 return;
526}
527
528/*
282 * security_boundary_permission - drops violated permissions 529 * security_boundary_permission - drops violated permissions
283 * on boundary constraint. 530 * on boundary constraint.
284 */ 531 */
@@ -347,28 +594,12 @@ static void type_attribute_bounds_av(struct context *scontext,
347 } 594 }
348 595
349 if (masked) { 596 if (masked) {
350 struct audit_buffer *ab;
351 char *stype_name
352 = policydb.p_type_val_to_name[source->value - 1];
353 char *ttype_name
354 = policydb.p_type_val_to_name[target->value - 1];
355 char *tclass_name
356 = policydb.p_class_val_to_name[tclass - 1];
357
358 /* mask violated permissions */ 597 /* mask violated permissions */
359 avd->allowed &= ~masked; 598 avd->allowed &= ~masked;
360 599
361 /* notice to userspace via audit message */ 600 /* audit masked permissions */
362 ab = audit_log_start(current->audit_context, 601 security_dump_masked_av(scontext, tcontext,
363 GFP_ATOMIC, AUDIT_SELINUX_ERR); 602 tclass, masked, "bounds");
364 if (!ab)
365 return;
366
367 audit_log_format(ab, "av boundary violation: "
368 "source=%s target=%s tclass=%s",
369 stype_name, ttype_name, tclass_name);
370 avc_dump_av(ab, tclass, masked);
371 audit_log_end(ab);
372 } 603 }
373} 604}
374 605
@@ -389,21 +620,9 @@ static int context_struct_compute_av(struct context *scontext,
389 struct class_datum *tclass_datum; 620 struct class_datum *tclass_datum;
390 struct ebitmap *sattr, *tattr; 621 struct ebitmap *sattr, *tattr;
391 struct ebitmap_node *snode, *tnode; 622 struct ebitmap_node *snode, *tnode;
392 const struct selinux_class_perm *kdefs = &selinux_class_perm;
393 unsigned int i, j; 623 unsigned int i, j;
394 624
395 /* 625 /*
396 * Remap extended Netlink classes for old policy versions.
397 * Do this here rather than socket_type_to_security_class()
398 * in case a newer policy version is loaded, allowing sockets
399 * to remain in the correct class.
400 */
401 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
402 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
403 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
404 tclass = SECCLASS_NETLINK_SOCKET;
405
406 /*
407 * Initialize the access vectors to the default values. 626 * Initialize the access vectors to the default values.
408 */ 627 */
409 avd->allowed = 0; 628 avd->allowed = 0;
@@ -412,33 +631,11 @@ static int context_struct_compute_av(struct context *scontext,
412 avd->seqno = latest_granting; 631 avd->seqno = latest_granting;
413 avd->flags = 0; 632 avd->flags = 0;
414 633
415 /* 634 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
416 * Check for all the invalid cases. 635 if (printk_ratelimit())
417 * - tclass 0 636 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
418 * - tclass > policy and > kernel 637 return -EINVAL;
419 * - tclass > policy but is a userspace class 638 }
420 * - tclass > policy but we do not allow unknowns
421 */
422 if (unlikely(!tclass))
423 goto inval_class;
424 if (unlikely(tclass > policydb.p_classes.nprim))
425 if (tclass > kdefs->cts_len ||
426 !kdefs->class_to_string[tclass] ||
427 !policydb.allow_unknown)
428 goto inval_class;
429
430 /*
431 * Kernel class and we allow unknown so pad the allow decision
432 * the pad will be all 1 for unknown classes.
433 */
434 if (tclass <= kdefs->cts_len && policydb.allow_unknown)
435 avd->allowed = policydb.undefined_perms[tclass - 1];
436
437 /*
438 * Not in policy. Since decision is completed (all 1 or all 0) return.
439 */
440 if (unlikely(tclass > policydb.p_classes.nprim))
441 return 0;
442 639
443 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 640 tclass_datum = policydb.class_val_to_struct[tclass - 1];
444 641
@@ -480,7 +677,7 @@ static int context_struct_compute_av(struct context *scontext,
480 if ((constraint->permissions & (avd->allowed)) && 677 if ((constraint->permissions & (avd->allowed)) &&
481 !constraint_expr_eval(scontext, tcontext, NULL, 678 !constraint_expr_eval(scontext, tcontext, NULL,
482 constraint->expr)) { 679 constraint->expr)) {
483 avd->allowed = (avd->allowed) & ~(constraint->permissions); 680 avd->allowed &= ~(constraint->permissions);
484 } 681 }
485 constraint = constraint->next; 682 constraint = constraint->next;
486 } 683 }
@@ -490,8 +687,8 @@ static int context_struct_compute_av(struct context *scontext,
490 * role is changing, then check the (current_role, new_role) 687 * role is changing, then check the (current_role, new_role)
491 * pair. 688 * pair.
492 */ 689 */
493 if (tclass == SECCLASS_PROCESS && 690 if (tclass == policydb.process_class &&
494 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 691 (avd->allowed & policydb.process_trans_perms) &&
495 scontext->role != tcontext->role) { 692 scontext->role != tcontext->role) {
496 for (ra = policydb.role_allow; ra; ra = ra->next) { 693 for (ra = policydb.role_allow; ra; ra = ra->next) {
497 if (scontext->role == ra->role && 694 if (scontext->role == ra->role &&
@@ -499,8 +696,7 @@ static int context_struct_compute_av(struct context *scontext,
499 break; 696 break;
500 } 697 }
501 if (!ra) 698 if (!ra)
502 avd->allowed = (avd->allowed) & ~(PROCESS__TRANSITION | 699 avd->allowed &= ~policydb.process_trans_perms;
503 PROCESS__DYNTRANSITION);
504 } 700 }
505 701
506 /* 702 /*
@@ -512,21 +708,6 @@ static int context_struct_compute_av(struct context *scontext,
512 tclass, requested, avd); 708 tclass, requested, avd);
513 709
514 return 0; 710 return 0;
515
516inval_class:
517 if (!tclass || tclass > kdefs->cts_len ||
518 !kdefs->class_to_string[tclass]) {
519 if (printk_ratelimit())
520 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
521 __func__, tclass);
522 return -EINVAL;
523 }
524
525 /*
526 * Known to the kernel, but not to the policy.
527 * Handle as a denial (allowed is 0).
528 */
529 return 0;
530} 711}
531 712
532static int security_validtrans_handle_fail(struct context *ocontext, 713static int security_validtrans_handle_fail(struct context *ocontext,
@@ -558,13 +739,14 @@ out:
558} 739}
559 740
560int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 741int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
561 u16 tclass) 742 u16 orig_tclass)
562{ 743{
563 struct context *ocontext; 744 struct context *ocontext;
564 struct context *ncontext; 745 struct context *ncontext;
565 struct context *tcontext; 746 struct context *tcontext;
566 struct class_datum *tclass_datum; 747 struct class_datum *tclass_datum;
567 struct constraint_node *constraint; 748 struct constraint_node *constraint;
749 u16 tclass;
568 int rc = 0; 750 int rc = 0;
569 751
570 if (!ss_initialized) 752 if (!ss_initialized)
@@ -572,16 +754,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
572 754
573 read_lock(&policy_rwlock); 755 read_lock(&policy_rwlock);
574 756
575 /* 757 tclass = unmap_class(orig_tclass);
576 * Remap extended Netlink classes for old policy versions.
577 * Do this here rather than socket_type_to_security_class()
578 * in case a newer policy version is loaded, allowing sockets
579 * to remain in the correct class.
580 */
581 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
582 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
583 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
584 tclass = SECCLASS_NETLINK_SOCKET;
585 758
586 if (!tclass || tclass > policydb.p_classes.nprim) { 759 if (!tclass || tclass > policydb.p_classes.nprim) {
587 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 760 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -687,6 +860,26 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
687 } 860 }
688 index = type->bounds; 861 index = type->bounds;
689 } 862 }
863
864 if (rc) {
865 char *old_name = NULL;
866 char *new_name = NULL;
867 int length;
868
869 if (!context_struct_to_string(old_context,
870 &old_name, &length) &&
871 !context_struct_to_string(new_context,
872 &new_name, &length)) {
873 audit_log(current->audit_context,
874 GFP_ATOMIC, AUDIT_SELINUX_ERR,
875 "op=security_bounded_transition "
876 "result=denied "
877 "oldcontext=%s newcontext=%s",
878 old_name, new_name);
879 }
880 kfree(new_name);
881 kfree(old_name);
882 }
690out: 883out:
691 read_unlock(&policy_rwlock); 884 read_unlock(&policy_rwlock);
692 885
@@ -694,6 +887,38 @@ out:
694} 887}
695 888
696 889
890static int security_compute_av_core(u32 ssid,
891 u32 tsid,
892 u16 tclass,
893 u32 requested,
894 struct av_decision *avd)
895{
896 struct context *scontext = NULL, *tcontext = NULL;
897 int rc = 0;
898
899 scontext = sidtab_search(&sidtab, ssid);
900 if (!scontext) {
901 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
902 __func__, ssid);
903 return -EINVAL;
904 }
905 tcontext = sidtab_search(&sidtab, tsid);
906 if (!tcontext) {
907 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
908 __func__, tsid);
909 return -EINVAL;
910 }
911
912 rc = context_struct_compute_av(scontext, tcontext, tclass,
913 requested, avd);
914
915 /* permissive domain? */
916 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
917 avd->flags |= AVD_FLAGS_PERMISSIVE;
918
919 return rc;
920}
921
697/** 922/**
698 * security_compute_av - Compute access vector decisions. 923 * security_compute_av - Compute access vector decisions.
699 * @ssid: source security identifier 924 * @ssid: source security identifier
@@ -709,12 +934,49 @@ out:
709 */ 934 */
710int security_compute_av(u32 ssid, 935int security_compute_av(u32 ssid,
711 u32 tsid, 936 u32 tsid,
712 u16 tclass, 937 u16 orig_tclass,
713 u32 requested, 938 u32 orig_requested,
714 struct av_decision *avd) 939 struct av_decision *avd)
715{ 940{
716 struct context *scontext = NULL, *tcontext = NULL; 941 u16 tclass;
717 int rc = 0; 942 u32 requested;
943 int rc;
944
945 read_lock(&policy_rwlock);
946
947 if (!ss_initialized)
948 goto allow;
949
950 requested = unmap_perm(orig_tclass, orig_requested);
951 tclass = unmap_class(orig_tclass);
952 if (unlikely(orig_tclass && !tclass)) {
953 if (policydb.allow_unknown)
954 goto allow;
955 rc = -EINVAL;
956 goto out;
957 }
958 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
959 map_decision(orig_tclass, avd, policydb.allow_unknown);
960out:
961 read_unlock(&policy_rwlock);
962 return rc;
963allow:
964 avd->allowed = 0xffffffff;
965 avd->auditallow = 0;
966 avd->auditdeny = 0xffffffff;
967 avd->seqno = latest_granting;
968 avd->flags = 0;
969 rc = 0;
970 goto out;
971}
972
973int security_compute_av_user(u32 ssid,
974 u32 tsid,
975 u16 tclass,
976 u32 requested,
977 struct av_decision *avd)
978{
979 int rc;
718 980
719 if (!ss_initialized) { 981 if (!ss_initialized) {
720 avd->allowed = 0xffffffff; 982 avd->allowed = 0xffffffff;
@@ -725,29 +987,7 @@ int security_compute_av(u32 ssid,
725 } 987 }
726 988
727 read_lock(&policy_rwlock); 989 read_lock(&policy_rwlock);
728 990 rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
729 scontext = sidtab_search(&sidtab, ssid);
730 if (!scontext) {
731 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
732 __func__, ssid);
733 rc = -EINVAL;
734 goto out;
735 }
736 tcontext = sidtab_search(&sidtab, tsid);
737 if (!tcontext) {
738 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
739 __func__, tsid);
740 rc = -EINVAL;
741 goto out;
742 }
743
744 rc = context_struct_compute_av(scontext, tcontext, tclass,
745 requested, avd);
746
747 /* permissive domain? */
748 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
749 avd->flags |= AVD_FLAGS_PERMISSIVE;
750out:
751 read_unlock(&policy_rwlock); 991 read_unlock(&policy_rwlock);
752 return rc; 992 return rc;
753} 993}
@@ -1106,20 +1346,22 @@ out:
1106 1346
1107static int security_compute_sid(u32 ssid, 1347static int security_compute_sid(u32 ssid,
1108 u32 tsid, 1348 u32 tsid,
1109 u16 tclass, 1349 u16 orig_tclass,
1110 u32 specified, 1350 u32 specified,
1111 u32 *out_sid) 1351 u32 *out_sid,
1352 bool kern)
1112{ 1353{
1113 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1354 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1114 struct role_trans *roletr = NULL; 1355 struct role_trans *roletr = NULL;
1115 struct avtab_key avkey; 1356 struct avtab_key avkey;
1116 struct avtab_datum *avdatum; 1357 struct avtab_datum *avdatum;
1117 struct avtab_node *node; 1358 struct avtab_node *node;
1359 u16 tclass;
1118 int rc = 0; 1360 int rc = 0;
1119 1361
1120 if (!ss_initialized) { 1362 if (!ss_initialized) {
1121 switch (tclass) { 1363 switch (orig_tclass) {
1122 case SECCLASS_PROCESS: 1364 case SECCLASS_PROCESS: /* kernel value */
1123 *out_sid = ssid; 1365 *out_sid = ssid;
1124 break; 1366 break;
1125 default: 1367 default:
@@ -1133,6 +1375,11 @@ static int security_compute_sid(u32 ssid,
1133 1375
1134 read_lock(&policy_rwlock); 1376 read_lock(&policy_rwlock);
1135 1377
1378 if (kern)
1379 tclass = unmap_class(orig_tclass);
1380 else
1381 tclass = orig_tclass;
1382
1136 scontext = sidtab_search(&sidtab, ssid); 1383 scontext = sidtab_search(&sidtab, ssid);
1137 if (!scontext) { 1384 if (!scontext) {
1138 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1385 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1162,13 +1409,11 @@ static int security_compute_sid(u32 ssid,
1162 } 1409 }
1163 1410
1164 /* Set the role and type to default values. */ 1411 /* Set the role and type to default values. */
1165 switch (tclass) { 1412 if (tclass == policydb.process_class) {
1166 case SECCLASS_PROCESS:
1167 /* Use the current role and type of process. */ 1413 /* Use the current role and type of process. */
1168 newcontext.role = scontext->role; 1414 newcontext.role = scontext->role;
1169 newcontext.type = scontext->type; 1415 newcontext.type = scontext->type;
1170 break; 1416 } else {
1171 default:
1172 /* Use the well-defined object role. */ 1417 /* Use the well-defined object role. */
1173 newcontext.role = OBJECT_R_VAL; 1418 newcontext.role = OBJECT_R_VAL;
1174 /* Use the type of the related object. */ 1419 /* Use the type of the related object. */
@@ -1199,8 +1444,7 @@ static int security_compute_sid(u32 ssid,
1199 } 1444 }
1200 1445
1201 /* Check for class-specific changes. */ 1446 /* Check for class-specific changes. */
1202 switch (tclass) { 1447 if (tclass == policydb.process_class) {
1203 case SECCLASS_PROCESS:
1204 if (specified & AVTAB_TRANSITION) { 1448 if (specified & AVTAB_TRANSITION) {
1205 /* Look for a role transition rule. */ 1449 /* Look for a role transition rule. */
1206 for (roletr = policydb.role_tr; roletr; 1450 for (roletr = policydb.role_tr; roletr;
@@ -1213,9 +1457,6 @@ static int security_compute_sid(u32 ssid,
1213 } 1457 }
1214 } 1458 }
1215 } 1459 }
1216 break;
1217 default:
1218 break;
1219 } 1460 }
1220 1461
1221 /* Set the MLS attributes. 1462 /* Set the MLS attributes.
@@ -1260,7 +1501,17 @@ int security_transition_sid(u32 ssid,
1260 u16 tclass, 1501 u16 tclass,
1261 u32 *out_sid) 1502 u32 *out_sid)
1262{ 1503{
1263 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1504 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1505 out_sid, true);
1506}
1507
1508int security_transition_sid_user(u32 ssid,
1509 u32 tsid,
1510 u16 tclass,
1511 u32 *out_sid)
1512{
1513 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1514 out_sid, false);
1264} 1515}
1265 1516
1266/** 1517/**
@@ -1281,7 +1532,8 @@ int security_member_sid(u32 ssid,
1281 u16 tclass, 1532 u16 tclass,
1282 u32 *out_sid) 1533 u32 *out_sid)
1283{ 1534{
1284 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1535 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1536 false);
1285} 1537}
1286 1538
1287/** 1539/**
@@ -1302,144 +1554,8 @@ int security_change_sid(u32 ssid,
1302 u16 tclass, 1554 u16 tclass,
1303 u32 *out_sid) 1555 u32 *out_sid)
1304{ 1556{
1305 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1557 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1306} 1558 false);
1307
1308/*
1309 * Verify that each kernel class that is defined in the
1310 * policy is correct
1311 */
1312static int validate_classes(struct policydb *p)
1313{
1314 int i, j;
1315 struct class_datum *cladatum;
1316 struct perm_datum *perdatum;
1317 u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1318 u16 class_val;
1319 const struct selinux_class_perm *kdefs = &selinux_class_perm;
1320 const char *def_class, *def_perm, *pol_class;
1321 struct symtab *perms;
1322 bool print_unknown_handle = 0;
1323
1324 if (p->allow_unknown) {
1325 u32 num_classes = kdefs->cts_len;
1326 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1327 if (!p->undefined_perms)
1328 return -ENOMEM;
1329 }
1330
1331 for (i = 1; i < kdefs->cts_len; i++) {
1332 def_class = kdefs->class_to_string[i];
1333 if (!def_class)
1334 continue;
1335 if (i > p->p_classes.nprim) {
1336 printk(KERN_INFO
1337 "SELinux: class %s not defined in policy\n",
1338 def_class);
1339 if (p->reject_unknown)
1340 return -EINVAL;
1341 if (p->allow_unknown)
1342 p->undefined_perms[i-1] = ~0U;
1343 print_unknown_handle = 1;
1344 continue;
1345 }
1346 pol_class = p->p_class_val_to_name[i-1];
1347 if (strcmp(pol_class, def_class)) {
1348 printk(KERN_ERR
1349 "SELinux: class %d is incorrect, found %s but should be %s\n",
1350 i, pol_class, def_class);
1351 return -EINVAL;
1352 }
1353 }
1354 for (i = 0; i < kdefs->av_pts_len; i++) {
1355 class_val = kdefs->av_perm_to_string[i].tclass;
1356 perm_val = kdefs->av_perm_to_string[i].value;
1357 def_perm = kdefs->av_perm_to_string[i].name;
1358 if (class_val > p->p_classes.nprim)
1359 continue;
1360 pol_class = p->p_class_val_to_name[class_val-1];
1361 cladatum = hashtab_search(p->p_classes.table, pol_class);
1362 BUG_ON(!cladatum);
1363 perms = &cladatum->permissions;
1364 nprim = 1 << (perms->nprim - 1);
1365 if (perm_val > nprim) {
1366 printk(KERN_INFO
1367 "SELinux: permission %s in class %s not defined in policy\n",
1368 def_perm, pol_class);
1369 if (p->reject_unknown)
1370 return -EINVAL;
1371 if (p->allow_unknown)
1372 p->undefined_perms[class_val-1] |= perm_val;
1373 print_unknown_handle = 1;
1374 continue;
1375 }
1376 perdatum = hashtab_search(perms->table, def_perm);
1377 if (perdatum == NULL) {
1378 printk(KERN_ERR
1379 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1380 def_perm, pol_class);
1381 return -EINVAL;
1382 }
1383 pol_val = 1 << (perdatum->value - 1);
1384 if (pol_val != perm_val) {
1385 printk(KERN_ERR
1386 "SELinux: permission %s in class %s has incorrect value\n",
1387 def_perm, pol_class);
1388 return -EINVAL;
1389 }
1390 }
1391 for (i = 0; i < kdefs->av_inherit_len; i++) {
1392 class_val = kdefs->av_inherit[i].tclass;
1393 if (class_val > p->p_classes.nprim)
1394 continue;
1395 pol_class = p->p_class_val_to_name[class_val-1];
1396 cladatum = hashtab_search(p->p_classes.table, pol_class);
1397 BUG_ON(!cladatum);
1398 if (!cladatum->comdatum) {
1399 printk(KERN_ERR
1400 "SELinux: class %s should have an inherits clause but does not\n",
1401 pol_class);
1402 return -EINVAL;
1403 }
1404 tmp = kdefs->av_inherit[i].common_base;
1405 common_pts_len = 0;
1406 while (!(tmp & 0x01)) {
1407 common_pts_len++;
1408 tmp >>= 1;
1409 }
1410 perms = &cladatum->comdatum->permissions;
1411 for (j = 0; j < common_pts_len; j++) {
1412 def_perm = kdefs->av_inherit[i].common_pts[j];
1413 if (j >= perms->nprim) {
1414 printk(KERN_INFO
1415 "SELinux: permission %s in class %s not defined in policy\n",
1416 def_perm, pol_class);
1417 if (p->reject_unknown)
1418 return -EINVAL;
1419 if (p->allow_unknown)
1420 p->undefined_perms[class_val-1] |= (1 << j);
1421 print_unknown_handle = 1;
1422 continue;
1423 }
1424 perdatum = hashtab_search(perms->table, def_perm);
1425 if (perdatum == NULL) {
1426 printk(KERN_ERR
1427 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1428 def_perm, pol_class);
1429 return -EINVAL;
1430 }
1431 if (perdatum->value != j + 1) {
1432 printk(KERN_ERR
1433 "SELinux: permission %s in class %s has incorrect value\n",
1434 def_perm, pol_class);
1435 return -EINVAL;
1436 }
1437 }
1438 }
1439 if (print_unknown_handle)
1440 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1441 (security_get_allow_unknown() ? "allowed" : "denied"));
1442 return 0;
1443} 1559}
1444 1560
1445/* Clone the SID into the new SID table. */ 1561/* Clone the SID into the new SID table. */
@@ -1612,8 +1728,10 @@ int security_load_policy(void *data, size_t len)
1612{ 1728{
1613 struct policydb oldpolicydb, newpolicydb; 1729 struct policydb oldpolicydb, newpolicydb;
1614 struct sidtab oldsidtab, newsidtab; 1730 struct sidtab oldsidtab, newsidtab;
1731 struct selinux_mapping *oldmap, *map = NULL;
1615 struct convert_context_args args; 1732 struct convert_context_args args;
1616 u32 seqno; 1733 u32 seqno;
1734 u16 map_size;
1617 int rc = 0; 1735 int rc = 0;
1618 struct policy_file file = { data, len }, *fp = &file; 1736 struct policy_file file = { data, len }, *fp = &file;
1619 1737
@@ -1623,22 +1741,19 @@ int security_load_policy(void *data, size_t len)
1623 avtab_cache_destroy(); 1741 avtab_cache_destroy();
1624 return -EINVAL; 1742 return -EINVAL;
1625 } 1743 }
1626 if (policydb_load_isids(&policydb, &sidtab)) { 1744 if (selinux_set_mapping(&policydb, secclass_map,
1745 &current_mapping,
1746 &current_mapping_size)) {
1627 policydb_destroy(&policydb); 1747 policydb_destroy(&policydb);
1628 avtab_cache_destroy(); 1748 avtab_cache_destroy();
1629 return -EINVAL; 1749 return -EINVAL;
1630 } 1750 }
1631 /* Verify that the kernel defined classes are correct. */ 1751 if (policydb_load_isids(&policydb, &sidtab)) {
1632 if (validate_classes(&policydb)) {
1633 printk(KERN_ERR
1634 "SELinux: the definition of a class is incorrect\n");
1635 sidtab_destroy(&sidtab);
1636 policydb_destroy(&policydb); 1752 policydb_destroy(&policydb);
1637 avtab_cache_destroy(); 1753 avtab_cache_destroy();
1638 return -EINVAL; 1754 return -EINVAL;
1639 } 1755 }
1640 security_load_policycaps(); 1756 security_load_policycaps();
1641 policydb_loaded_version = policydb.policyvers;
1642 ss_initialized = 1; 1757 ss_initialized = 1;
1643 seqno = ++latest_granting; 1758 seqno = ++latest_granting;
1644 selinux_complete_init(); 1759 selinux_complete_init();
@@ -1661,13 +1776,9 @@ int security_load_policy(void *data, size_t len)
1661 return -ENOMEM; 1776 return -ENOMEM;
1662 } 1777 }
1663 1778
1664 /* Verify that the kernel defined classes are correct. */ 1779 if (selinux_set_mapping(&newpolicydb, secclass_map,
1665 if (validate_classes(&newpolicydb)) { 1780 &map, &map_size))
1666 printk(KERN_ERR
1667 "SELinux: the definition of a class is incorrect\n");
1668 rc = -EINVAL;
1669 goto err; 1781 goto err;
1670 }
1671 1782
1672 rc = security_preserve_bools(&newpolicydb); 1783 rc = security_preserve_bools(&newpolicydb);
1673 if (rc) { 1784 if (rc) {
@@ -1701,13 +1812,16 @@ int security_load_policy(void *data, size_t len)
1701 memcpy(&policydb, &newpolicydb, sizeof policydb); 1812 memcpy(&policydb, &newpolicydb, sizeof policydb);
1702 sidtab_set(&sidtab, &newsidtab); 1813 sidtab_set(&sidtab, &newsidtab);
1703 security_load_policycaps(); 1814 security_load_policycaps();
1815 oldmap = current_mapping;
1816 current_mapping = map;
1817 current_mapping_size = map_size;
1704 seqno = ++latest_granting; 1818 seqno = ++latest_granting;
1705 policydb_loaded_version = policydb.policyvers;
1706 write_unlock_irq(&policy_rwlock); 1819 write_unlock_irq(&policy_rwlock);
1707 1820
1708 /* Free the old policydb and SID table. */ 1821 /* Free the old policydb and SID table. */
1709 policydb_destroy(&oldpolicydb); 1822 policydb_destroy(&oldpolicydb);
1710 sidtab_destroy(&oldsidtab); 1823 sidtab_destroy(&oldsidtab);
1824 kfree(oldmap);
1711 1825
1712 avc_ss_reset(seqno); 1826 avc_ss_reset(seqno);
1713 selnl_notify_policyload(seqno); 1827 selnl_notify_policyload(seqno);
@@ -1717,6 +1831,7 @@ int security_load_policy(void *data, size_t len)
1717 return 0; 1831 return 0;
1718 1832
1719err: 1833err:
1834 kfree(map);
1720 sidtab_destroy(&newsidtab); 1835 sidtab_destroy(&newsidtab);
1721 policydb_destroy(&newpolicydb); 1836 policydb_destroy(&newpolicydb);
1722 return rc; 1837 return rc;
@@ -1993,7 +2108,7 @@ out_unlock:
1993 } 2108 }
1994 for (i = 0, j = 0; i < mynel; i++) { 2109 for (i = 0, j = 0; i < mynel; i++) {
1995 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2110 rc = avc_has_perm_noaudit(fromsid, mysids[i],
1996 SECCLASS_PROCESS, 2111 SECCLASS_PROCESS, /* kernel value */
1997 PROCESS__TRANSITION, AVC_STRICT, 2112 PROCESS__TRANSITION, AVC_STRICT,
1998 NULL); 2113 NULL);
1999 if (!rc) 2114 if (!rc)
@@ -2021,10 +2136,11 @@ out:
2021 */ 2136 */
2022int security_genfs_sid(const char *fstype, 2137int security_genfs_sid(const char *fstype,
2023 char *path, 2138 char *path,
2024 u16 sclass, 2139 u16 orig_sclass,
2025 u32 *sid) 2140 u32 *sid)
2026{ 2141{
2027 int len; 2142 int len;
2143 u16 sclass;
2028 struct genfs *genfs; 2144 struct genfs *genfs;
2029 struct ocontext *c; 2145 struct ocontext *c;
2030 int rc = 0, cmp = 0; 2146 int rc = 0, cmp = 0;
@@ -2034,6 +2150,8 @@ int security_genfs_sid(const char *fstype,
2034 2150
2035 read_lock(&policy_rwlock); 2151 read_lock(&policy_rwlock);
2036 2152
2153 sclass = unmap_class(orig_sclass);
2154
2037 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2155 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2038 cmp = strcmp(fstype, genfs->fstype); 2156 cmp = strcmp(fstype, genfs->fstype);
2039 if (cmp <= 0) 2157 if (cmp <= 0)
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 72b18452e1a1..f3cb9ed731a9 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -401,7 +401,7 @@ int selinux_xfrm_state_delete(struct xfrm_state *x)
401 * gone thru the IPSec process. 401 * gone thru the IPSec process.
402 */ 402 */
403int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb, 403int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
404 struct avc_audit_data *ad) 404 struct common_audit_data *ad)
405{ 405{
406 int i, rc = 0; 406 int i, rc = 0;
407 struct sec_path *sp; 407 struct sec_path *sp;
@@ -442,7 +442,7 @@ int selinux_xfrm_sock_rcv_skb(u32 isec_sid, struct sk_buff *skb,
442 * checked in the selinux_xfrm_state_pol_flow_match hook above. 442 * checked in the selinux_xfrm_state_pol_flow_match hook above.
443 */ 443 */
444int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb, 444int selinux_xfrm_postroute_last(u32 isec_sid, struct sk_buff *skb,
445 struct avc_audit_data *ad, u8 proto) 445 struct common_audit_data *ad, u8 proto)
446{ 446{
447 struct dst_entry *dst; 447 struct dst_entry *dst;
448 int rc = 0; 448 int rc = 0;