aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'security/selinux')
-rw-r--r--security/selinux/.gitignore2
-rw-r--r--security/selinux/Makefile10
-rw-r--r--security/selinux/avc.c100
-rw-r--r--security/selinux/hooks.c70
-rw-r--r--security/selinux/include/av_inherit.h34
-rw-r--r--security/selinux/include/av_perm_to_string.h183
-rw-r--r--security/selinux/include/av_permissions.h870
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h80
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h91
-rw-r--r--security/selinux/include/security.h16
-rw-r--r--security/selinux/netlabel.c2
-rw-r--r--security/selinux/selinuxfs.c14
-rw-r--r--security/selinux/ss/Makefile2
-rw-r--r--security/selinux/ss/context.h12
-rw-r--r--security/selinux/ss/ebitmap.c2
-rw-r--r--security/selinux/ss/mls.c50
-rw-r--r--security/selinux/ss/mls.h2
-rw-r--r--security/selinux/ss/mls_types.h7
-rw-r--r--security/selinux/ss/policydb.c174
-rw-r--r--security/selinux/ss/policydb.h17
-rw-r--r--security/selinux/ss/services.c665
24 files changed, 760 insertions, 1872 deletions
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 000000000000..2e5040a3d48b
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
1av_permissions.h
2flask.h
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index d47fc5e545e0..f013982df417 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
18 18
19selinux-$(CONFIG_NETLABEL) += netlabel.o 19selinux-$(CONFIG_NETLABEL) += netlabel.o
20 20
21EXTRA_CFLAGS += -Isecurity/selinux/include 21EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
22 22
23$(obj)/avc.o: $(obj)/flask.h
24
25quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
26 cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
27
28targets += flask.h
29$(obj)/flask.h: $(src)/include/classmap.h FORCE
30 $(call if_changed,flask)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b4b5da1c0a42..db0fd9f33499 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
31#include <net/ipv6.h> 31#include <net/ipv6.h>
32#include "avc.h" 32#include "avc.h"
33#include "avc_ss.h" 33#include "avc_ss.h"
34 34#include "classmap.h"
35static const struct av_perm_to_string av_perm_to_string[] = {
36#define S_(c, v, s) { c, v, s },
37#include "av_perm_to_string.h"
38#undef S_
39};
40
41static const char *class_to_string[] = {
42#define S_(s) s,
43#include "class_to_string.h"
44#undef S_
45};
46
47#define TB_(s) static const char *s[] = {
48#define TE_(s) };
49#define S_(s) s,
50#include "common_perm_to_string.h"
51#undef TB_
52#undef TE_
53#undef S_
54
55static const struct av_inherit av_inherit[] = {
56#define S_(c, i, b) { .tclass = c,\
57 .common_pts = common_##i##_perm_to_string,\
58 .common_base = b },
59#include "av_inherit.h"
60#undef S_
61};
62
63const struct selinux_class_perm selinux_class_perm = {
64 .av_perm_to_string = av_perm_to_string,
65 .av_pts_len = ARRAY_SIZE(av_perm_to_string),
66 .class_to_string = class_to_string,
67 .cts_len = ARRAY_SIZE(class_to_string),
68 .av_inherit = av_inherit,
69 .av_inherit_len = ARRAY_SIZE(av_inherit)
70};
71 35
72#define AVC_CACHE_SLOTS 512 36#define AVC_CACHE_SLOTS 512
73#define AVC_DEF_CACHE_THRESHOLD 512 37#define AVC_DEF_CACHE_THRESHOLD 512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
139 */ 103 */
140static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) 104static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
141{ 105{
142 const char **common_pts = NULL; 106 const char **perms;
143 u32 common_base = 0; 107 int i, perm;
144 int i, i2, perm;
145 108
146 if (av == 0) { 109 if (av == 0) {
147 audit_log_format(ab, " null"); 110 audit_log_format(ab, " null");
148 return; 111 return;
149 } 112 }
150 113
151 for (i = 0; i < ARRAY_SIZE(av_inherit); i++) { 114 perms = secclass_map[tclass-1].perms;
152 if (av_inherit[i].tclass == tclass) {
153 common_pts = av_inherit[i].common_pts;
154 common_base = av_inherit[i].common_base;
155 break;
156 }
157 }
158 115
159 audit_log_format(ab, " {"); 116 audit_log_format(ab, " {");
160 i = 0; 117 i = 0;
161 perm = 1; 118 perm = 1;
162 while (perm < common_base) { 119 while (i < (sizeof(av) * 8)) {
163 if (perm & av) { 120 if ((perm & av) && perms[i]) {
164 audit_log_format(ab, " %s", common_pts[i]); 121 audit_log_format(ab, " %s", perms[i]);
165 av &= ~perm; 122 av &= ~perm;
166 } 123 }
167 i++; 124 i++;
168 perm <<= 1; 125 perm <<= 1;
169 } 126 }
170 127
171 while (i < sizeof(av) * 8) {
172 if (perm & av) {
173 for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
174 if ((av_perm_to_string[i2].tclass == tclass) &&
175 (av_perm_to_string[i2].value == perm))
176 break;
177 }
178 if (i2 < ARRAY_SIZE(av_perm_to_string)) {
179 audit_log_format(ab, " %s",
180 av_perm_to_string[i2].name);
181 av &= ~perm;
182 }
183 }
184 i++;
185 perm <<= 1;
186 }
187
188 if (av) 128 if (av)
189 audit_log_format(ab, " 0x%x", av); 129 audit_log_format(ab, " 0x%x", av);
190 130
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
219 kfree(scontext); 159 kfree(scontext);
220 } 160 }
221 161
222 BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]); 162 BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
223 audit_log_format(ab, " tclass=%s", class_to_string[tclass]); 163 audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
224} 164}
225 165
226/** 166/**
@@ -549,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid,
549 struct common_audit_data stack_data; 489 struct common_audit_data stack_data;
550 u32 denied, audited; 490 u32 denied, audited;
551 denied = requested & ~avd->allowed; 491 denied = requested & ~avd->allowed;
552 if (denied) { 492 if (denied)
553 audited = denied; 493 audited = denied & avd->auditdeny;
554 if (!(audited & avd->auditdeny)) 494 else if (result)
555 return;
556 } else if (result) {
557 audited = denied = requested; 495 audited = denied = requested;
558 } else { 496 else
559 audited = requested; 497 audited = requested & avd->auditallow;
560 if (!(audited & avd->auditallow)) 498 if (!audited)
561 return; 499 return;
562 }
563 if (!a) { 500 if (!a) {
564 a = &stack_data; 501 a = &stack_data;
565 memset(a, 0, sizeof(*a)); 502 memset(a, 0, sizeof(*a));
@@ -806,9 +743,7 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
806 else 743 else
807 avd = &avd_entry; 744 avd = &avd_entry;
808 745
809 rc = security_compute_av(ssid, tsid, tclass, requested, avd); 746 security_compute_av(ssid, tsid, tclass, avd);
810 if (rc)
811 goto out;
812 rcu_read_lock(); 747 rcu_read_lock();
813 node = avc_insert(ssid, tsid, tclass, avd); 748 node = avc_insert(ssid, tsid, tclass, avd);
814 } else { 749 } else {
@@ -830,7 +765,6 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
830 } 765 }
831 766
832 rcu_read_unlock(); 767 rcu_read_unlock();
833out:
834 return rc; 768 return rc;
835} 769}
836 770
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..5feecb41009d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -76,6 +76,7 @@
76#include <linux/selinux.h> 76#include <linux/selinux.h>
77#include <linux/mutex.h> 77#include <linux/mutex.h>
78#include <linux/posix-timers.h> 78#include <linux/posix-timers.h>
79#include <linux/syslog.h>
79 80
80#include "avc.h" 81#include "avc.h"
81#include "objsec.h" 82#include "objsec.h"
@@ -91,7 +92,6 @@
91 92
92#define NUM_SEL_MNT_OPTS 5 93#define NUM_SEL_MNT_OPTS 5
93 94
94extern unsigned int policydb_loaded_version;
95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 95extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96extern struct security_operations *security_ops; 96extern struct security_operations *security_ops;
97 97
@@ -126,13 +126,6 @@ __setup("selinux=", selinux_enabled_setup);
126int selinux_enabled = 1; 126int selinux_enabled = 1;
127#endif 127#endif
128 128
129
130/*
131 * Minimal support for a secondary security module,
132 * just to allow the use of the capability module.
133 */
134static struct security_operations *secondary_ops;
135
136/* Lists of inode and superblock security structures initialized 129/* Lists of inode and superblock security structures initialized
137 before the policy was loaded. */ 130 before the policy was loaded. */
138static LIST_HEAD(superblock_security_head); 131static LIST_HEAD(superblock_security_head);
@@ -2050,29 +2043,30 @@ static int selinux_quota_on(struct dentry *dentry)
2050 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON); 2043 return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2051} 2044}
2052 2045
2053static int selinux_syslog(int type) 2046static int selinux_syslog(int type, bool from_file)
2054{ 2047{
2055 int rc; 2048 int rc;
2056 2049
2057 rc = cap_syslog(type); 2050 rc = cap_syslog(type, from_file);
2058 if (rc) 2051 if (rc)
2059 return rc; 2052 return rc;
2060 2053
2061 switch (type) { 2054 switch (type) {
2062 case 3: /* Read last kernel messages */ 2055 case SYSLOG_ACTION_READ_ALL: /* Read last kernel messages */
2063 case 10: /* Return size of the log buffer */ 2056 case SYSLOG_ACTION_SIZE_BUFFER: /* Return size of the log buffer */
2064 rc = task_has_system(current, SYSTEM__SYSLOG_READ); 2057 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2065 break; 2058 break;
2066 case 6: /* Disable logging to console */ 2059 case SYSLOG_ACTION_CONSOLE_OFF: /* Disable logging to console */
2067 case 7: /* Enable logging to console */ 2060 case SYSLOG_ACTION_CONSOLE_ON: /* Enable logging to console */
2068 case 8: /* Set level of messages printed to console */ 2061 /* Set level of messages printed to console */
2062 case SYSLOG_ACTION_CONSOLE_LEVEL:
2069 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE); 2063 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2070 break; 2064 break;
2071 case 0: /* Close log */ 2065 case SYSLOG_ACTION_CLOSE: /* Close log */
2072 case 1: /* Open log */ 2066 case SYSLOG_ACTION_OPEN: /* Open log */
2073 case 2: /* Read from log */ 2067 case SYSLOG_ACTION_READ: /* Read from log */
2074 case 4: /* Read/clear last kernel messages */ 2068 case SYSLOG_ACTION_READ_CLEAR: /* Read/clear last kernel messages */
2075 case 5: /* Clear ring buffer */ 2069 case SYSLOG_ACTION_CLEAR: /* Clear ring buffer */
2076 default: 2070 default:
2077 rc = task_has_system(current, SYSTEM__SYSLOG_MOD); 2071 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2078 break; 2072 break;
@@ -2366,7 +2360,7 @@ static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2366 initrlim = init_task.signal->rlim + i; 2360 initrlim = init_task.signal->rlim + i;
2367 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur); 2361 rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2368 } 2362 }
2369 update_rlimit_cpu(rlim->rlim_cur); 2363 update_rlimit_cpu(current->signal->rlim[RLIMIT_CPU].rlim_cur);
2370 } 2364 }
2371} 2365}
2372 2366
@@ -3335,12 +3329,21 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3335 3329
3336 if (ret == 0) 3330 if (ret == 0)
3337 tsec->create_sid = isec->sid; 3331 tsec->create_sid = isec->sid;
3338 return 0; 3332 return ret;
3339} 3333}
3340 3334
3341static int selinux_kernel_module_request(void) 3335static int selinux_kernel_module_request(char *kmod_name)
3342{ 3336{
3343 return task_has_system(current, SYSTEM__MODULE_REQUEST); 3337 u32 sid;
3338 struct common_audit_data ad;
3339
3340 sid = task_sid(current);
3341
3342 COMMON_AUDIT_DATA_INIT(&ad, KMOD);
3343 ad.u.kmod_name = kmod_name;
3344
3345 return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
3346 SYSTEM__MODULE_REQUEST, &ad);
3344} 3347}
3345 3348
3346static int selinux_task_setpgid(struct task_struct *p, pid_t pgid) 3349static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
@@ -4085,7 +4088,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4085 char *addrp; 4088 char *addrp;
4086 4089
4087 COMMON_AUDIT_DATA_INIT(&ad, NET); 4090 COMMON_AUDIT_DATA_INIT(&ad, NET);
4088 ad.u.net.netif = skb->iif; 4091 ad.u.net.netif = skb->skb_iif;
4089 ad.u.net.family = family; 4092 ad.u.net.family = family;
4090 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4093 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4091 if (err) 4094 if (err)
@@ -4147,7 +4150,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4147 return 0; 4150 return 0;
4148 4151
4149 COMMON_AUDIT_DATA_INIT(&ad, NET); 4152 COMMON_AUDIT_DATA_INIT(&ad, NET);
4150 ad.u.net.netif = skb->iif; 4153 ad.u.net.netif = skb->skb_iif;
4151 ad.u.net.family = family; 4154 ad.u.net.family = family;
4152 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL); 4155 err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4153 if (err) 4156 if (err)
@@ -4159,7 +4162,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4159 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid); 4162 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4160 if (err) 4163 if (err)
4161 return err; 4164 return err;
4162 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family, 4165 err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
4163 peer_sid, &ad); 4166 peer_sid, &ad);
4164 if (err) { 4167 if (err) {
4165 selinux_netlbl_err(skb, err, 0); 4168 selinux_netlbl_err(skb, err, 0);
@@ -4714,10 +4717,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4714 if (err) 4717 if (err)
4715 return err; 4718 return err;
4716 4719
4717 if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS) 4720 return selinux_nlmsg_perm(sk, skb);
4718 err = selinux_nlmsg_perm(sk, skb);
4719
4720 return err;
4721} 4721}
4722 4722
4723static int selinux_netlink_recv(struct sk_buff *skb, int capability) 4723static int selinux_netlink_recv(struct sk_buff *skb, int capability)
@@ -5667,9 +5667,6 @@ static __init int selinux_init(void)
5667 0, SLAB_PANIC, NULL); 5667 0, SLAB_PANIC, NULL);
5668 avc_init(); 5668 avc_init();
5669 5669
5670 secondary_ops = security_ops;
5671 if (!secondary_ops)
5672 panic("SELinux: No initial security operations\n");
5673 if (register_security(&selinux_ops)) 5670 if (register_security(&selinux_ops))
5674 panic("SELinux: Unable to register with kernel.\n"); 5671 panic("SELinux: Unable to register with kernel.\n");
5675 5672
@@ -5830,12 +5827,11 @@ int selinux_disable(void)
5830 selinux_disabled = 1; 5827 selinux_disabled = 1;
5831 selinux_enabled = 0; 5828 selinux_enabled = 0;
5832 5829
5830 reset_security_ops();
5831
5833 /* Try to destroy the avc node cache */ 5832 /* Try to destroy the avc node cache */
5834 avc_disable(); 5833 avc_disable();
5835 5834
5836 /* Reset security_ops to the secondary module, dummy or capability. */
5837 security_ops = secondary_ops;
5838
5839 /* Unregister netfilter hooks. */ 5835 /* Unregister netfilter hooks. */
5840 selinux_nf_ip_exit(); 5836 selinux_nf_ip_exit();
5841 5837
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704dae..000000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_DIR, file, 0x00020000UL)
3 S_(SECCLASS_FILE, file, 0x00020000UL)
4 S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
5 S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
6 S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
7 S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
8 S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
9 S_(SECCLASS_SOCKET, socket, 0x00400000UL)
10 S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
11 S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
12 S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
13 S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
14 S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
15 S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
16 S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
17 S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
18 S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
19 S_(SECCLASS_IPC, ipc, 0x00000200UL)
20 S_(SECCLASS_SEM, ipc, 0x00000200UL)
21 S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
22 S_(SECCLASS_SHM, ipc, 0x00000200UL)
23 S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
24 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
25 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
26 S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
27 S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
28 S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
29 S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
30 S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
31 S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
32 S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
33 S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
34 S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d21..000000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2 S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
3 S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
4 S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
5 S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
6 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
7 S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
8 S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
9 S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
10 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
11 S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
12 S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
13 S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
14 S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
15 S_(SECCLASS_DIR, DIR__SEARCH, "search")
16 S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
17 S_(SECCLASS_DIR, DIR__OPEN, "open")
18 S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
19 S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
20 S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
21 S_(SECCLASS_FILE, FILE__OPEN, "open")
22 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
23 S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
24 S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
25 S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
26 S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
27 S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
28 S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
29 S_(SECCLASS_FD, FD__USE, "use")
30 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
31 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
32 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
33 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
34 S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
35 S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
36 S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
37 S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
38 S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
39 S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
40 S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
41 S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
42 S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
43 S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
44 S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
45 S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
46 S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
47 S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
48 S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
49 S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
50 S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
51 S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
52 S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
53 S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
54 S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
55 S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
56 S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
57 S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
58 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
59 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
60 S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
61 S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
62 S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
63 S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
64 S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
65 S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
66 S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
67 S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
68 S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
69 S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
70 S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
71 S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
72 S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
73 S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
74 S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
75 S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
76 S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
77 S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
78 S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
79 S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
80 S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
81 S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
82 S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
83 S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
84 S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
85 S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
86 S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
87 S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
88 S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
89 S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
90 S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
91 S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
92 S_(SECCLASS_MSG, MSG__SEND, "send")
93 S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
94 S_(SECCLASS_SHM, SHM__LOCK, "lock")
95 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
96 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
97 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
98 S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
99 S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
100 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
101 S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
102 S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
103 S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
104 S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
105 S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
106 S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
107 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
108 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
109 S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
110 S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
111 S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
112 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
113 S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
114 S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
115 S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
116 S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
117 S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
118 S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
119 S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
120 S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
121 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
122 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
123 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
124 S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
125 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
126 S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
127 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
128 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
129 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
130 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
131 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
132 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
133 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
134 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
135 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
136 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
137 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
138 S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
139 S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
140 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
141 S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
142 S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
143 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
144 S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
145 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
146 S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
147 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
148 S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
149 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
150 S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
151 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
152 S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
153 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
154 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
155 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
156 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
157 S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
158 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
159 S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
160 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
161 S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
162 S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
163 S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
164 S_(SECCLASS_PACKET, PACKET__SEND, "send")
165 S_(SECCLASS_PACKET, PACKET__RECV, "recv")
166 S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
167 S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
168 S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
169 S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
170 S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
171 S_(SECCLASS_KEY, KEY__VIEW, "view")
172 S_(SECCLASS_KEY, KEY__READ, "read")
173 S_(SECCLASS_KEY, KEY__WRITE, "write")
174 S_(SECCLASS_KEY, KEY__SEARCH, "search")
175 S_(SECCLASS_KEY, KEY__LINK, "link")
176 S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
177 S_(SECCLASS_KEY, KEY__CREATE, "create")
178 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
179 S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
180 S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
181 S_(SECCLASS_PEER, PEER__RECV, "recv")
182 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
183 S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
deleted file mode 100644
index 0546d616ccac..000000000000
--- a/security/selinux/include/av_permissions.h
+++ /dev/null
@@ -1,870 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2#define COMMON_FILE__IOCTL 0x00000001UL
3#define COMMON_FILE__READ 0x00000002UL
4#define COMMON_FILE__WRITE 0x00000004UL
5#define COMMON_FILE__CREATE 0x00000008UL
6#define COMMON_FILE__GETATTR 0x00000010UL
7#define COMMON_FILE__SETATTR 0x00000020UL
8#define COMMON_FILE__LOCK 0x00000040UL
9#define COMMON_FILE__RELABELFROM 0x00000080UL
10#define COMMON_FILE__RELABELTO 0x00000100UL
11#define COMMON_FILE__APPEND 0x00000200UL
12#define COMMON_FILE__UNLINK 0x00000400UL
13#define COMMON_FILE__LINK 0x00000800UL
14#define COMMON_FILE__RENAME 0x00001000UL
15#define COMMON_FILE__EXECUTE 0x00002000UL
16#define COMMON_FILE__SWAPON 0x00004000UL
17#define COMMON_FILE__QUOTAON 0x00008000UL
18#define COMMON_FILE__MOUNTON 0x00010000UL
19#define COMMON_SOCKET__IOCTL 0x00000001UL
20#define COMMON_SOCKET__READ 0x00000002UL
21#define COMMON_SOCKET__WRITE 0x00000004UL
22#define COMMON_SOCKET__CREATE 0x00000008UL
23#define COMMON_SOCKET__GETATTR 0x00000010UL
24#define COMMON_SOCKET__SETATTR 0x00000020UL
25#define COMMON_SOCKET__LOCK 0x00000040UL
26#define COMMON_SOCKET__RELABELFROM 0x00000080UL
27#define COMMON_SOCKET__RELABELTO 0x00000100UL
28#define COMMON_SOCKET__APPEND 0x00000200UL
29#define COMMON_SOCKET__BIND 0x00000400UL
30#define COMMON_SOCKET__CONNECT 0x00000800UL
31#define COMMON_SOCKET__LISTEN 0x00001000UL
32#define COMMON_SOCKET__ACCEPT 0x00002000UL
33#define COMMON_SOCKET__GETOPT 0x00004000UL
34#define COMMON_SOCKET__SETOPT 0x00008000UL
35#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
36#define COMMON_SOCKET__RECVFROM 0x00020000UL
37#define COMMON_SOCKET__SENDTO 0x00040000UL
38#define COMMON_SOCKET__RECV_MSG 0x00080000UL
39#define COMMON_SOCKET__SEND_MSG 0x00100000UL
40#define COMMON_SOCKET__NAME_BIND 0x00200000UL
41#define COMMON_IPC__CREATE 0x00000001UL
42#define COMMON_IPC__DESTROY 0x00000002UL
43#define COMMON_IPC__GETATTR 0x00000004UL
44#define COMMON_IPC__SETATTR 0x00000008UL
45#define COMMON_IPC__READ 0x00000010UL
46#define COMMON_IPC__WRITE 0x00000020UL
47#define COMMON_IPC__ASSOCIATE 0x00000040UL
48#define COMMON_IPC__UNIX_READ 0x00000080UL
49#define COMMON_IPC__UNIX_WRITE 0x00000100UL
50#define FILESYSTEM__MOUNT 0x00000001UL
51#define FILESYSTEM__REMOUNT 0x00000002UL
52#define FILESYSTEM__UNMOUNT 0x00000004UL
53#define FILESYSTEM__GETATTR 0x00000008UL
54#define FILESYSTEM__RELABELFROM 0x00000010UL
55#define FILESYSTEM__RELABELTO 0x00000020UL
56#define FILESYSTEM__TRANSITION 0x00000040UL
57#define FILESYSTEM__ASSOCIATE 0x00000080UL
58#define FILESYSTEM__QUOTAMOD 0x00000100UL
59#define FILESYSTEM__QUOTAGET 0x00000200UL
60#define DIR__IOCTL 0x00000001UL
61#define DIR__READ 0x00000002UL
62#define DIR__WRITE 0x00000004UL
63#define DIR__CREATE 0x00000008UL
64#define DIR__GETATTR 0x00000010UL
65#define DIR__SETATTR 0x00000020UL
66#define DIR__LOCK 0x00000040UL
67#define DIR__RELABELFROM 0x00000080UL
68#define DIR__RELABELTO 0x00000100UL
69#define DIR__APPEND 0x00000200UL
70#define DIR__UNLINK 0x00000400UL
71#define DIR__LINK 0x00000800UL
72#define DIR__RENAME 0x00001000UL
73#define DIR__EXECUTE 0x00002000UL
74#define DIR__SWAPON 0x00004000UL
75#define DIR__QUOTAON 0x00008000UL
76#define DIR__MOUNTON 0x00010000UL
77#define DIR__ADD_NAME 0x00020000UL
78#define DIR__REMOVE_NAME 0x00040000UL
79#define DIR__REPARENT 0x00080000UL
80#define DIR__SEARCH 0x00100000UL
81#define DIR__RMDIR 0x00200000UL
82#define DIR__OPEN 0x00400000UL
83#define FILE__IOCTL 0x00000001UL
84#define FILE__READ 0x00000002UL
85#define FILE__WRITE 0x00000004UL
86#define FILE__CREATE 0x00000008UL
87#define FILE__GETATTR 0x00000010UL
88#define FILE__SETATTR 0x00000020UL
89#define FILE__LOCK 0x00000040UL
90#define FILE__RELABELFROM 0x00000080UL
91#define FILE__RELABELTO 0x00000100UL
92#define FILE__APPEND 0x00000200UL
93#define FILE__UNLINK 0x00000400UL
94#define FILE__LINK 0x00000800UL
95#define FILE__RENAME 0x00001000UL
96#define FILE__EXECUTE 0x00002000UL
97#define FILE__SWAPON 0x00004000UL
98#define FILE__QUOTAON 0x00008000UL
99#define FILE__MOUNTON 0x00010000UL
100#define FILE__EXECUTE_NO_TRANS 0x00020000UL
101#define FILE__ENTRYPOINT 0x00040000UL
102#define FILE__EXECMOD 0x00080000UL
103#define FILE__OPEN 0x00100000UL
104#define LNK_FILE__IOCTL 0x00000001UL
105#define LNK_FILE__READ 0x00000002UL
106#define LNK_FILE__WRITE 0x00000004UL
107#define LNK_FILE__CREATE 0x00000008UL
108#define LNK_FILE__GETATTR 0x00000010UL
109#define LNK_FILE__SETATTR 0x00000020UL
110#define LNK_FILE__LOCK 0x00000040UL
111#define LNK_FILE__RELABELFROM 0x00000080UL
112#define LNK_FILE__RELABELTO 0x00000100UL
113#define LNK_FILE__APPEND 0x00000200UL
114#define LNK_FILE__UNLINK 0x00000400UL
115#define LNK_FILE__LINK 0x00000800UL
116#define LNK_FILE__RENAME 0x00001000UL
117#define LNK_FILE__EXECUTE 0x00002000UL
118#define LNK_FILE__SWAPON 0x00004000UL
119#define LNK_FILE__QUOTAON 0x00008000UL
120#define LNK_FILE__MOUNTON 0x00010000UL
121#define CHR_FILE__IOCTL 0x00000001UL
122#define CHR_FILE__READ 0x00000002UL
123#define CHR_FILE__WRITE 0x00000004UL
124#define CHR_FILE__CREATE 0x00000008UL
125#define CHR_FILE__GETATTR 0x00000010UL
126#define CHR_FILE__SETATTR 0x00000020UL
127#define CHR_FILE__LOCK 0x00000040UL
128#define CHR_FILE__RELABELFROM 0x00000080UL
129#define CHR_FILE__RELABELTO 0x00000100UL
130#define CHR_FILE__APPEND 0x00000200UL
131#define CHR_FILE__UNLINK 0x00000400UL
132#define CHR_FILE__LINK 0x00000800UL
133#define CHR_FILE__RENAME 0x00001000UL
134#define CHR_FILE__EXECUTE 0x00002000UL
135#define CHR_FILE__SWAPON 0x00004000UL
136#define CHR_FILE__QUOTAON 0x00008000UL
137#define CHR_FILE__MOUNTON 0x00010000UL
138#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
139#define CHR_FILE__ENTRYPOINT 0x00040000UL
140#define CHR_FILE__EXECMOD 0x00080000UL
141#define CHR_FILE__OPEN 0x00100000UL
142#define BLK_FILE__IOCTL 0x00000001UL
143#define BLK_FILE__READ 0x00000002UL
144#define BLK_FILE__WRITE 0x00000004UL
145#define BLK_FILE__CREATE 0x00000008UL
146#define BLK_FILE__GETATTR 0x00000010UL
147#define BLK_FILE__SETATTR 0x00000020UL
148#define BLK_FILE__LOCK 0x00000040UL
149#define BLK_FILE__RELABELFROM 0x00000080UL
150#define BLK_FILE__RELABELTO 0x00000100UL
151#define BLK_FILE__APPEND 0x00000200UL
152#define BLK_FILE__UNLINK 0x00000400UL
153#define BLK_FILE__LINK 0x00000800UL
154#define BLK_FILE__RENAME 0x00001000UL
155#define BLK_FILE__EXECUTE 0x00002000UL
156#define BLK_FILE__SWAPON 0x00004000UL
157#define BLK_FILE__QUOTAON 0x00008000UL
158#define BLK_FILE__MOUNTON 0x00010000UL
159#define BLK_FILE__OPEN 0x00020000UL
160#define SOCK_FILE__IOCTL 0x00000001UL
161#define SOCK_FILE__READ 0x00000002UL
162#define SOCK_FILE__WRITE 0x00000004UL
163#define SOCK_FILE__CREATE 0x00000008UL
164#define SOCK_FILE__GETATTR 0x00000010UL
165#define SOCK_FILE__SETATTR 0x00000020UL
166#define SOCK_FILE__LOCK 0x00000040UL
167#define SOCK_FILE__RELABELFROM 0x00000080UL
168#define SOCK_FILE__RELABELTO 0x00000100UL
169#define SOCK_FILE__APPEND 0x00000200UL
170#define SOCK_FILE__UNLINK 0x00000400UL
171#define SOCK_FILE__LINK 0x00000800UL
172#define SOCK_FILE__RENAME 0x00001000UL
173#define SOCK_FILE__EXECUTE 0x00002000UL
174#define SOCK_FILE__SWAPON 0x00004000UL
175#define SOCK_FILE__QUOTAON 0x00008000UL
176#define SOCK_FILE__MOUNTON 0x00010000UL
177#define SOCK_FILE__OPEN 0x00020000UL
178#define FIFO_FILE__IOCTL 0x00000001UL
179#define FIFO_FILE__READ 0x00000002UL
180#define FIFO_FILE__WRITE 0x00000004UL
181#define FIFO_FILE__CREATE 0x00000008UL
182#define FIFO_FILE__GETATTR 0x00000010UL
183#define FIFO_FILE__SETATTR 0x00000020UL
184#define FIFO_FILE__LOCK 0x00000040UL
185#define FIFO_FILE__RELABELFROM 0x00000080UL
186#define FIFO_FILE__RELABELTO 0x00000100UL
187#define FIFO_FILE__APPEND 0x00000200UL
188#define FIFO_FILE__UNLINK 0x00000400UL
189#define FIFO_FILE__LINK 0x00000800UL
190#define FIFO_FILE__RENAME 0x00001000UL
191#define FIFO_FILE__EXECUTE 0x00002000UL
192#define FIFO_FILE__SWAPON 0x00004000UL
193#define FIFO_FILE__QUOTAON 0x00008000UL
194#define FIFO_FILE__MOUNTON 0x00010000UL
195#define FIFO_FILE__OPEN 0x00020000UL
196#define FD__USE 0x00000001UL
197#define SOCKET__IOCTL 0x00000001UL
198#define SOCKET__READ 0x00000002UL
199#define SOCKET__WRITE 0x00000004UL
200#define SOCKET__CREATE 0x00000008UL
201#define SOCKET__GETATTR 0x00000010UL
202#define SOCKET__SETATTR 0x00000020UL
203#define SOCKET__LOCK 0x00000040UL
204#define SOCKET__RELABELFROM 0x00000080UL
205#define SOCKET__RELABELTO 0x00000100UL
206#define SOCKET__APPEND 0x00000200UL
207#define SOCKET__BIND 0x00000400UL
208#define SOCKET__CONNECT 0x00000800UL
209#define SOCKET__LISTEN 0x00001000UL
210#define SOCKET__ACCEPT 0x00002000UL
211#define SOCKET__GETOPT 0x00004000UL
212#define SOCKET__SETOPT 0x00008000UL
213#define SOCKET__SHUTDOWN 0x00010000UL
214#define SOCKET__RECVFROM 0x00020000UL
215#define SOCKET__SENDTO 0x00040000UL
216#define SOCKET__RECV_MSG 0x00080000UL
217#define SOCKET__SEND_MSG 0x00100000UL
218#define SOCKET__NAME_BIND 0x00200000UL
219#define TCP_SOCKET__IOCTL 0x00000001UL
220#define TCP_SOCKET__READ 0x00000002UL
221#define TCP_SOCKET__WRITE 0x00000004UL
222#define TCP_SOCKET__CREATE 0x00000008UL
223#define TCP_SOCKET__GETATTR 0x00000010UL
224#define TCP_SOCKET__SETATTR 0x00000020UL
225#define TCP_SOCKET__LOCK 0x00000040UL
226#define TCP_SOCKET__RELABELFROM 0x00000080UL
227#define TCP_SOCKET__RELABELTO 0x00000100UL
228#define TCP_SOCKET__APPEND 0x00000200UL
229#define TCP_SOCKET__BIND 0x00000400UL
230#define TCP_SOCKET__CONNECT 0x00000800UL
231#define TCP_SOCKET__LISTEN 0x00001000UL
232#define TCP_SOCKET__ACCEPT 0x00002000UL
233#define TCP_SOCKET__GETOPT 0x00004000UL
234#define TCP_SOCKET__SETOPT 0x00008000UL
235#define TCP_SOCKET__SHUTDOWN 0x00010000UL
236#define TCP_SOCKET__RECVFROM 0x00020000UL
237#define TCP_SOCKET__SENDTO 0x00040000UL
238#define TCP_SOCKET__RECV_MSG 0x00080000UL
239#define TCP_SOCKET__SEND_MSG 0x00100000UL
240#define TCP_SOCKET__NAME_BIND 0x00200000UL
241#define TCP_SOCKET__CONNECTTO 0x00400000UL
242#define TCP_SOCKET__NEWCONN 0x00800000UL
243#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
244#define TCP_SOCKET__NODE_BIND 0x02000000UL
245#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
246#define UDP_SOCKET__IOCTL 0x00000001UL
247#define UDP_SOCKET__READ 0x00000002UL
248#define UDP_SOCKET__WRITE 0x00000004UL
249#define UDP_SOCKET__CREATE 0x00000008UL
250#define UDP_SOCKET__GETATTR 0x00000010UL
251#define UDP_SOCKET__SETATTR 0x00000020UL
252#define UDP_SOCKET__LOCK 0x00000040UL
253#define UDP_SOCKET__RELABELFROM 0x00000080UL
254#define UDP_SOCKET__RELABELTO 0x00000100UL
255#define UDP_SOCKET__APPEND 0x00000200UL
256#define UDP_SOCKET__BIND 0x00000400UL
257#define UDP_SOCKET__CONNECT 0x00000800UL
258#define UDP_SOCKET__LISTEN 0x00001000UL
259#define UDP_SOCKET__ACCEPT 0x00002000UL
260#define UDP_SOCKET__GETOPT 0x00004000UL
261#define UDP_SOCKET__SETOPT 0x00008000UL
262#define UDP_SOCKET__SHUTDOWN 0x00010000UL
263#define UDP_SOCKET__RECVFROM 0x00020000UL
264#define UDP_SOCKET__SENDTO 0x00040000UL
265#define UDP_SOCKET__RECV_MSG 0x00080000UL
266#define UDP_SOCKET__SEND_MSG 0x00100000UL
267#define UDP_SOCKET__NAME_BIND 0x00200000UL
268#define UDP_SOCKET__NODE_BIND 0x00400000UL
269#define RAWIP_SOCKET__IOCTL 0x00000001UL
270#define RAWIP_SOCKET__READ 0x00000002UL
271#define RAWIP_SOCKET__WRITE 0x00000004UL
272#define RAWIP_SOCKET__CREATE 0x00000008UL
273#define RAWIP_SOCKET__GETATTR 0x00000010UL
274#define RAWIP_SOCKET__SETATTR 0x00000020UL
275#define RAWIP_SOCKET__LOCK 0x00000040UL
276#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
277#define RAWIP_SOCKET__RELABELTO 0x00000100UL
278#define RAWIP_SOCKET__APPEND 0x00000200UL
279#define RAWIP_SOCKET__BIND 0x00000400UL
280#define RAWIP_SOCKET__CONNECT 0x00000800UL
281#define RAWIP_SOCKET__LISTEN 0x00001000UL
282#define RAWIP_SOCKET__ACCEPT 0x00002000UL
283#define RAWIP_SOCKET__GETOPT 0x00004000UL
284#define RAWIP_SOCKET__SETOPT 0x00008000UL
285#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
286#define RAWIP_SOCKET__RECVFROM 0x00020000UL
287#define RAWIP_SOCKET__SENDTO 0x00040000UL
288#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
289#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
290#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
291#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
292#define NODE__TCP_RECV 0x00000001UL
293#define NODE__TCP_SEND 0x00000002UL
294#define NODE__UDP_RECV 0x00000004UL
295#define NODE__UDP_SEND 0x00000008UL
296#define NODE__RAWIP_RECV 0x00000010UL
297#define NODE__RAWIP_SEND 0x00000020UL
298#define NODE__ENFORCE_DEST 0x00000040UL
299#define NODE__DCCP_RECV 0x00000080UL
300#define NODE__DCCP_SEND 0x00000100UL
301#define NODE__RECVFROM 0x00000200UL
302#define NODE__SENDTO 0x00000400UL
303#define NETIF__TCP_RECV 0x00000001UL
304#define NETIF__TCP_SEND 0x00000002UL
305#define NETIF__UDP_RECV 0x00000004UL
306#define NETIF__UDP_SEND 0x00000008UL
307#define NETIF__RAWIP_RECV 0x00000010UL
308#define NETIF__RAWIP_SEND 0x00000020UL
309#define NETIF__DCCP_RECV 0x00000040UL
310#define NETIF__DCCP_SEND 0x00000080UL
311#define NETIF__INGRESS 0x00000100UL
312#define NETIF__EGRESS 0x00000200UL
313#define NETLINK_SOCKET__IOCTL 0x00000001UL
314#define NETLINK_SOCKET__READ 0x00000002UL
315#define NETLINK_SOCKET__WRITE 0x00000004UL
316#define NETLINK_SOCKET__CREATE 0x00000008UL
317#define NETLINK_SOCKET__GETATTR 0x00000010UL
318#define NETLINK_SOCKET__SETATTR 0x00000020UL
319#define NETLINK_SOCKET__LOCK 0x00000040UL
320#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
321#define NETLINK_SOCKET__RELABELTO 0x00000100UL
322#define NETLINK_SOCKET__APPEND 0x00000200UL
323#define NETLINK_SOCKET__BIND 0x00000400UL
324#define NETLINK_SOCKET__CONNECT 0x00000800UL
325#define NETLINK_SOCKET__LISTEN 0x00001000UL
326#define NETLINK_SOCKET__ACCEPT 0x00002000UL
327#define NETLINK_SOCKET__GETOPT 0x00004000UL
328#define NETLINK_SOCKET__SETOPT 0x00008000UL
329#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
330#define NETLINK_SOCKET__RECVFROM 0x00020000UL
331#define NETLINK_SOCKET__SENDTO 0x00040000UL
332#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
333#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
334#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
335#define PACKET_SOCKET__IOCTL 0x00000001UL
336#define PACKET_SOCKET__READ 0x00000002UL
337#define PACKET_SOCKET__WRITE 0x00000004UL
338#define PACKET_SOCKET__CREATE 0x00000008UL
339#define PACKET_SOCKET__GETATTR 0x00000010UL
340#define PACKET_SOCKET__SETATTR 0x00000020UL
341#define PACKET_SOCKET__LOCK 0x00000040UL
342#define PACKET_SOCKET__RELABELFROM 0x00000080UL
343#define PACKET_SOCKET__RELABELTO 0x00000100UL
344#define PACKET_SOCKET__APPEND 0x00000200UL
345#define PACKET_SOCKET__BIND 0x00000400UL
346#define PACKET_SOCKET__CONNECT 0x00000800UL
347#define PACKET_SOCKET__LISTEN 0x00001000UL
348#define PACKET_SOCKET__ACCEPT 0x00002000UL
349#define PACKET_SOCKET__GETOPT 0x00004000UL
350#define PACKET_SOCKET__SETOPT 0x00008000UL
351#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
352#define PACKET_SOCKET__RECVFROM 0x00020000UL
353#define PACKET_SOCKET__SENDTO 0x00040000UL
354#define PACKET_SOCKET__RECV_MSG 0x00080000UL
355#define PACKET_SOCKET__SEND_MSG 0x00100000UL
356#define PACKET_SOCKET__NAME_BIND 0x00200000UL
357#define KEY_SOCKET__IOCTL 0x00000001UL
358#define KEY_SOCKET__READ 0x00000002UL
359#define KEY_SOCKET__WRITE 0x00000004UL
360#define KEY_SOCKET__CREATE 0x00000008UL
361#define KEY_SOCKET__GETATTR 0x00000010UL
362#define KEY_SOCKET__SETATTR 0x00000020UL
363#define KEY_SOCKET__LOCK 0x00000040UL
364#define KEY_SOCKET__RELABELFROM 0x00000080UL
365#define KEY_SOCKET__RELABELTO 0x00000100UL
366#define KEY_SOCKET__APPEND 0x00000200UL
367#define KEY_SOCKET__BIND 0x00000400UL
368#define KEY_SOCKET__CONNECT 0x00000800UL
369#define KEY_SOCKET__LISTEN 0x00001000UL
370#define KEY_SOCKET__ACCEPT 0x00002000UL
371#define KEY_SOCKET__GETOPT 0x00004000UL
372#define KEY_SOCKET__SETOPT 0x00008000UL
373#define KEY_SOCKET__SHUTDOWN 0x00010000UL
374#define KEY_SOCKET__RECVFROM 0x00020000UL
375#define KEY_SOCKET__SENDTO 0x00040000UL
376#define KEY_SOCKET__RECV_MSG 0x00080000UL
377#define KEY_SOCKET__SEND_MSG 0x00100000UL
378#define KEY_SOCKET__NAME_BIND 0x00200000UL
379#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
380#define UNIX_STREAM_SOCKET__READ 0x00000002UL
381#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
382#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
383#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
384#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
385#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
386#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
387#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
388#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
389#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
390#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
391#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
392#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
393#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
394#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
395#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
396#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
397#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
398#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
399#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
400#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
401#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
402#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
403#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
404#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
405#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
406#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
407#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
408#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
409#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
410#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
411#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
412#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
413#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
414#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
415#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
416#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
417#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
418#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
419#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
420#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
421#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
422#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
423#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
424#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
425#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
426#define TUN_SOCKET__IOCTL 0x00000001UL
427#define TUN_SOCKET__READ 0x00000002UL
428#define TUN_SOCKET__WRITE 0x00000004UL
429#define TUN_SOCKET__CREATE 0x00000008UL
430#define TUN_SOCKET__GETATTR 0x00000010UL
431#define TUN_SOCKET__SETATTR 0x00000020UL
432#define TUN_SOCKET__LOCK 0x00000040UL
433#define TUN_SOCKET__RELABELFROM 0x00000080UL
434#define TUN_SOCKET__RELABELTO 0x00000100UL
435#define TUN_SOCKET__APPEND 0x00000200UL
436#define TUN_SOCKET__BIND 0x00000400UL
437#define TUN_SOCKET__CONNECT 0x00000800UL
438#define TUN_SOCKET__LISTEN 0x00001000UL
439#define TUN_SOCKET__ACCEPT 0x00002000UL
440#define TUN_SOCKET__GETOPT 0x00004000UL
441#define TUN_SOCKET__SETOPT 0x00008000UL
442#define TUN_SOCKET__SHUTDOWN 0x00010000UL
443#define TUN_SOCKET__RECVFROM 0x00020000UL
444#define TUN_SOCKET__SENDTO 0x00040000UL
445#define TUN_SOCKET__RECV_MSG 0x00080000UL
446#define TUN_SOCKET__SEND_MSG 0x00100000UL
447#define TUN_SOCKET__NAME_BIND 0x00200000UL
448#define PROCESS__FORK 0x00000001UL
449#define PROCESS__TRANSITION 0x00000002UL
450#define PROCESS__SIGCHLD 0x00000004UL
451#define PROCESS__SIGKILL 0x00000008UL
452#define PROCESS__SIGSTOP 0x00000010UL
453#define PROCESS__SIGNULL 0x00000020UL
454#define PROCESS__SIGNAL 0x00000040UL
455#define PROCESS__PTRACE 0x00000080UL
456#define PROCESS__GETSCHED 0x00000100UL
457#define PROCESS__SETSCHED 0x00000200UL
458#define PROCESS__GETSESSION 0x00000400UL
459#define PROCESS__GETPGID 0x00000800UL
460#define PROCESS__SETPGID 0x00001000UL
461#define PROCESS__GETCAP 0x00002000UL
462#define PROCESS__SETCAP 0x00004000UL
463#define PROCESS__SHARE 0x00008000UL
464#define PROCESS__GETATTR 0x00010000UL
465#define PROCESS__SETEXEC 0x00020000UL
466#define PROCESS__SETFSCREATE 0x00040000UL
467#define PROCESS__NOATSECURE 0x00080000UL
468#define PROCESS__SIGINH 0x00100000UL
469#define PROCESS__SETRLIMIT 0x00200000UL
470#define PROCESS__RLIMITINH 0x00400000UL
471#define PROCESS__DYNTRANSITION 0x00800000UL
472#define PROCESS__SETCURRENT 0x01000000UL
473#define PROCESS__EXECMEM 0x02000000UL
474#define PROCESS__EXECSTACK 0x04000000UL
475#define PROCESS__EXECHEAP 0x08000000UL
476#define PROCESS__SETKEYCREATE 0x10000000UL
477#define PROCESS__SETSOCKCREATE 0x20000000UL
478#define IPC__CREATE 0x00000001UL
479#define IPC__DESTROY 0x00000002UL
480#define IPC__GETATTR 0x00000004UL
481#define IPC__SETATTR 0x00000008UL
482#define IPC__READ 0x00000010UL
483#define IPC__WRITE 0x00000020UL
484#define IPC__ASSOCIATE 0x00000040UL
485#define IPC__UNIX_READ 0x00000080UL
486#define IPC__UNIX_WRITE 0x00000100UL
487#define SEM__CREATE 0x00000001UL
488#define SEM__DESTROY 0x00000002UL
489#define SEM__GETATTR 0x00000004UL
490#define SEM__SETATTR 0x00000008UL
491#define SEM__READ 0x00000010UL
492#define SEM__WRITE 0x00000020UL
493#define SEM__ASSOCIATE 0x00000040UL
494#define SEM__UNIX_READ 0x00000080UL
495#define SEM__UNIX_WRITE 0x00000100UL
496#define MSGQ__CREATE 0x00000001UL
497#define MSGQ__DESTROY 0x00000002UL
498#define MSGQ__GETATTR 0x00000004UL
499#define MSGQ__SETATTR 0x00000008UL
500#define MSGQ__READ 0x00000010UL
501#define MSGQ__WRITE 0x00000020UL
502#define MSGQ__ASSOCIATE 0x00000040UL
503#define MSGQ__UNIX_READ 0x00000080UL
504#define MSGQ__UNIX_WRITE 0x00000100UL
505#define MSGQ__ENQUEUE 0x00000200UL
506#define MSG__SEND 0x00000001UL
507#define MSG__RECEIVE 0x00000002UL
508#define SHM__CREATE 0x00000001UL
509#define SHM__DESTROY 0x00000002UL
510#define SHM__GETATTR 0x00000004UL
511#define SHM__SETATTR 0x00000008UL
512#define SHM__READ 0x00000010UL
513#define SHM__WRITE 0x00000020UL
514#define SHM__ASSOCIATE 0x00000040UL
515#define SHM__UNIX_READ 0x00000080UL
516#define SHM__UNIX_WRITE 0x00000100UL
517#define SHM__LOCK 0x00000200UL
518#define SECURITY__COMPUTE_AV 0x00000001UL
519#define SECURITY__COMPUTE_CREATE 0x00000002UL
520#define SECURITY__COMPUTE_MEMBER 0x00000004UL
521#define SECURITY__CHECK_CONTEXT 0x00000008UL
522#define SECURITY__LOAD_POLICY 0x00000010UL
523#define SECURITY__COMPUTE_RELABEL 0x00000020UL
524#define SECURITY__COMPUTE_USER 0x00000040UL
525#define SECURITY__SETENFORCE 0x00000080UL
526#define SECURITY__SETBOOL 0x00000100UL
527#define SECURITY__SETSECPARAM 0x00000200UL
528#define SECURITY__SETCHECKREQPROT 0x00000400UL
529#define SYSTEM__IPC_INFO 0x00000001UL
530#define SYSTEM__SYSLOG_READ 0x00000002UL
531#define SYSTEM__SYSLOG_MOD 0x00000004UL
532#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
533#define SYSTEM__MODULE_REQUEST 0x00000010UL
534#define CAPABILITY__CHOWN 0x00000001UL
535#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
536#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
537#define CAPABILITY__FOWNER 0x00000008UL
538#define CAPABILITY__FSETID 0x00000010UL
539#define CAPABILITY__KILL 0x00000020UL
540#define CAPABILITY__SETGID 0x00000040UL
541#define CAPABILITY__SETUID 0x00000080UL
542#define CAPABILITY__SETPCAP 0x00000100UL
543#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
544#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
545#define CAPABILITY__NET_BROADCAST 0x00000800UL
546#define CAPABILITY__NET_ADMIN 0x00001000UL
547#define CAPABILITY__NET_RAW 0x00002000UL
548#define CAPABILITY__IPC_LOCK 0x00004000UL
549#define CAPABILITY__IPC_OWNER 0x00008000UL
550#define CAPABILITY__SYS_MODULE 0x00010000UL
551#define CAPABILITY__SYS_RAWIO 0x00020000UL
552#define CAPABILITY__SYS_CHROOT 0x00040000UL
553#define CAPABILITY__SYS_PTRACE 0x00080000UL
554#define CAPABILITY__SYS_PACCT 0x00100000UL
555#define CAPABILITY__SYS_ADMIN 0x00200000UL
556#define CAPABILITY__SYS_BOOT 0x00400000UL
557#define CAPABILITY__SYS_NICE 0x00800000UL
558#define CAPABILITY__SYS_RESOURCE 0x01000000UL
559#define CAPABILITY__SYS_TIME 0x02000000UL
560#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
561#define CAPABILITY__MKNOD 0x08000000UL
562#define CAPABILITY__LEASE 0x10000000UL
563#define CAPABILITY__AUDIT_WRITE 0x20000000UL
564#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
565#define CAPABILITY__SETFCAP 0x80000000UL
566#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
567#define CAPABILITY2__MAC_ADMIN 0x00000002UL
568#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
569#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
570#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
571#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
572#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
573#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
574#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
575#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
576#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
577#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
578#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
579#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
580#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
581#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
582#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
583#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
584#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
585#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
586#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
587#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
588#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
589#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
590#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
591#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
592#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
593#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
594#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
595#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
596#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
597#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
598#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
599#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
600#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
601#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
602#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
603#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
604#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
605#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
606#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
607#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
608#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
609#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
610#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
611#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
612#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
613#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
614#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
615#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
616#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
617#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
618#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
619#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
620#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
621#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
622#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
623#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
624#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
625#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
626#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
627#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
628#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
629#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
630#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
631#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
632#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
633#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
634#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
635#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
636#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
637#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
638#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
639#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
640#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
641#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
642#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
643#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
644#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
645#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
646#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
647#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
648#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
649#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
650#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
651#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
652#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
653#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
654#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
655#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
656#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
657#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
658#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
659#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
660#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
661#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
662#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
663#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
664#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
665#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
666#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
667#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
668#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
669#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
670#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
671#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
672#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
673#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
674#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
675#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
676#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
677#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
678#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
679#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
680#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
681#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
682#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
683#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
684#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
685#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
686#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
687#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
688#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
689#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
690#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
691#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
692#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
693#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
694#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
695#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
696#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
697#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
698#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
699#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
700#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
701#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
702#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
703#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
704#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
705#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
706#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
707#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
708#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
709#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
710#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
711#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
712#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
713#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
714#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
715#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
716#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
717#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
718#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
719#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
720#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
721#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
722#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
723#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
724#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
725#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
726#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
727#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
728#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
729#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
730#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
731#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
732#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
733#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
734#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
735#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
736#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
737#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
738#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
739#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
740#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
741#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
742#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
743#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
744#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
745#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
746#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
747#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
748#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
749#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
750#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
751#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
752#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
753#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
754#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
755#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
756#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
757#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
758#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
759#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
760#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
761#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
762#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
763#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
764#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
765#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
766#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
767#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
768#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
769#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
770#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
771#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
772#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
773#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
774#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
775#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
776#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
777#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
778#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
779#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
780#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
781#define ASSOCIATION__SENDTO 0x00000001UL
782#define ASSOCIATION__RECVFROM 0x00000002UL
783#define ASSOCIATION__SETCONTEXT 0x00000004UL
784#define ASSOCIATION__POLMATCH 0x00000008UL
785#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
786#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
787#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
788#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
789#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
790#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
791#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
792#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
793#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
794#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
795#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
796#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
797#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
798#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
799#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
800#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
801#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
802#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
803#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
804#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
805#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
806#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
807#define APPLETALK_SOCKET__IOCTL 0x00000001UL
808#define APPLETALK_SOCKET__READ 0x00000002UL
809#define APPLETALK_SOCKET__WRITE 0x00000004UL
810#define APPLETALK_SOCKET__CREATE 0x00000008UL
811#define APPLETALK_SOCKET__GETATTR 0x00000010UL
812#define APPLETALK_SOCKET__SETATTR 0x00000020UL
813#define APPLETALK_SOCKET__LOCK 0x00000040UL
814#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
815#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
816#define APPLETALK_SOCKET__APPEND 0x00000200UL
817#define APPLETALK_SOCKET__BIND 0x00000400UL
818#define APPLETALK_SOCKET__CONNECT 0x00000800UL
819#define APPLETALK_SOCKET__LISTEN 0x00001000UL
820#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
821#define APPLETALK_SOCKET__GETOPT 0x00004000UL
822#define APPLETALK_SOCKET__SETOPT 0x00008000UL
823#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
824#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
825#define APPLETALK_SOCKET__SENDTO 0x00040000UL
826#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
827#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
828#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
829#define PACKET__SEND 0x00000001UL
830#define PACKET__RECV 0x00000002UL
831#define PACKET__RELABELTO 0x00000004UL
832#define PACKET__FLOW_IN 0x00000008UL
833#define PACKET__FLOW_OUT 0x00000010UL
834#define PACKET__FORWARD_IN 0x00000020UL
835#define PACKET__FORWARD_OUT 0x00000040UL
836#define KEY__VIEW 0x00000001UL
837#define KEY__READ 0x00000002UL
838#define KEY__WRITE 0x00000004UL
839#define KEY__SEARCH 0x00000008UL
840#define KEY__LINK 0x00000010UL
841#define KEY__SETATTR 0x00000020UL
842#define KEY__CREATE 0x00000040UL
843#define DCCP_SOCKET__IOCTL 0x00000001UL
844#define DCCP_SOCKET__READ 0x00000002UL
845#define DCCP_SOCKET__WRITE 0x00000004UL
846#define DCCP_SOCKET__CREATE 0x00000008UL
847#define DCCP_SOCKET__GETATTR 0x00000010UL
848#define DCCP_SOCKET__SETATTR 0x00000020UL
849#define DCCP_SOCKET__LOCK 0x00000040UL
850#define DCCP_SOCKET__RELABELFROM 0x00000080UL
851#define DCCP_SOCKET__RELABELTO 0x00000100UL
852#define DCCP_SOCKET__APPEND 0x00000200UL
853#define DCCP_SOCKET__BIND 0x00000400UL
854#define DCCP_SOCKET__CONNECT 0x00000800UL
855#define DCCP_SOCKET__LISTEN 0x00001000UL
856#define DCCP_SOCKET__ACCEPT 0x00002000UL
857#define DCCP_SOCKET__GETOPT 0x00004000UL
858#define DCCP_SOCKET__SETOPT 0x00008000UL
859#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
860#define DCCP_SOCKET__RECVFROM 0x00020000UL
861#define DCCP_SOCKET__SENDTO 0x00040000UL
862#define DCCP_SOCKET__RECV_MSG 0x00080000UL
863#define DCCP_SOCKET__SEND_MSG 0x00100000UL
864#define DCCP_SOCKET__NAME_BIND 0x00200000UL
865#define DCCP_SOCKET__NODE_BIND 0x00400000UL
866#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
867#define MEMPROTECT__MMAP_ZERO 0x00000001UL
868#define PEER__RECV 0x00000001UL
869#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
870#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdfe..4677aa519b04 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
10 10
11int avc_ss_reset(u32 seqno); 11int avc_ss_reset(u32 seqno);
12 12
13struct av_perm_to_string { 13/* Class/perm mapping support */
14 u16 tclass; 14struct security_class_mapping {
15 u32 value;
16 const char *name; 15 const char *name;
16 const char *perms[sizeof(u32) * 8 + 1];
17}; 17};
18 18
19struct av_inherit { 19extern struct security_class_mapping secclass_map[];
20 const char **common_pts;
21 u32 common_base;
22 u16 tclass;
23};
24
25struct selinux_class_perm {
26 const struct av_perm_to_string *av_perm_to_string;
27 u32 av_pts_len;
28 u32 cts_len;
29 const char **class_to_string;
30 const struct av_inherit *av_inherit;
31 u32 av_inherit_len;
32};
33 20
34#endif /* _SELINUX_AVC_SS_H_ */ 21#endif /* _SELINUX_AVC_SS_H_ */
35 22
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6b..000000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2/*
3 * Security object class definitions
4 */
5 S_(NULL)
6 S_("security")
7 S_("process")
8 S_("system")
9 S_("capability")
10 S_("filesystem")
11 S_("file")
12 S_("dir")
13 S_("fd")
14 S_("lnk_file")
15 S_("chr_file")
16 S_("blk_file")
17 S_("sock_file")
18 S_("fifo_file")
19 S_("socket")
20 S_("tcp_socket")
21 S_("udp_socket")
22 S_("rawip_socket")
23 S_("node")
24 S_("netif")
25 S_("netlink_socket")
26 S_("packet_socket")
27 S_("key_socket")
28 S_("unix_stream_socket")
29 S_("unix_dgram_socket")
30 S_("sem")
31 S_("msg")
32 S_("msgq")
33 S_("shm")
34 S_("ipc")
35 S_(NULL)
36 S_(NULL)
37 S_(NULL)
38 S_(NULL)
39 S_(NULL)
40 S_(NULL)
41 S_(NULL)
42 S_(NULL)
43 S_(NULL)
44 S_(NULL)
45 S_(NULL)
46 S_(NULL)
47 S_(NULL)
48 S_("netlink_route_socket")
49 S_("netlink_firewall_socket")
50 S_("netlink_tcpdiag_socket")
51 S_("netlink_nflog_socket")
52 S_("netlink_xfrm_socket")
53 S_("netlink_selinux_socket")
54 S_("netlink_audit_socket")
55 S_("netlink_ip6fw_socket")
56 S_("netlink_dnrt_socket")
57 S_(NULL)
58 S_(NULL)
59 S_("association")
60 S_("netlink_kobject_uevent_socket")
61 S_("appletalk_socket")
62 S_("packet")
63 S_("key")
64 S_(NULL)
65 S_("dccp_socket")
66 S_("memprotect")
67 S_(NULL)
68 S_(NULL)
69 S_(NULL)
70 S_(NULL)
71 S_(NULL)
72 S_(NULL)
73 S_("peer")
74 S_("capability2")
75 S_(NULL)
76 S_(NULL)
77 S_(NULL)
78 S_(NULL)
79 S_("kernel_service")
80 S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 000000000000..8b32e959bb2e
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
1#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
2 "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
3
4#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
5 "rename", "execute", "swapon", "quotaon", "mounton"
6
7#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
8 "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
9 "sendto", "recv_msg", "send_msg", "name_bind"
10
11#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
12 "write", "associate", "unix_read", "unix_write"
13
14struct security_class_mapping secclass_map[] = {
15 { "security",
16 { "compute_av", "compute_create", "compute_member",
17 "check_context", "load_policy", "compute_relabel",
18 "compute_user", "setenforce", "setbool", "setsecparam",
19 "setcheckreqprot", NULL } },
20 { "process",
21 { "fork", "transition", "sigchld", "sigkill",
22 "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
23 "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
24 "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
25 "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
26 "execmem", "execstack", "execheap", "setkeycreate",
27 "setsockcreate", NULL } },
28 { "system",
29 { "ipc_info", "syslog_read", "syslog_mod",
30 "syslog_console", "module_request", NULL } },
31 { "capability",
32 { "chown", "dac_override", "dac_read_search",
33 "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
34 "linux_immutable", "net_bind_service", "net_broadcast",
35 "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
36 "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
37 "sys_boot", "sys_nice", "sys_resource", "sys_time",
38 "sys_tty_config", "mknod", "lease", "audit_write",
39 "audit_control", "setfcap", NULL } },
40 { "filesystem",
41 { "mount", "remount", "unmount", "getattr",
42 "relabelfrom", "relabelto", "transition", "associate", "quotamod",
43 "quotaget", NULL } },
44 { "file",
45 { COMMON_FILE_PERMS,
46 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
47 { "dir",
48 { COMMON_FILE_PERMS, "add_name", "remove_name",
49 "reparent", "search", "rmdir", "open", NULL } },
50 { "fd", { "use", NULL } },
51 { "lnk_file",
52 { COMMON_FILE_PERMS, NULL } },
53 { "chr_file",
54 { COMMON_FILE_PERMS,
55 "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
56 { "blk_file",
57 { COMMON_FILE_PERMS, "open", NULL } },
58 { "sock_file",
59 { COMMON_FILE_PERMS, "open", NULL } },
60 { "fifo_file",
61 { COMMON_FILE_PERMS, "open", NULL } },
62 { "socket",
63 { COMMON_SOCK_PERMS, NULL } },
64 { "tcp_socket",
65 { COMMON_SOCK_PERMS,
66 "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
67 NULL } },
68 { "udp_socket",
69 { COMMON_SOCK_PERMS,
70 "node_bind", NULL } },
71 { "rawip_socket",
72 { COMMON_SOCK_PERMS,
73 "node_bind", NULL } },
74 { "node",
75 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
76 "rawip_recv", "rawip_send", "enforce_dest",
77 "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
78 { "netif",
79 { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
80 "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
81 "ingress", "egress", NULL } },
82 { "netlink_socket",
83 { COMMON_SOCK_PERMS, NULL } },
84 { "packet_socket",
85 { COMMON_SOCK_PERMS, NULL } },
86 { "key_socket",
87 { COMMON_SOCK_PERMS, NULL } },
88 { "unix_stream_socket",
89 { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
90 } },
91 { "unix_dgram_socket",
92 { COMMON_SOCK_PERMS, NULL
93 } },
94 { "sem",
95 { COMMON_IPC_PERMS, NULL } },
96 { "msg", { "send", "receive", NULL } },
97 { "msgq",
98 { COMMON_IPC_PERMS, "enqueue", NULL } },
99 { "shm",
100 { COMMON_IPC_PERMS, "lock", NULL } },
101 { "ipc",
102 { COMMON_IPC_PERMS, NULL } },
103 { "netlink_route_socket",
104 { COMMON_SOCK_PERMS,
105 "nlmsg_read", "nlmsg_write", NULL } },
106 { "netlink_firewall_socket",
107 { COMMON_SOCK_PERMS,
108 "nlmsg_read", "nlmsg_write", NULL } },
109 { "netlink_tcpdiag_socket",
110 { COMMON_SOCK_PERMS,
111 "nlmsg_read", "nlmsg_write", NULL } },
112 { "netlink_nflog_socket",
113 { COMMON_SOCK_PERMS, NULL } },
114 { "netlink_xfrm_socket",
115 { COMMON_SOCK_PERMS,
116 "nlmsg_read", "nlmsg_write", NULL } },
117 { "netlink_selinux_socket",
118 { COMMON_SOCK_PERMS, NULL } },
119 { "netlink_audit_socket",
120 { COMMON_SOCK_PERMS,
121 "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
122 "nlmsg_tty_audit", NULL } },
123 { "netlink_ip6fw_socket",
124 { COMMON_SOCK_PERMS,
125 "nlmsg_read", "nlmsg_write", NULL } },
126 { "netlink_dnrt_socket",
127 { COMMON_SOCK_PERMS, NULL } },
128 { "association",
129 { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
130 { "netlink_kobject_uevent_socket",
131 { COMMON_SOCK_PERMS, NULL } },
132 { "appletalk_socket",
133 { COMMON_SOCK_PERMS, NULL } },
134 { "packet",
135 { "send", "recv", "relabelto", "flow_in", "flow_out",
136 "forward_in", "forward_out", NULL } },
137 { "key",
138 { "view", "read", "write", "search", "link", "setattr", "create",
139 NULL } },
140 { "dccp_socket",
141 { COMMON_SOCK_PERMS,
142 "node_bind", "name_connect", NULL } },
143 { "memprotect", { "mmap_zero", NULL } },
144 { "peer", { "recv", NULL } },
145 { "capability2", { "mac_override", "mac_admin", NULL } },
146 { "kernel_service", { "use_as_override", "create_files_as", NULL } },
147 { "tun_socket",
148 { COMMON_SOCK_PERMS, NULL } },
149 { NULL }
150 };
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9dd..000000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2TB_(common_file_perm_to_string)
3 S_("ioctl")
4 S_("read")
5 S_("write")
6 S_("create")
7 S_("getattr")
8 S_("setattr")
9 S_("lock")
10 S_("relabelfrom")
11 S_("relabelto")
12 S_("append")
13 S_("unlink")
14 S_("link")
15 S_("rename")
16 S_("execute")
17 S_("swapon")
18 S_("quotaon")
19 S_("mounton")
20TE_(common_file_perm_to_string)
21
22TB_(common_socket_perm_to_string)
23 S_("ioctl")
24 S_("read")
25 S_("write")
26 S_("create")
27 S_("getattr")
28 S_("setattr")
29 S_("lock")
30 S_("relabelfrom")
31 S_("relabelto")
32 S_("append")
33 S_("bind")
34 S_("connect")
35 S_("listen")
36 S_("accept")
37 S_("getopt")
38 S_("setopt")
39 S_("shutdown")
40 S_("recvfrom")
41 S_("sendto")
42 S_("recv_msg")
43 S_("send_msg")
44 S_("name_bind")
45TE_(common_socket_perm_to_string)
46
47TB_(common_ipc_perm_to_string)
48 S_("create")
49 S_("destroy")
50 S_("getattr")
51 S_("setattr")
52 S_("read")
53 S_("write")
54 S_("associate")
55 S_("unix_read")
56 S_("unix_write")
57TE_(common_ipc_perm_to_string)
58
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
deleted file mode 100644
index f248500a1e3c..000000000000
--- a/security/selinux/include/flask.h
+++ /dev/null
@@ -1,91 +0,0 @@
1/* This file is automatically generated. Do not edit. */
2#ifndef _SELINUX_FLASK_H_
3#define _SELINUX_FLASK_H_
4
5/*
6 * Security object class definitions
7 */
8#define SECCLASS_SECURITY 1
9#define SECCLASS_PROCESS 2
10#define SECCLASS_SYSTEM 3
11#define SECCLASS_CAPABILITY 4
12#define SECCLASS_FILESYSTEM 5
13#define SECCLASS_FILE 6
14#define SECCLASS_DIR 7
15#define SECCLASS_FD 8
16#define SECCLASS_LNK_FILE 9
17#define SECCLASS_CHR_FILE 10
18#define SECCLASS_BLK_FILE 11
19#define SECCLASS_SOCK_FILE 12
20#define SECCLASS_FIFO_FILE 13
21#define SECCLASS_SOCKET 14
22#define SECCLASS_TCP_SOCKET 15
23#define SECCLASS_UDP_SOCKET 16
24#define SECCLASS_RAWIP_SOCKET 17
25#define SECCLASS_NODE 18
26#define SECCLASS_NETIF 19
27#define SECCLASS_NETLINK_SOCKET 20
28#define SECCLASS_PACKET_SOCKET 21
29#define SECCLASS_KEY_SOCKET 22
30#define SECCLASS_UNIX_STREAM_SOCKET 23
31#define SECCLASS_UNIX_DGRAM_SOCKET 24
32#define SECCLASS_SEM 25
33#define SECCLASS_MSG 26
34#define SECCLASS_MSGQ 27
35#define SECCLASS_SHM 28
36#define SECCLASS_IPC 29
37#define SECCLASS_NETLINK_ROUTE_SOCKET 43
38#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
39#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
40#define SECCLASS_NETLINK_NFLOG_SOCKET 46
41#define SECCLASS_NETLINK_XFRM_SOCKET 47
42#define SECCLASS_NETLINK_SELINUX_SOCKET 48
43#define SECCLASS_NETLINK_AUDIT_SOCKET 49
44#define SECCLASS_NETLINK_IP6FW_SOCKET 50
45#define SECCLASS_NETLINK_DNRT_SOCKET 51
46#define SECCLASS_ASSOCIATION 54
47#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
48#define SECCLASS_APPLETALK_SOCKET 56
49#define SECCLASS_PACKET 57
50#define SECCLASS_KEY 58
51#define SECCLASS_DCCP_SOCKET 60
52#define SECCLASS_MEMPROTECT 61
53#define SECCLASS_PEER 68
54#define SECCLASS_CAPABILITY2 69
55#define SECCLASS_KERNEL_SERVICE 74
56#define SECCLASS_TUN_SOCKET 75
57
58/*
59 * Security identifier indices for initial entities
60 */
61#define SECINITSID_KERNEL 1
62#define SECINITSID_SECURITY 2
63#define SECINITSID_UNLABELED 3
64#define SECINITSID_FS 4
65#define SECINITSID_FILE 5
66#define SECINITSID_FILE_LABELS 6
67#define SECINITSID_INIT 7
68#define SECINITSID_ANY_SOCKET 8
69#define SECINITSID_PORT 9
70#define SECINITSID_NETIF 10
71#define SECINITSID_NETMSG 11
72#define SECINITSID_NODE 12
73#define SECINITSID_IGMP_PACKET 13
74#define SECINITSID_ICMP_SOCKET 14
75#define SECINITSID_TCP_SOCKET 15
76#define SECINITSID_SYSCTL_MODPROBE 16
77#define SECINITSID_SYSCTL 17
78#define SECINITSID_SYSCTL_FS 18
79#define SECINITSID_SYSCTL_KERNEL 19
80#define SECINITSID_SYSCTL_NET 20
81#define SECINITSID_SYSCTL_NET_UNIX 21
82#define SECINITSID_SYSCTL_VM 22
83#define SECINITSID_SYSCTL_DEV 23
84#define SECINITSID_KMOD 24
85#define SECINITSID_POLICY 25
86#define SECINITSID_SCMP_PACKET 26
87#define SECINITSID_DEVNULL 27
88
89#define SECINITSID_NUM 27
90
91#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b3..1f7c2491d3dc 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -57,7 +57,6 @@
57struct netlbl_lsm_secattr; 57struct netlbl_lsm_secattr;
58 58
59extern int selinux_enabled; 59extern int selinux_enabled;
60extern int selinux_mls_enabled;
61 60
62/* Policy capabilities */ 61/* Policy capabilities */
63enum { 62enum {
@@ -80,6 +79,8 @@ extern int selinux_policycap_openperm;
80/* limitation of boundary depth */ 79/* limitation of boundary depth */
81#define POLICYDB_BOUNDS_MAXDEPTH 4 80#define POLICYDB_BOUNDS_MAXDEPTH 4
82 81
82int security_mls_enabled(void);
83
83int security_load_policy(void *data, size_t len); 84int security_load_policy(void *data, size_t len);
84 85
85int security_policycap_supported(unsigned int req_cap); 86int security_policycap_supported(unsigned int req_cap);
@@ -96,12 +97,17 @@ struct av_decision {
96/* definitions of av_decision.flags */ 97/* definitions of av_decision.flags */
97#define AVD_FLAGS_PERMISSIVE 0x0001 98#define AVD_FLAGS_PERMISSIVE 0x0001
98 99
99int security_compute_av(u32 ssid, u32 tsid, 100void security_compute_av(u32 ssid, u32 tsid,
100 u16 tclass, u32 requested, 101 u16 tclass, struct av_decision *avd);
101 struct av_decision *avd); 102
103void security_compute_av_user(u32 ssid, u32 tsid,
104 u16 tclass, struct av_decision *avd);
102 105
103int security_transition_sid(u32 ssid, u32 tsid, 106int security_transition_sid(u32 ssid, u32 tsid,
104 u16 tclass, u32 *out_sid); 107 u16 tclass, u32 *out_sid);
108
109int security_transition_sid_user(u32 ssid, u32 tsid,
110 u16 tclass, u32 *out_sid);
105 111
106int security_member_sid(u32 ssid, u32 tsid, 112int security_member_sid(u32 ssid, u32 tsid,
107 u16 tclass, u32 *out_sid); 113 u16 tclass, u32 *out_sid);
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index e68823741ad5..2534400317c5 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -204,7 +204,7 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
204 * 204 *
205 * Description 205 * Description
206 * Call the NetLabel mechanism to set the label of a packet using @sid. 206 * Call the NetLabel mechanism to set the label of a packet using @sid.
207 * Returns zero on auccess, negative values on failure. 207 * Returns zero on success, negative values on failure.
208 * 208 *
209 */ 209 */
210int selinux_netlbl_skbuff_setsid(struct sk_buff *skb, 210int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b4fc506e7a87..cd191bbec03c 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -282,7 +282,8 @@ static ssize_t sel_read_mls(struct file *filp, char __user *buf,
282 char tmpbuf[TMPBUFLEN]; 282 char tmpbuf[TMPBUFLEN];
283 ssize_t length; 283 ssize_t length;
284 284
285 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled); 285 length = scnprintf(tmpbuf, TMPBUFLEN, "%d",
286 security_mls_enabled());
286 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 287 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
287} 288}
288 289
@@ -494,7 +495,6 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
494 char *scon, *tcon; 495 char *scon, *tcon;
495 u32 ssid, tsid; 496 u32 ssid, tsid;
496 u16 tclass; 497 u16 tclass;
497 u32 req;
498 struct av_decision avd; 498 struct av_decision avd;
499 ssize_t length; 499 ssize_t length;
500 500
@@ -512,7 +512,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
512 goto out; 512 goto out;
513 513
514 length = -EINVAL; 514 length = -EINVAL;
515 if (sscanf(buf, "%s %s %hu %x", scon, tcon, &tclass, &req) != 4) 515 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
516 goto out2; 516 goto out2;
517 517
518 length = security_context_to_sid(scon, strlen(scon)+1, &ssid); 518 length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
@@ -522,9 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
522 if (length < 0) 522 if (length < 0)
523 goto out2; 523 goto out2;
524 524
525 length = security_compute_av(ssid, tsid, tclass, req, &avd); 525 security_compute_av_user(ssid, tsid, tclass, &avd);
526 if (length < 0)
527 goto out2;
528 526
529 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 527 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
530 "%x %x %x %x %u %x", 528 "%x %x %x %x %u %x",
@@ -571,7 +569,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
571 if (length < 0) 569 if (length < 0)
572 goto out2; 570 goto out2;
573 571
574 length = security_transition_sid(ssid, tsid, tclass, &newsid); 572 length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
575 if (length < 0) 573 if (length < 0)
576 goto out2; 574 goto out2;
577 575
@@ -979,6 +977,8 @@ static int sel_make_bools(void)
979 u32 sid; 977 u32 sid;
980 978
981 /* remove any existing files */ 979 /* remove any existing files */
980 for (i = 0; i < bool_num; i++)
981 kfree(bool_pending_names[i]);
982 kfree(bool_pending_names); 982 kfree(bool_pending_names);
983 kfree(bool_pending_values); 983 kfree(bool_pending_values);
984 bool_pending_names = NULL; 984 bool_pending_names = NULL;
diff --git a/security/selinux/ss/Makefile b/security/selinux/ss/Makefile
index bad78779b9b0..15d4e62917de 100644
--- a/security/selinux/ss/Makefile
+++ b/security/selinux/ss/Makefile
@@ -2,7 +2,7 @@
2# Makefile for building the SELinux security server as part of the kernel tree. 2# Makefile for building the SELinux security server as part of the kernel tree.
3# 3#
4 4
5EXTRA_CFLAGS += -Isecurity/selinux/include 5EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
6obj-y := ss.o 6obj-y := ss.o
7 7
8ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o 8ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
diff --git a/security/selinux/ss/context.h b/security/selinux/ss/context.h
index d9dd7a2f6a8a..45e8fb0515f8 100644
--- a/security/selinux/ss/context.h
+++ b/security/selinux/ss/context.h
@@ -41,9 +41,6 @@ static inline int mls_context_cpy(struct context *dst, struct context *src)
41{ 41{
42 int rc; 42 int rc;
43 43
44 if (!selinux_mls_enabled)
45 return 0;
46
47 dst->range.level[0].sens = src->range.level[0].sens; 44 dst->range.level[0].sens = src->range.level[0].sens;
48 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); 45 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
49 if (rc) 46 if (rc)
@@ -64,9 +61,6 @@ static inline int mls_context_cpy_low(struct context *dst, struct context *src)
64{ 61{
65 int rc; 62 int rc;
66 63
67 if (!selinux_mls_enabled)
68 return 0;
69
70 dst->range.level[0].sens = src->range.level[0].sens; 64 dst->range.level[0].sens = src->range.level[0].sens;
71 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat); 65 rc = ebitmap_cpy(&dst->range.level[0].cat, &src->range.level[0].cat);
72 if (rc) 66 if (rc)
@@ -82,9 +76,6 @@ out:
82 76
83static inline int mls_context_cmp(struct context *c1, struct context *c2) 77static inline int mls_context_cmp(struct context *c1, struct context *c2)
84{ 78{
85 if (!selinux_mls_enabled)
86 return 1;
87
88 return ((c1->range.level[0].sens == c2->range.level[0].sens) && 79 return ((c1->range.level[0].sens == c2->range.level[0].sens) &&
89 ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) && 80 ebitmap_cmp(&c1->range.level[0].cat, &c2->range.level[0].cat) &&
90 (c1->range.level[1].sens == c2->range.level[1].sens) && 81 (c1->range.level[1].sens == c2->range.level[1].sens) &&
@@ -93,9 +84,6 @@ static inline int mls_context_cmp(struct context *c1, struct context *c2)
93 84
94static inline void mls_context_destroy(struct context *c) 85static inline void mls_context_destroy(struct context *c)
95{ 86{
96 if (!selinux_mls_enabled)
97 return;
98
99 ebitmap_destroy(&c->range.level[0].cat); 87 ebitmap_destroy(&c->range.level[0].cat);
100 ebitmap_destroy(&c->range.level[1].cat); 88 ebitmap_destroy(&c->range.level[1].cat);
101 mls_context_init(c); 89 mls_context_init(c);
diff --git a/security/selinux/ss/ebitmap.c b/security/selinux/ss/ebitmap.c
index 68c7348d1acc..04b6145d767f 100644
--- a/security/selinux/ss/ebitmap.c
+++ b/security/selinux/ss/ebitmap.c
@@ -128,7 +128,7 @@ int ebitmap_netlbl_export(struct ebitmap *ebmap,
128 cmap_idx = delta / NETLBL_CATMAP_MAPSIZE; 128 cmap_idx = delta / NETLBL_CATMAP_MAPSIZE;
129 cmap_sft = delta % NETLBL_CATMAP_MAPSIZE; 129 cmap_sft = delta % NETLBL_CATMAP_MAPSIZE;
130 c_iter->bitmap[cmap_idx] 130 c_iter->bitmap[cmap_idx]
131 |= e_iter->maps[cmap_idx] << cmap_sft; 131 |= e_iter->maps[i] << cmap_sft;
132 } 132 }
133 e_iter = e_iter->next; 133 e_iter = e_iter->next;
134 } 134 }
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b5407f16c2a4..372b773f8210 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -39,7 +39,7 @@ int mls_compute_context_len(struct context *context)
39 struct ebitmap *e; 39 struct ebitmap *e;
40 struct ebitmap_node *node; 40 struct ebitmap_node *node;
41 41
42 if (!selinux_mls_enabled) 42 if (!policydb.mls_enabled)
43 return 0; 43 return 0;
44 44
45 len = 1; /* for the beginning ":" */ 45 len = 1; /* for the beginning ":" */
@@ -93,7 +93,7 @@ void mls_sid_to_context(struct context *context,
93 struct ebitmap *e; 93 struct ebitmap *e;
94 struct ebitmap_node *node; 94 struct ebitmap_node *node;
95 95
96 if (!selinux_mls_enabled) 96 if (!policydb.mls_enabled)
97 return; 97 return;
98 98
99 scontextp = *scontext; 99 scontextp = *scontext;
@@ -200,7 +200,7 @@ int mls_context_isvalid(struct policydb *p, struct context *c)
200{ 200{
201 struct user_datum *usrdatum; 201 struct user_datum *usrdatum;
202 202
203 if (!selinux_mls_enabled) 203 if (!p->mls_enabled)
204 return 1; 204 return 1;
205 205
206 if (!mls_range_isvalid(p, &c->range)) 206 if (!mls_range_isvalid(p, &c->range))
@@ -253,7 +253,7 @@ int mls_context_to_sid(struct policydb *pol,
253 struct cat_datum *catdatum, *rngdatum; 253 struct cat_datum *catdatum, *rngdatum;
254 int l, rc = -EINVAL; 254 int l, rc = -EINVAL;
255 255
256 if (!selinux_mls_enabled) { 256 if (!pol->mls_enabled) {
257 if (def_sid != SECSID_NULL && oldc) 257 if (def_sid != SECSID_NULL && oldc)
258 *scontext += strlen(*scontext)+1; 258 *scontext += strlen(*scontext)+1;
259 return 0; 259 return 0;
@@ -387,7 +387,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
387 char *tmpstr, *freestr; 387 char *tmpstr, *freestr;
388 int rc; 388 int rc;
389 389
390 if (!selinux_mls_enabled) 390 if (!policydb.mls_enabled)
391 return -EINVAL; 391 return -EINVAL;
392 392
393 /* we need freestr because mls_context_to_sid will change 393 /* we need freestr because mls_context_to_sid will change
@@ -407,7 +407,7 @@ int mls_from_string(char *str, struct context *context, gfp_t gfp_mask)
407/* 407/*
408 * Copies the MLS range `range' into `context'. 408 * Copies the MLS range `range' into `context'.
409 */ 409 */
410static inline int mls_range_set(struct context *context, 410int mls_range_set(struct context *context,
411 struct mls_range *range) 411 struct mls_range *range)
412{ 412{
413 int l, rc = 0; 413 int l, rc = 0;
@@ -427,7 +427,7 @@ static inline int mls_range_set(struct context *context,
427int mls_setup_user_range(struct context *fromcon, struct user_datum *user, 427int mls_setup_user_range(struct context *fromcon, struct user_datum *user,
428 struct context *usercon) 428 struct context *usercon)
429{ 429{
430 if (selinux_mls_enabled) { 430 if (policydb.mls_enabled) {
431 struct mls_level *fromcon_sen = &(fromcon->range.level[0]); 431 struct mls_level *fromcon_sen = &(fromcon->range.level[0]);
432 struct mls_level *fromcon_clr = &(fromcon->range.level[1]); 432 struct mls_level *fromcon_clr = &(fromcon->range.level[1]);
433 struct mls_level *user_low = &(user->range.level[0]); 433 struct mls_level *user_low = &(user->range.level[0]);
@@ -477,7 +477,7 @@ int mls_convert_context(struct policydb *oldp,
477 struct ebitmap_node *node; 477 struct ebitmap_node *node;
478 int l, i; 478 int l, i;
479 479
480 if (!selinux_mls_enabled) 480 if (!policydb.mls_enabled)
481 return 0; 481 return 0;
482 482
483 for (l = 0; l < 2; l++) { 483 for (l = 0; l < 2; l++) {
@@ -513,26 +513,24 @@ int mls_compute_sid(struct context *scontext,
513 u32 specified, 513 u32 specified,
514 struct context *newcontext) 514 struct context *newcontext)
515{ 515{
516 struct range_trans *rtr; 516 struct range_trans rtr;
517 struct mls_range *r;
517 518
518 if (!selinux_mls_enabled) 519 if (!policydb.mls_enabled)
519 return 0; 520 return 0;
520 521
521 switch (specified) { 522 switch (specified) {
522 case AVTAB_TRANSITION: 523 case AVTAB_TRANSITION:
523 /* Look for a range transition rule. */ 524 /* Look for a range transition rule. */
524 for (rtr = policydb.range_tr; rtr; rtr = rtr->next) { 525 rtr.source_type = scontext->type;
525 if (rtr->source_type == scontext->type && 526 rtr.target_type = tcontext->type;
526 rtr->target_type == tcontext->type && 527 rtr.target_class = tclass;
527 rtr->target_class == tclass) { 528 r = hashtab_search(policydb.range_tr, &rtr);
528 /* Set the range from the rule */ 529 if (r)
529 return mls_range_set(newcontext, 530 return mls_range_set(newcontext, r);
530 &rtr->target_range);
531 }
532 }
533 /* Fallthrough */ 531 /* Fallthrough */
534 case AVTAB_CHANGE: 532 case AVTAB_CHANGE:
535 if (tclass == SECCLASS_PROCESS) 533 if (tclass == policydb.process_class)
536 /* Use the process MLS attributes. */ 534 /* Use the process MLS attributes. */
537 return mls_context_cpy(newcontext, scontext); 535 return mls_context_cpy(newcontext, scontext);
538 else 536 else
@@ -541,8 +539,8 @@ int mls_compute_sid(struct context *scontext,
541 case AVTAB_MEMBER: 539 case AVTAB_MEMBER:
542 /* Use the process effective MLS attributes. */ 540 /* Use the process effective MLS attributes. */
543 return mls_context_cpy_low(newcontext, scontext); 541 return mls_context_cpy_low(newcontext, scontext);
544 default: 542
545 return -EINVAL; 543 /* fall through */
546 } 544 }
547 return -EINVAL; 545 return -EINVAL;
548} 546}
@@ -561,7 +559,7 @@ int mls_compute_sid(struct context *scontext,
561void mls_export_netlbl_lvl(struct context *context, 559void mls_export_netlbl_lvl(struct context *context,
562 struct netlbl_lsm_secattr *secattr) 560 struct netlbl_lsm_secattr *secattr)
563{ 561{
564 if (!selinux_mls_enabled) 562 if (!policydb.mls_enabled)
565 return; 563 return;
566 564
567 secattr->attr.mls.lvl = context->range.level[0].sens - 1; 565 secattr->attr.mls.lvl = context->range.level[0].sens - 1;
@@ -581,7 +579,7 @@ void mls_export_netlbl_lvl(struct context *context,
581void mls_import_netlbl_lvl(struct context *context, 579void mls_import_netlbl_lvl(struct context *context,
582 struct netlbl_lsm_secattr *secattr) 580 struct netlbl_lsm_secattr *secattr)
583{ 581{
584 if (!selinux_mls_enabled) 582 if (!policydb.mls_enabled)
585 return; 583 return;
586 584
587 context->range.level[0].sens = secattr->attr.mls.lvl + 1; 585 context->range.level[0].sens = secattr->attr.mls.lvl + 1;
@@ -603,7 +601,7 @@ int mls_export_netlbl_cat(struct context *context,
603{ 601{
604 int rc; 602 int rc;
605 603
606 if (!selinux_mls_enabled) 604 if (!policydb.mls_enabled)
607 return 0; 605 return 0;
608 606
609 rc = ebitmap_netlbl_export(&context->range.level[0].cat, 607 rc = ebitmap_netlbl_export(&context->range.level[0].cat,
@@ -631,7 +629,7 @@ int mls_import_netlbl_cat(struct context *context,
631{ 629{
632 int rc; 630 int rc;
633 631
634 if (!selinux_mls_enabled) 632 if (!policydb.mls_enabled)
635 return 0; 633 return 0;
636 634
637 rc = ebitmap_netlbl_import(&context->range.level[0].cat, 635 rc = ebitmap_netlbl_import(&context->range.level[0].cat,
diff --git a/security/selinux/ss/mls.h b/security/selinux/ss/mls.h
index 1276715aaa8b..cd9152632e54 100644
--- a/security/selinux/ss/mls.h
+++ b/security/selinux/ss/mls.h
@@ -39,6 +39,8 @@ int mls_context_to_sid(struct policydb *p,
39 39
40int mls_from_string(char *str, struct context *context, gfp_t gfp_mask); 40int mls_from_string(char *str, struct context *context, gfp_t gfp_mask);
41 41
42int mls_range_set(struct context *context, struct mls_range *range);
43
42int mls_convert_context(struct policydb *oldp, 44int mls_convert_context(struct policydb *oldp,
43 struct policydb *newp, 45 struct policydb *newp,
44 struct context *context); 46 struct context *context);
diff --git a/security/selinux/ss/mls_types.h b/security/selinux/ss/mls_types.h
index b6e943a21061..03bed52a8052 100644
--- a/security/selinux/ss/mls_types.h
+++ b/security/selinux/ss/mls_types.h
@@ -15,6 +15,7 @@
15#define _SS_MLS_TYPES_H_ 15#define _SS_MLS_TYPES_H_
16 16
17#include "security.h" 17#include "security.h"
18#include "ebitmap.h"
18 19
19struct mls_level { 20struct mls_level {
20 u32 sens; /* sensitivity */ 21 u32 sens; /* sensitivity */
@@ -27,18 +28,12 @@ struct mls_range {
27 28
28static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2) 29static inline int mls_level_eq(struct mls_level *l1, struct mls_level *l2)
29{ 30{
30 if (!selinux_mls_enabled)
31 return 1;
32
33 return ((l1->sens == l2->sens) && 31 return ((l1->sens == l2->sens) &&
34 ebitmap_cmp(&l1->cat, &l2->cat)); 32 ebitmap_cmp(&l1->cat, &l2->cat));
35} 33}
36 34
37static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2) 35static inline int mls_level_dom(struct mls_level *l1, struct mls_level *l2)
38{ 36{
39 if (!selinux_mls_enabled)
40 return 1;
41
42 return ((l1->sens >= l2->sens) && 37 return ((l1->sens >= l2->sens) &&
43 ebitmap_contains(&l1->cat, &l2->cat)); 38 ebitmap_contains(&l1->cat, &l2->cat));
44} 39}
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54973aa..23c6e53c102c 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -52,8 +52,6 @@ static char *symtab_name[SYM_NUM] = {
52}; 52};
53#endif 53#endif
54 54
55int selinux_mls_enabled;
56
57static unsigned int symtab_sizes[SYM_NUM] = { 55static unsigned int symtab_sizes[SYM_NUM] = {
58 2, 56 2,
59 32, 57 32,
@@ -177,6 +175,21 @@ out_free_role:
177 goto out; 175 goto out;
178} 176}
179 177
178static u32 rangetr_hash(struct hashtab *h, const void *k)
179{
180 const struct range_trans *key = k;
181 return (key->source_type + (key->target_type << 3) +
182 (key->target_class << 5)) & (h->size - 1);
183}
184
185static int rangetr_cmp(struct hashtab *h, const void *k1, const void *k2)
186{
187 const struct range_trans *key1 = k1, *key2 = k2;
188 return (key1->source_type != key2->source_type ||
189 key1->target_type != key2->target_type ||
190 key1->target_class != key2->target_class);
191}
192
180/* 193/*
181 * Initialize a policy database structure. 194 * Initialize a policy database structure.
182 */ 195 */
@@ -204,6 +217,10 @@ static int policydb_init(struct policydb *p)
204 if (rc) 217 if (rc)
205 goto out_free_symtab; 218 goto out_free_symtab;
206 219
220 p->range_tr = hashtab_create(rangetr_hash, rangetr_cmp, 256);
221 if (!p->range_tr)
222 goto out_free_symtab;
223
207 ebitmap_init(&p->policycaps); 224 ebitmap_init(&p->policycaps);
208 ebitmap_init(&p->permissive_map); 225 ebitmap_init(&p->permissive_map);
209 226
@@ -408,6 +425,20 @@ static void symtab_hash_eval(struct symtab *s)
408 info.slots_used, h->size, info.max_chain_len); 425 info.slots_used, h->size, info.max_chain_len);
409 } 426 }
410} 427}
428
429static void rangetr_hash_eval(struct hashtab *h)
430{
431 struct hashtab_info info;
432
433 hashtab_stat(h, &info);
434 printk(KERN_DEBUG "SELinux: rangetr: %d entries and %d/%d buckets used, "
435 "longest chain length %d\n", h->nel,
436 info.slots_used, h->size, info.max_chain_len);
437}
438#else
439static inline void rangetr_hash_eval(struct hashtab *h)
440{
441}
411#endif 442#endif
412 443
413/* 444/*
@@ -422,7 +453,7 @@ static int policydb_index_others(struct policydb *p)
422 453
423 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools", 454 printk(KERN_DEBUG "SELinux: %d users, %d roles, %d types, %d bools",
424 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); 455 p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
425 if (selinux_mls_enabled) 456 if (p->mls_enabled)
426 printk(", %d sens, %d cats", p->p_levels.nprim, 457 printk(", %d sens, %d cats", p->p_levels.nprim,
427 p->p_cats.nprim); 458 p->p_cats.nprim);
428 printk("\n"); 459 printk("\n");
@@ -612,6 +643,17 @@ static int (*destroy_f[SYM_NUM]) (void *key, void *datum, void *datap) =
612 cat_destroy, 643 cat_destroy,
613}; 644};
614 645
646static int range_tr_destroy(void *key, void *datum, void *p)
647{
648 struct mls_range *rt = datum;
649 kfree(key);
650 ebitmap_destroy(&rt->level[0].cat);
651 ebitmap_destroy(&rt->level[1].cat);
652 kfree(datum);
653 cond_resched();
654 return 0;
655}
656
615static void ocontext_destroy(struct ocontext *c, int i) 657static void ocontext_destroy(struct ocontext *c, int i)
616{ 658{
617 context_destroy(&c->context[0]); 659 context_destroy(&c->context[0]);
@@ -632,7 +674,6 @@ void policydb_destroy(struct policydb *p)
632 int i; 674 int i;
633 struct role_allow *ra, *lra = NULL; 675 struct role_allow *ra, *lra = NULL;
634 struct role_trans *tr, *ltr = NULL; 676 struct role_trans *tr, *ltr = NULL;
635 struct range_trans *rt, *lrt = NULL;
636 677
637 for (i = 0; i < SYM_NUM; i++) { 678 for (i = 0; i < SYM_NUM; i++) {
638 cond_resched(); 679 cond_resched();
@@ -693,27 +734,14 @@ void policydb_destroy(struct policydb *p)
693 } 734 }
694 kfree(lra); 735 kfree(lra);
695 736
696 for (rt = p->range_tr; rt; rt = rt->next) { 737 hashtab_map(p->range_tr, range_tr_destroy, NULL);
697 cond_resched(); 738 hashtab_destroy(p->range_tr);
698 if (lrt) {
699 ebitmap_destroy(&lrt->target_range.level[0].cat);
700 ebitmap_destroy(&lrt->target_range.level[1].cat);
701 kfree(lrt);
702 }
703 lrt = rt;
704 }
705 if (lrt) {
706 ebitmap_destroy(&lrt->target_range.level[0].cat);
707 ebitmap_destroy(&lrt->target_range.level[1].cat);
708 kfree(lrt);
709 }
710 739
711 if (p->type_attr_map) { 740 if (p->type_attr_map) {
712 for (i = 0; i < p->p_types.nprim; i++) 741 for (i = 0; i < p->p_types.nprim; i++)
713 ebitmap_destroy(&p->type_attr_map[i]); 742 ebitmap_destroy(&p->type_attr_map[i]);
714 } 743 }
715 kfree(p->type_attr_map); 744 kfree(p->type_attr_map);
716 kfree(p->undefined_perms);
717 ebitmap_destroy(&p->policycaps); 745 ebitmap_destroy(&p->policycaps);
718 ebitmap_destroy(&p->permissive_map); 746 ebitmap_destroy(&p->permissive_map);
719 747
@@ -1640,6 +1668,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
1640 1668
1641extern int ss_initialized; 1669extern int ss_initialized;
1642 1670
1671u16 string_to_security_class(struct policydb *p, const char *name)
1672{
1673 struct class_datum *cladatum;
1674
1675 cladatum = hashtab_search(p->p_classes.table, name);
1676 if (!cladatum)
1677 return 0;
1678
1679 return cladatum->value;
1680}
1681
1682u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
1683{
1684 struct class_datum *cladatum;
1685 struct perm_datum *perdatum = NULL;
1686 struct common_datum *comdatum;
1687
1688 if (!tclass || tclass > p->p_classes.nprim)
1689 return 0;
1690
1691 cladatum = p->class_val_to_struct[tclass-1];
1692 comdatum = cladatum->comdatum;
1693 if (comdatum)
1694 perdatum = hashtab_search(comdatum->permissions.table,
1695 name);
1696 if (!perdatum)
1697 perdatum = hashtab_search(cladatum->permissions.table,
1698 name);
1699 if (!perdatum)
1700 return 0;
1701
1702 return 1U << (perdatum->value-1);
1703}
1704
1643/* 1705/*
1644 * Read the configuration data from a policy database binary 1706 * Read the configuration data from a policy database binary
1645 * representation file into a policy database structure. 1707 * representation file into a policy database structure.
@@ -1653,12 +1715,11 @@ int policydb_read(struct policydb *p, void *fp)
1653 int i, j, rc; 1715 int i, j, rc;
1654 __le32 buf[4]; 1716 __le32 buf[4];
1655 u32 nodebuf[8]; 1717 u32 nodebuf[8];
1656 u32 len, len2, config, nprim, nel, nel2; 1718 u32 len, len2, nprim, nel, nel2;
1657 char *policydb_str; 1719 char *policydb_str;
1658 struct policydb_compat_info *info; 1720 struct policydb_compat_info *info;
1659 struct range_trans *rt, *lrt; 1721 struct range_trans *rt;
1660 1722 struct mls_range *r;
1661 config = 0;
1662 1723
1663 rc = policydb_init(p); 1724 rc = policydb_init(p);
1664 if (rc) 1725 if (rc)
@@ -1707,7 +1768,7 @@ int policydb_read(struct policydb *p, void *fp)
1707 kfree(policydb_str); 1768 kfree(policydb_str);
1708 policydb_str = NULL; 1769 policydb_str = NULL;
1709 1770
1710 /* Read the version, config, and table sizes. */ 1771 /* Read the version and table sizes. */
1711 rc = next_entry(buf, fp, sizeof(u32)*4); 1772 rc = next_entry(buf, fp, sizeof(u32)*4);
1712 if (rc < 0) 1773 if (rc < 0)
1713 goto bad; 1774 goto bad;
@@ -1722,13 +1783,7 @@ int policydb_read(struct policydb *p, void *fp)
1722 } 1783 }
1723 1784
1724 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) { 1785 if ((le32_to_cpu(buf[1]) & POLICYDB_CONFIG_MLS)) {
1725 if (ss_initialized && !selinux_mls_enabled) { 1786 p->mls_enabled = 1;
1726 printk(KERN_ERR "SELinux: Cannot switch between non-MLS"
1727 " and MLS policies\n");
1728 goto bad;
1729 }
1730 selinux_mls_enabled = 1;
1731 config |= POLICYDB_CONFIG_MLS;
1732 1787
1733 if (p->policyvers < POLICYDB_VERSION_MLS) { 1788 if (p->policyvers < POLICYDB_VERSION_MLS) {
1734 printk(KERN_ERR "SELinux: security policydb version %d " 1789 printk(KERN_ERR "SELinux: security policydb version %d "
@@ -1736,12 +1791,6 @@ int policydb_read(struct policydb *p, void *fp)
1736 p->policyvers); 1791 p->policyvers);
1737 goto bad; 1792 goto bad;
1738 } 1793 }
1739 } else {
1740 if (ss_initialized && selinux_mls_enabled) {
1741 printk(KERN_ERR "SELinux: Cannot switch between MLS and"
1742 " non-MLS policies\n");
1743 goto bad;
1744 }
1745 } 1794 }
1746 p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN); 1795 p->reject_unknown = !!(le32_to_cpu(buf[1]) & REJECT_UNKNOWN);
1747 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN); 1796 p->allow_unknown = !!(le32_to_cpu(buf[1]) & ALLOW_UNKNOWN);
@@ -1861,6 +1910,16 @@ int policydb_read(struct policydb *p, void *fp)
1861 if (rc) 1910 if (rc)
1862 goto bad; 1911 goto bad;
1863 1912
1913 p->process_class = string_to_security_class(p, "process");
1914 if (!p->process_class)
1915 goto bad;
1916 p->process_trans_perms = string_to_av_perm(p, p->process_class,
1917 "transition");
1918 p->process_trans_perms |= string_to_av_perm(p, p->process_class,
1919 "dyntransition");
1920 if (!p->process_trans_perms)
1921 goto bad;
1922
1864 for (i = 0; i < info->ocon_num; i++) { 1923 for (i = 0; i < info->ocon_num; i++) {
1865 rc = next_entry(buf, fp, sizeof(u32)); 1924 rc = next_entry(buf, fp, sizeof(u32));
1866 if (rc < 0) 1925 if (rc < 0)
@@ -2079,44 +2138,61 @@ int policydb_read(struct policydb *p, void *fp)
2079 if (rc < 0) 2138 if (rc < 0)
2080 goto bad; 2139 goto bad;
2081 nel = le32_to_cpu(buf[0]); 2140 nel = le32_to_cpu(buf[0]);
2082 lrt = NULL;
2083 for (i = 0; i < nel; i++) { 2141 for (i = 0; i < nel; i++) {
2084 rt = kzalloc(sizeof(*rt), GFP_KERNEL); 2142 rt = kzalloc(sizeof(*rt), GFP_KERNEL);
2085 if (!rt) { 2143 if (!rt) {
2086 rc = -ENOMEM; 2144 rc = -ENOMEM;
2087 goto bad; 2145 goto bad;
2088 } 2146 }
2089 if (lrt)
2090 lrt->next = rt;
2091 else
2092 p->range_tr = rt;
2093 rc = next_entry(buf, fp, (sizeof(u32) * 2)); 2147 rc = next_entry(buf, fp, (sizeof(u32) * 2));
2094 if (rc < 0) 2148 if (rc < 0) {
2149 kfree(rt);
2095 goto bad; 2150 goto bad;
2151 }
2096 rt->source_type = le32_to_cpu(buf[0]); 2152 rt->source_type = le32_to_cpu(buf[0]);
2097 rt->target_type = le32_to_cpu(buf[1]); 2153 rt->target_type = le32_to_cpu(buf[1]);
2098 if (new_rangetr) { 2154 if (new_rangetr) {
2099 rc = next_entry(buf, fp, sizeof(u32)); 2155 rc = next_entry(buf, fp, sizeof(u32));
2100 if (rc < 0) 2156 if (rc < 0) {
2157 kfree(rt);
2101 goto bad; 2158 goto bad;
2159 }
2102 rt->target_class = le32_to_cpu(buf[0]); 2160 rt->target_class = le32_to_cpu(buf[0]);
2103 } else 2161 } else
2104 rt->target_class = SECCLASS_PROCESS; 2162 rt->target_class = p->process_class;
2105 if (!policydb_type_isvalid(p, rt->source_type) || 2163 if (!policydb_type_isvalid(p, rt->source_type) ||
2106 !policydb_type_isvalid(p, rt->target_type) || 2164 !policydb_type_isvalid(p, rt->target_type) ||
2107 !policydb_class_isvalid(p, rt->target_class)) { 2165 !policydb_class_isvalid(p, rt->target_class)) {
2166 kfree(rt);
2108 rc = -EINVAL; 2167 rc = -EINVAL;
2109 goto bad; 2168 goto bad;
2110 } 2169 }
2111 rc = mls_read_range_helper(&rt->target_range, fp); 2170 r = kzalloc(sizeof(*r), GFP_KERNEL);
2112 if (rc) 2171 if (!r) {
2172 kfree(rt);
2173 rc = -ENOMEM;
2174 goto bad;
2175 }
2176 rc = mls_read_range_helper(r, fp);
2177 if (rc) {
2178 kfree(rt);
2179 kfree(r);
2113 goto bad; 2180 goto bad;
2114 if (!mls_range_isvalid(p, &rt->target_range)) { 2181 }
2182 if (!mls_range_isvalid(p, r)) {
2115 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n"); 2183 printk(KERN_WARNING "SELinux: rangetrans: invalid range\n");
2184 kfree(rt);
2185 kfree(r);
2186 goto bad;
2187 }
2188 rc = hashtab_insert(p->range_tr, rt, r);
2189 if (rc) {
2190 kfree(rt);
2191 kfree(r);
2116 goto bad; 2192 goto bad;
2117 } 2193 }
2118 lrt = rt;
2119 } 2194 }
2195 rangetr_hash_eval(p->range_tr);
2120 } 2196 }
2121 2197
2122 p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL); 2198 p->type_attr_map = kmalloc(p->p_types.nprim*sizeof(struct ebitmap), GFP_KERNEL);
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 55152d498b53..26d9adf8542b 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -27,6 +27,8 @@
27#include "symtab.h" 27#include "symtab.h"
28#include "avtab.h" 28#include "avtab.h"
29#include "sidtab.h" 29#include "sidtab.h"
30#include "ebitmap.h"
31#include "mls_types.h"
30#include "context.h" 32#include "context.h"
31#include "constraint.h" 33#include "constraint.h"
32 34
@@ -113,8 +115,6 @@ struct range_trans {
113 u32 source_type; 115 u32 source_type;
114 u32 target_type; 116 u32 target_type;
115 u32 target_class; 117 u32 target_class;
116 struct mls_range target_range;
117 struct range_trans *next;
118}; 118};
119 119
120/* Boolean data type */ 120/* Boolean data type */
@@ -187,6 +187,8 @@ struct genfs {
187 187
188/* The policy database */ 188/* The policy database */
189struct policydb { 189struct policydb {
190 int mls_enabled;
191
190 /* symbol tables */ 192 /* symbol tables */
191 struct symtab symtab[SYM_NUM]; 193 struct symtab symtab[SYM_NUM];
192#define p_commons symtab[SYM_COMMONS] 194#define p_commons symtab[SYM_COMMONS]
@@ -240,8 +242,8 @@ struct policydb {
240 fixed labeling behavior. */ 242 fixed labeling behavior. */
241 struct genfs *genfs; 243 struct genfs *genfs;
242 244
243 /* range transitions */ 245 /* range transitions table (range_trans_key -> mls_range) */
244 struct range_trans *range_tr; 246 struct hashtab *range_tr;
245 247
246 /* type -> attribute reverse mapping */ 248 /* type -> attribute reverse mapping */
247 struct ebitmap *type_attr_map; 249 struct ebitmap *type_attr_map;
@@ -254,7 +256,9 @@ struct policydb {
254 256
255 unsigned int reject_unknown : 1; 257 unsigned int reject_unknown : 1;
256 unsigned int allow_unknown : 1; 258 unsigned int allow_unknown : 1;
257 u32 *undefined_perms; 259
260 u16 process_class;
261 u32 process_trans_perms;
258}; 262};
259 263
260extern void policydb_destroy(struct policydb *p); 264extern void policydb_destroy(struct policydb *p);
@@ -295,5 +299,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
295 return 0; 299 return 0;
296} 300}
297 301
302extern u16 string_to_security_class(struct policydb *p, const char *name);
303extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
304
298#endif /* _SS_POLICYDB_H_ */ 305#endif /* _SS_POLICYDB_H_ */
299 306
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..cf27b3ee1a95 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -26,6 +26,10 @@
26 * 26 *
27 * Added support for bounds domain and audit messaged on masked permissions 27 * Added support for bounds domain and audit messaged on masked permissions
28 * 28 *
29 * Updated: Guido Trentalancia <guido@trentalancia.com>
30 *
31 * Added support for runtime switching of the policy type
32 *
29 * Copyright (C) 2008, 2009 NEC Corporation 33 * Copyright (C) 2008, 2009 NEC Corporation
30 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P. 34 * Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
31 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc. 35 * Copyright (C) 2004-2006 Trusted Computer Solutions, Inc.
@@ -65,16 +69,10 @@
65#include "audit.h" 69#include "audit.h"
66 70
67extern void selnl_notify_policyload(u32 seqno); 71extern void selnl_notify_policyload(u32 seqno);
68unsigned int policydb_loaded_version;
69 72
70int selinux_policycap_netpeer; 73int selinux_policycap_netpeer;
71int selinux_policycap_openperm; 74int selinux_policycap_openperm;
72 75
73/*
74 * This is declared in avc.c
75 */
76extern const struct selinux_class_perm selinux_class_perm;
77
78static DEFINE_RWLOCK(policy_rwlock); 76static DEFINE_RWLOCK(policy_rwlock);
79 77
80static struct sidtab sidtab; 78static struct sidtab sidtab;
@@ -93,11 +91,156 @@ static u32 latest_granting;
93static int context_struct_to_string(struct context *context, char **scontext, 91static int context_struct_to_string(struct context *context, char **scontext,
94 u32 *scontext_len); 92 u32 *scontext_len);
95 93
96static int context_struct_compute_av(struct context *scontext, 94static void context_struct_compute_av(struct context *scontext,
97 struct context *tcontext, 95 struct context *tcontext,
98 u16 tclass, 96 u16 tclass,
99 u32 requested, 97 struct av_decision *avd);
100 struct av_decision *avd); 98
99struct selinux_mapping {
100 u16 value; /* policy value */
101 unsigned num_perms;
102 u32 perms[sizeof(u32) * 8];
103};
104
105static struct selinux_mapping *current_mapping;
106static u16 current_mapping_size;
107
108static int selinux_set_mapping(struct policydb *pol,
109 struct security_class_mapping *map,
110 struct selinux_mapping **out_map_p,
111 u16 *out_map_size)
112{
113 struct selinux_mapping *out_map = NULL;
114 size_t size = sizeof(struct selinux_mapping);
115 u16 i, j;
116 unsigned k;
117 bool print_unknown_handle = false;
118
119 /* Find number of classes in the input mapping */
120 if (!map)
121 return -EINVAL;
122 i = 0;
123 while (map[i].name)
124 i++;
125
126 /* Allocate space for the class records, plus one for class zero */
127 out_map = kcalloc(++i, size, GFP_ATOMIC);
128 if (!out_map)
129 return -ENOMEM;
130
131 /* Store the raw class and permission values */
132 j = 0;
133 while (map[j].name) {
134 struct security_class_mapping *p_in = map + (j++);
135 struct selinux_mapping *p_out = out_map + j;
136
137 /* An empty class string skips ahead */
138 if (!strcmp(p_in->name, "")) {
139 p_out->num_perms = 0;
140 continue;
141 }
142
143 p_out->value = string_to_security_class(pol, p_in->name);
144 if (!p_out->value) {
145 printk(KERN_INFO
146 "SELinux: Class %s not defined in policy.\n",
147 p_in->name);
148 if (pol->reject_unknown)
149 goto err;
150 p_out->num_perms = 0;
151 print_unknown_handle = true;
152 continue;
153 }
154
155 k = 0;
156 while (p_in->perms && p_in->perms[k]) {
157 /* An empty permission string skips ahead */
158 if (!*p_in->perms[k]) {
159 k++;
160 continue;
161 }
162 p_out->perms[k] = string_to_av_perm(pol, p_out->value,
163 p_in->perms[k]);
164 if (!p_out->perms[k]) {
165 printk(KERN_INFO
166 "SELinux: Permission %s in class %s not defined in policy.\n",
167 p_in->perms[k], p_in->name);
168 if (pol->reject_unknown)
169 goto err;
170 print_unknown_handle = true;
171 }
172
173 k++;
174 }
175 p_out->num_perms = k;
176 }
177
178 if (print_unknown_handle)
179 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
180 pol->allow_unknown ? "allowed" : "denied");
181
182 *out_map_p = out_map;
183 *out_map_size = i;
184 return 0;
185err:
186 kfree(out_map);
187 return -EINVAL;
188}
189
190/*
191 * Get real, policy values from mapped values
192 */
193
194static u16 unmap_class(u16 tclass)
195{
196 if (tclass < current_mapping_size)
197 return current_mapping[tclass].value;
198
199 return tclass;
200}
201
202static void map_decision(u16 tclass, struct av_decision *avd,
203 int allow_unknown)
204{
205 if (tclass < current_mapping_size) {
206 unsigned i, n = current_mapping[tclass].num_perms;
207 u32 result;
208
209 for (i = 0, result = 0; i < n; i++) {
210 if (avd->allowed & current_mapping[tclass].perms[i])
211 result |= 1<<i;
212 if (allow_unknown && !current_mapping[tclass].perms[i])
213 result |= 1<<i;
214 }
215 avd->allowed = result;
216
217 for (i = 0, result = 0; i < n; i++)
218 if (avd->auditallow & current_mapping[tclass].perms[i])
219 result |= 1<<i;
220 avd->auditallow = result;
221
222 for (i = 0, result = 0; i < n; i++) {
223 if (avd->auditdeny & current_mapping[tclass].perms[i])
224 result |= 1<<i;
225 if (!allow_unknown && !current_mapping[tclass].perms[i])
226 result |= 1<<i;
227 }
228 /*
229 * In case the kernel has a bug and requests a permission
230 * between num_perms and the maximum permission number, we
231 * should audit that denial
232 */
233 for (; i < (sizeof(u32)*8); i++)
234 result |= 1<<i;
235 avd->auditdeny = result;
236 }
237}
238
239int security_mls_enabled(void)
240{
241 return policydb.mls_enabled;
242}
243
101/* 244/*
102 * Return the boolean value of a constraint expression 245 * Return the boolean value of a constraint expression
103 * when it is applied to the specified source and target 246 * when it is applied to the specified source and target
@@ -312,7 +455,8 @@ static void security_dump_masked_av(struct context *scontext,
312 char *scontext_name = NULL; 455 char *scontext_name = NULL;
313 char *tcontext_name = NULL; 456 char *tcontext_name = NULL;
314 char *permission_names[32]; 457 char *permission_names[32];
315 int index, length; 458 int index;
459 u32 length;
316 bool need_comma = false; 460 bool need_comma = false;
317 461
318 if (!permissions) 462 if (!permissions)
@@ -379,7 +523,6 @@ out:
379static void type_attribute_bounds_av(struct context *scontext, 523static void type_attribute_bounds_av(struct context *scontext,
380 struct context *tcontext, 524 struct context *tcontext,
381 u16 tclass, 525 u16 tclass,
382 u32 requested,
383 struct av_decision *avd) 526 struct av_decision *avd)
384{ 527{
385 struct context lo_scontext; 528 struct context lo_scontext;
@@ -400,7 +543,6 @@ static void type_attribute_bounds_av(struct context *scontext,
400 context_struct_compute_av(&lo_scontext, 543 context_struct_compute_av(&lo_scontext,
401 tcontext, 544 tcontext,
402 tclass, 545 tclass,
403 requested,
404 &lo_avd); 546 &lo_avd);
405 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 547 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
406 return; /* no masked permission */ 548 return; /* no masked permission */
@@ -416,7 +558,6 @@ static void type_attribute_bounds_av(struct context *scontext,
416 context_struct_compute_av(scontext, 558 context_struct_compute_av(scontext,
417 &lo_tcontext, 559 &lo_tcontext,
418 tclass, 560 tclass,
419 requested,
420 &lo_avd); 561 &lo_avd);
421 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 562 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
422 return; /* no masked permission */ 563 return; /* no masked permission */
@@ -433,7 +574,6 @@ static void type_attribute_bounds_av(struct context *scontext,
433 context_struct_compute_av(&lo_scontext, 574 context_struct_compute_av(&lo_scontext,
434 &lo_tcontext, 575 &lo_tcontext,
435 tclass, 576 tclass,
436 requested,
437 &lo_avd); 577 &lo_avd);
438 if ((lo_avd.allowed & avd->allowed) == avd->allowed) 578 if ((lo_avd.allowed & avd->allowed) == avd->allowed)
439 return; /* no masked permission */ 579 return; /* no masked permission */
@@ -454,11 +594,10 @@ static void type_attribute_bounds_av(struct context *scontext,
454 * Compute access vectors based on a context structure pair for 594 * Compute access vectors based on a context structure pair for
455 * the permissions in a particular class. 595 * the permissions in a particular class.
456 */ 596 */
457static int context_struct_compute_av(struct context *scontext, 597static void context_struct_compute_av(struct context *scontext,
458 struct context *tcontext, 598 struct context *tcontext,
459 u16 tclass, 599 u16 tclass,
460 u32 requested, 600 struct av_decision *avd)
461 struct av_decision *avd)
462{ 601{
463 struct constraint_node *constraint; 602 struct constraint_node *constraint;
464 struct role_allow *ra; 603 struct role_allow *ra;
@@ -467,56 +606,17 @@ static int context_struct_compute_av(struct context *scontext,
467 struct class_datum *tclass_datum; 606 struct class_datum *tclass_datum;
468 struct ebitmap *sattr, *tattr; 607 struct ebitmap *sattr, *tattr;
469 struct ebitmap_node *snode, *tnode; 608 struct ebitmap_node *snode, *tnode;
470 const struct selinux_class_perm *kdefs = &selinux_class_perm;
471 unsigned int i, j; 609 unsigned int i, j;
472 610
473 /*
474 * Remap extended Netlink classes for old policy versions.
475 * Do this here rather than socket_type_to_security_class()
476 * in case a newer policy version is loaded, allowing sockets
477 * to remain in the correct class.
478 */
479 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
480 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
481 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
482 tclass = SECCLASS_NETLINK_SOCKET;
483
484 /*
485 * Initialize the access vectors to the default values.
486 */
487 avd->allowed = 0; 611 avd->allowed = 0;
488 avd->auditallow = 0; 612 avd->auditallow = 0;
489 avd->auditdeny = 0xffffffff; 613 avd->auditdeny = 0xffffffff;
490 avd->seqno = latest_granting;
491 avd->flags = 0;
492 614
493 /* 615 if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
494 * Check for all the invalid cases. 616 if (printk_ratelimit())
495 * - tclass 0 617 printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
496 * - tclass > policy and > kernel 618 return;
497 * - tclass > policy but is a userspace class 619 }
498 * - tclass > policy but we do not allow unknowns
499 */
500 if (unlikely(!tclass))
501 goto inval_class;
502 if (unlikely(tclass > policydb.p_classes.nprim))
503 if (tclass > kdefs->cts_len ||
504 !kdefs->class_to_string[tclass] ||
505 !policydb.allow_unknown)
506 goto inval_class;
507
508 /*
509 * Kernel class and we allow unknown so pad the allow decision
510 * the pad will be all 1 for unknown classes.
511 */
512 if (tclass <= kdefs->cts_len && policydb.allow_unknown)
513 avd->allowed = policydb.undefined_perms[tclass - 1];
514
515 /*
516 * Not in policy. Since decision is completed (all 1 or all 0) return.
517 */
518 if (unlikely(tclass > policydb.p_classes.nprim))
519 return 0;
520 620
521 tclass_datum = policydb.class_val_to_struct[tclass - 1]; 621 tclass_datum = policydb.class_val_to_struct[tclass - 1];
522 622
@@ -568,8 +668,8 @@ static int context_struct_compute_av(struct context *scontext,
568 * role is changing, then check the (current_role, new_role) 668 * role is changing, then check the (current_role, new_role)
569 * pair. 669 * pair.
570 */ 670 */
571 if (tclass == SECCLASS_PROCESS && 671 if (tclass == policydb.process_class &&
572 (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) && 672 (avd->allowed & policydb.process_trans_perms) &&
573 scontext->role != tcontext->role) { 673 scontext->role != tcontext->role) {
574 for (ra = policydb.role_allow; ra; ra = ra->next) { 674 for (ra = policydb.role_allow; ra; ra = ra->next) {
575 if (scontext->role == ra->role && 675 if (scontext->role == ra->role &&
@@ -577,8 +677,7 @@ static int context_struct_compute_av(struct context *scontext,
577 break; 677 break;
578 } 678 }
579 if (!ra) 679 if (!ra)
580 avd->allowed &= ~(PROCESS__TRANSITION | 680 avd->allowed &= ~policydb.process_trans_perms;
581 PROCESS__DYNTRANSITION);
582 } 681 }
583 682
584 /* 683 /*
@@ -587,24 +686,7 @@ static int context_struct_compute_av(struct context *scontext,
587 * permission and notice it to userspace via audit. 686 * permission and notice it to userspace via audit.
588 */ 687 */
589 type_attribute_bounds_av(scontext, tcontext, 688 type_attribute_bounds_av(scontext, tcontext,
590 tclass, requested, avd); 689 tclass, avd);
591
592 return 0;
593
594inval_class:
595 if (!tclass || tclass > kdefs->cts_len ||
596 !kdefs->class_to_string[tclass]) {
597 if (printk_ratelimit())
598 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
599 __func__, tclass);
600 return -EINVAL;
601 }
602
603 /*
604 * Known to the kernel, but not to the policy.
605 * Handle as a denial (allowed is 0).
606 */
607 return 0;
608} 690}
609 691
610static int security_validtrans_handle_fail(struct context *ocontext, 692static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +718,14 @@ out:
636} 718}
637 719
638int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid, 720int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
639 u16 tclass) 721 u16 orig_tclass)
640{ 722{
641 struct context *ocontext; 723 struct context *ocontext;
642 struct context *ncontext; 724 struct context *ncontext;
643 struct context *tcontext; 725 struct context *tcontext;
644 struct class_datum *tclass_datum; 726 struct class_datum *tclass_datum;
645 struct constraint_node *constraint; 727 struct constraint_node *constraint;
728 u16 tclass;
646 int rc = 0; 729 int rc = 0;
647 730
648 if (!ss_initialized) 731 if (!ss_initialized)
@@ -650,16 +733,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
650 733
651 read_lock(&policy_rwlock); 734 read_lock(&policy_rwlock);
652 735
653 /* 736 tclass = unmap_class(orig_tclass);
654 * Remap extended Netlink classes for old policy versions.
655 * Do this here rather than socket_type_to_security_class()
656 * in case a newer policy version is loaded, allowing sockets
657 * to remain in the correct class.
658 */
659 if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
660 if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
661 tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
662 tclass = SECCLASS_NETLINK_SOCKET;
663 737
664 if (!tclass || tclass > policydb.p_classes.nprim) { 738 if (!tclass || tclass > policydb.p_classes.nprim) {
665 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n", 739 printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -741,7 +815,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
741 goto out; 815 goto out;
742 } 816 }
743 817
744 /* type/domain unchaned */ 818 /* type/domain unchanged */
745 if (old_context->type == new_context->type) { 819 if (old_context->type == new_context->type) {
746 rc = 0; 820 rc = 0;
747 goto out; 821 goto out;
@@ -769,7 +843,7 @@ int security_bounded_transition(u32 old_sid, u32 new_sid)
769 if (rc) { 843 if (rc) {
770 char *old_name = NULL; 844 char *old_name = NULL;
771 char *new_name = NULL; 845 char *new_name = NULL;
772 int length; 846 u32 length;
773 847
774 if (!context_struct_to_string(old_context, 848 if (!context_struct_to_string(old_context,
775 &old_name, &length) && 849 &old_name, &length) &&
@@ -791,63 +865,116 @@ out:
791 return rc; 865 return rc;
792} 866}
793 867
868static void avd_init(struct av_decision *avd)
869{
870 avd->allowed = 0;
871 avd->auditallow = 0;
872 avd->auditdeny = 0xffffffff;
873 avd->seqno = latest_granting;
874 avd->flags = 0;
875}
876
794 877
795/** 878/**
796 * security_compute_av - Compute access vector decisions. 879 * security_compute_av - Compute access vector decisions.
797 * @ssid: source security identifier 880 * @ssid: source security identifier
798 * @tsid: target security identifier 881 * @tsid: target security identifier
799 * @tclass: target security class 882 * @tclass: target security class
800 * @requested: requested permissions
801 * @avd: access vector decisions 883 * @avd: access vector decisions
802 * 884 *
803 * Compute a set of access vector decisions based on the 885 * Compute a set of access vector decisions based on the
804 * SID pair (@ssid, @tsid) for the permissions in @tclass. 886 * SID pair (@ssid, @tsid) for the permissions in @tclass.
805 * Return -%EINVAL if any of the parameters are invalid or %0
806 * if the access vector decisions were computed successfully.
807 */ 887 */
808int security_compute_av(u32 ssid, 888void security_compute_av(u32 ssid,
809 u32 tsid, 889 u32 tsid,
810 u16 tclass, 890 u16 orig_tclass,
811 u32 requested, 891 struct av_decision *avd)
812 struct av_decision *avd)
813{ 892{
893 u16 tclass;
814 struct context *scontext = NULL, *tcontext = NULL; 894 struct context *scontext = NULL, *tcontext = NULL;
815 int rc = 0;
816
817 if (!ss_initialized) {
818 avd->allowed = 0xffffffff;
819 avd->auditallow = 0;
820 avd->auditdeny = 0xffffffff;
821 avd->seqno = latest_granting;
822 return 0;
823 }
824 895
825 read_lock(&policy_rwlock); 896 read_lock(&policy_rwlock);
897 avd_init(avd);
898 if (!ss_initialized)
899 goto allow;
826 900
827 scontext = sidtab_search(&sidtab, ssid); 901 scontext = sidtab_search(&sidtab, ssid);
828 if (!scontext) { 902 if (!scontext) {
829 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 903 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
830 __func__, ssid); 904 __func__, ssid);
831 rc = -EINVAL;
832 goto out; 905 goto out;
833 } 906 }
907
908 /* permissive domain? */
909 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
910 avd->flags |= AVD_FLAGS_PERMISSIVE;
911
834 tcontext = sidtab_search(&sidtab, tsid); 912 tcontext = sidtab_search(&sidtab, tsid);
835 if (!tcontext) { 913 if (!tcontext) {
836 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 914 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
837 __func__, tsid); 915 __func__, tsid);
838 rc = -EINVAL;
839 goto out; 916 goto out;
840 } 917 }
841 918
842 rc = context_struct_compute_av(scontext, tcontext, tclass, 919 tclass = unmap_class(orig_tclass);
843 requested, avd); 920 if (unlikely(orig_tclass && !tclass)) {
921 if (policydb.allow_unknown)
922 goto allow;
923 goto out;
924 }
925 context_struct_compute_av(scontext, tcontext, tclass, avd);
926 map_decision(orig_tclass, avd, policydb.allow_unknown);
927out:
928 read_unlock(&policy_rwlock);
929 return;
930allow:
931 avd->allowed = 0xffffffff;
932 goto out;
933}
934
935void security_compute_av_user(u32 ssid,
936 u32 tsid,
937 u16 tclass,
938 struct av_decision *avd)
939{
940 struct context *scontext = NULL, *tcontext = NULL;
941
942 read_lock(&policy_rwlock);
943 avd_init(avd);
944 if (!ss_initialized)
945 goto allow;
946
947 scontext = sidtab_search(&sidtab, ssid);
948 if (!scontext) {
949 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
950 __func__, ssid);
951 goto out;
952 }
844 953
845 /* permissive domain? */ 954 /* permissive domain? */
846 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type)) 955 if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
847 avd->flags |= AVD_FLAGS_PERMISSIVE; 956 avd->flags |= AVD_FLAGS_PERMISSIVE;
848out: 957
958 tcontext = sidtab_search(&sidtab, tsid);
959 if (!tcontext) {
960 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
961 __func__, tsid);
962 goto out;
963 }
964
965 if (unlikely(!tclass)) {
966 if (policydb.allow_unknown)
967 goto allow;
968 goto out;
969 }
970
971 context_struct_compute_av(scontext, tcontext, tclass, avd);
972 out:
849 read_unlock(&policy_rwlock); 973 read_unlock(&policy_rwlock);
850 return rc; 974 return;
975allow:
976 avd->allowed = 0xffffffff;
977 goto out;
851} 978}
852 979
853/* 980/*
@@ -1204,20 +1331,22 @@ out:
1204 1331
1205static int security_compute_sid(u32 ssid, 1332static int security_compute_sid(u32 ssid,
1206 u32 tsid, 1333 u32 tsid,
1207 u16 tclass, 1334 u16 orig_tclass,
1208 u32 specified, 1335 u32 specified,
1209 u32 *out_sid) 1336 u32 *out_sid,
1337 bool kern)
1210{ 1338{
1211 struct context *scontext = NULL, *tcontext = NULL, newcontext; 1339 struct context *scontext = NULL, *tcontext = NULL, newcontext;
1212 struct role_trans *roletr = NULL; 1340 struct role_trans *roletr = NULL;
1213 struct avtab_key avkey; 1341 struct avtab_key avkey;
1214 struct avtab_datum *avdatum; 1342 struct avtab_datum *avdatum;
1215 struct avtab_node *node; 1343 struct avtab_node *node;
1344 u16 tclass;
1216 int rc = 0; 1345 int rc = 0;
1217 1346
1218 if (!ss_initialized) { 1347 if (!ss_initialized) {
1219 switch (tclass) { 1348 switch (orig_tclass) {
1220 case SECCLASS_PROCESS: 1349 case SECCLASS_PROCESS: /* kernel value */
1221 *out_sid = ssid; 1350 *out_sid = ssid;
1222 break; 1351 break;
1223 default: 1352 default:
@@ -1231,6 +1360,11 @@ static int security_compute_sid(u32 ssid,
1231 1360
1232 read_lock(&policy_rwlock); 1361 read_lock(&policy_rwlock);
1233 1362
1363 if (kern)
1364 tclass = unmap_class(orig_tclass);
1365 else
1366 tclass = orig_tclass;
1367
1234 scontext = sidtab_search(&sidtab, ssid); 1368 scontext = sidtab_search(&sidtab, ssid);
1235 if (!scontext) { 1369 if (!scontext) {
1236 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n", 1370 printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1260,13 +1394,11 @@ static int security_compute_sid(u32 ssid,
1260 } 1394 }
1261 1395
1262 /* Set the role and type to default values. */ 1396 /* Set the role and type to default values. */
1263 switch (tclass) { 1397 if (tclass == policydb.process_class) {
1264 case SECCLASS_PROCESS:
1265 /* Use the current role and type of process. */ 1398 /* Use the current role and type of process. */
1266 newcontext.role = scontext->role; 1399 newcontext.role = scontext->role;
1267 newcontext.type = scontext->type; 1400 newcontext.type = scontext->type;
1268 break; 1401 } else {
1269 default:
1270 /* Use the well-defined object role. */ 1402 /* Use the well-defined object role. */
1271 newcontext.role = OBJECT_R_VAL; 1403 newcontext.role = OBJECT_R_VAL;
1272 /* Use the type of the related object. */ 1404 /* Use the type of the related object. */
@@ -1297,8 +1429,7 @@ static int security_compute_sid(u32 ssid,
1297 } 1429 }
1298 1430
1299 /* Check for class-specific changes. */ 1431 /* Check for class-specific changes. */
1300 switch (tclass) { 1432 if (tclass == policydb.process_class) {
1301 case SECCLASS_PROCESS:
1302 if (specified & AVTAB_TRANSITION) { 1433 if (specified & AVTAB_TRANSITION) {
1303 /* Look for a role transition rule. */ 1434 /* Look for a role transition rule. */
1304 for (roletr = policydb.role_tr; roletr; 1435 for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1442,6 @@ static int security_compute_sid(u32 ssid,
1311 } 1442 }
1312 } 1443 }
1313 } 1444 }
1314 break;
1315 default:
1316 break;
1317 } 1445 }
1318 1446
1319 /* Set the MLS attributes. 1447 /* Set the MLS attributes.
@@ -1358,7 +1486,17 @@ int security_transition_sid(u32 ssid,
1358 u16 tclass, 1486 u16 tclass,
1359 u32 *out_sid) 1487 u32 *out_sid)
1360{ 1488{
1361 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid); 1489 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1490 out_sid, true);
1491}
1492
1493int security_transition_sid_user(u32 ssid,
1494 u32 tsid,
1495 u16 tclass,
1496 u32 *out_sid)
1497{
1498 return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
1499 out_sid, false);
1362} 1500}
1363 1501
1364/** 1502/**
@@ -1379,7 +1517,8 @@ int security_member_sid(u32 ssid,
1379 u16 tclass, 1517 u16 tclass,
1380 u32 *out_sid) 1518 u32 *out_sid)
1381{ 1519{
1382 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid); 1520 return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
1521 false);
1383} 1522}
1384 1523
1385/** 1524/**
@@ -1400,144 +1539,8 @@ int security_change_sid(u32 ssid,
1400 u16 tclass, 1539 u16 tclass,
1401 u32 *out_sid) 1540 u32 *out_sid)
1402{ 1541{
1403 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid); 1542 return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
1404} 1543 false);
1405
1406/*
1407 * Verify that each kernel class that is defined in the
1408 * policy is correct
1409 */
1410static int validate_classes(struct policydb *p)
1411{
1412 int i, j;
1413 struct class_datum *cladatum;
1414 struct perm_datum *perdatum;
1415 u32 nprim, tmp, common_pts_len, perm_val, pol_val;
1416 u16 class_val;
1417 const struct selinux_class_perm *kdefs = &selinux_class_perm;
1418 const char *def_class, *def_perm, *pol_class;
1419 struct symtab *perms;
1420 bool print_unknown_handle = 0;
1421
1422 if (p->allow_unknown) {
1423 u32 num_classes = kdefs->cts_len;
1424 p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
1425 if (!p->undefined_perms)
1426 return -ENOMEM;
1427 }
1428
1429 for (i = 1; i < kdefs->cts_len; i++) {
1430 def_class = kdefs->class_to_string[i];
1431 if (!def_class)
1432 continue;
1433 if (i > p->p_classes.nprim) {
1434 printk(KERN_INFO
1435 "SELinux: class %s not defined in policy\n",
1436 def_class);
1437 if (p->reject_unknown)
1438 return -EINVAL;
1439 if (p->allow_unknown)
1440 p->undefined_perms[i-1] = ~0U;
1441 print_unknown_handle = 1;
1442 continue;
1443 }
1444 pol_class = p->p_class_val_to_name[i-1];
1445 if (strcmp(pol_class, def_class)) {
1446 printk(KERN_ERR
1447 "SELinux: class %d is incorrect, found %s but should be %s\n",
1448 i, pol_class, def_class);
1449 return -EINVAL;
1450 }
1451 }
1452 for (i = 0; i < kdefs->av_pts_len; i++) {
1453 class_val = kdefs->av_perm_to_string[i].tclass;
1454 perm_val = kdefs->av_perm_to_string[i].value;
1455 def_perm = kdefs->av_perm_to_string[i].name;
1456 if (class_val > p->p_classes.nprim)
1457 continue;
1458 pol_class = p->p_class_val_to_name[class_val-1];
1459 cladatum = hashtab_search(p->p_classes.table, pol_class);
1460 BUG_ON(!cladatum);
1461 perms = &cladatum->permissions;
1462 nprim = 1 << (perms->nprim - 1);
1463 if (perm_val > nprim) {
1464 printk(KERN_INFO
1465 "SELinux: permission %s in class %s not defined in policy\n",
1466 def_perm, pol_class);
1467 if (p->reject_unknown)
1468 return -EINVAL;
1469 if (p->allow_unknown)
1470 p->undefined_perms[class_val-1] |= perm_val;
1471 print_unknown_handle = 1;
1472 continue;
1473 }
1474 perdatum = hashtab_search(perms->table, def_perm);
1475 if (perdatum == NULL) {
1476 printk(KERN_ERR
1477 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1478 def_perm, pol_class);
1479 return -EINVAL;
1480 }
1481 pol_val = 1 << (perdatum->value - 1);
1482 if (pol_val != perm_val) {
1483 printk(KERN_ERR
1484 "SELinux: permission %s in class %s has incorrect value\n",
1485 def_perm, pol_class);
1486 return -EINVAL;
1487 }
1488 }
1489 for (i = 0; i < kdefs->av_inherit_len; i++) {
1490 class_val = kdefs->av_inherit[i].tclass;
1491 if (class_val > p->p_classes.nprim)
1492 continue;
1493 pol_class = p->p_class_val_to_name[class_val-1];
1494 cladatum = hashtab_search(p->p_classes.table, pol_class);
1495 BUG_ON(!cladatum);
1496 if (!cladatum->comdatum) {
1497 printk(KERN_ERR
1498 "SELinux: class %s should have an inherits clause but does not\n",
1499 pol_class);
1500 return -EINVAL;
1501 }
1502 tmp = kdefs->av_inherit[i].common_base;
1503 common_pts_len = 0;
1504 while (!(tmp & 0x01)) {
1505 common_pts_len++;
1506 tmp >>= 1;
1507 }
1508 perms = &cladatum->comdatum->permissions;
1509 for (j = 0; j < common_pts_len; j++) {
1510 def_perm = kdefs->av_inherit[i].common_pts[j];
1511 if (j >= perms->nprim) {
1512 printk(KERN_INFO
1513 "SELinux: permission %s in class %s not defined in policy\n",
1514 def_perm, pol_class);
1515 if (p->reject_unknown)
1516 return -EINVAL;
1517 if (p->allow_unknown)
1518 p->undefined_perms[class_val-1] |= (1 << j);
1519 print_unknown_handle = 1;
1520 continue;
1521 }
1522 perdatum = hashtab_search(perms->table, def_perm);
1523 if (perdatum == NULL) {
1524 printk(KERN_ERR
1525 "SELinux: permission %s in class %s not found in policy, bad policy\n",
1526 def_perm, pol_class);
1527 return -EINVAL;
1528 }
1529 if (perdatum->value != j + 1) {
1530 printk(KERN_ERR
1531 "SELinux: permission %s in class %s has incorrect value\n",
1532 def_perm, pol_class);
1533 return -EINVAL;
1534 }
1535 }
1536 }
1537 if (print_unknown_handle)
1538 printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
1539 (security_get_allow_unknown() ? "allowed" : "denied"));
1540 return 0;
1541} 1544}
1542 1545
1543/* Clone the SID into the new SID table. */ 1546/* Clone the SID into the new SID table. */
@@ -1547,7 +1550,10 @@ static int clone_sid(u32 sid,
1547{ 1550{
1548 struct sidtab *s = arg; 1551 struct sidtab *s = arg;
1549 1552
1550 return sidtab_insert(s, sid, context); 1553 if (sid > SECINITSID_NUM)
1554 return sidtab_insert(s, sid, context);
1555 else
1556 return 0;
1551} 1557}
1552 1558
1553static inline int convert_context_handle_invalid_context(struct context *context) 1559static inline int convert_context_handle_invalid_context(struct context *context)
@@ -1588,12 +1594,17 @@ static int convert_context(u32 key,
1588{ 1594{
1589 struct convert_context_args *args; 1595 struct convert_context_args *args;
1590 struct context oldc; 1596 struct context oldc;
1597 struct ocontext *oc;
1598 struct mls_range *range;
1591 struct role_datum *role; 1599 struct role_datum *role;
1592 struct type_datum *typdatum; 1600 struct type_datum *typdatum;
1593 struct user_datum *usrdatum; 1601 struct user_datum *usrdatum;
1594 char *s; 1602 char *s;
1595 u32 len; 1603 u32 len;
1596 int rc; 1604 int rc = 0;
1605
1606 if (key <= SECINITSID_NUM)
1607 goto out;
1597 1608
1598 args = p; 1609 args = p;
1599 1610
@@ -1655,9 +1666,39 @@ static int convert_context(u32 key,
1655 goto bad; 1666 goto bad;
1656 c->type = typdatum->value; 1667 c->type = typdatum->value;
1657 1668
1658 rc = mls_convert_context(args->oldp, args->newp, c); 1669 /* Convert the MLS fields if dealing with MLS policies */
1659 if (rc) 1670 if (args->oldp->mls_enabled && args->newp->mls_enabled) {
1660 goto bad; 1671 rc = mls_convert_context(args->oldp, args->newp, c);
1672 if (rc)
1673 goto bad;
1674 } else if (args->oldp->mls_enabled && !args->newp->mls_enabled) {
1675 /*
1676 * Switching between MLS and non-MLS policy:
1677 * free any storage used by the MLS fields in the
1678 * context for all existing entries in the sidtab.
1679 */
1680 mls_context_destroy(c);
1681 } else if (!args->oldp->mls_enabled && args->newp->mls_enabled) {
1682 /*
1683 * Switching between non-MLS and MLS policy:
1684 * ensure that the MLS fields of the context for all
1685 * existing entries in the sidtab are filled in with a
1686 * suitable default value, likely taken from one of the
1687 * initial SIDs.
1688 */
1689 oc = args->newp->ocontexts[OCON_ISID];
1690 while (oc && oc->sid[0] != SECINITSID_UNLABELED)
1691 oc = oc->next;
1692 if (!oc) {
1693 printk(KERN_ERR "SELinux: unable to look up"
1694 " the initial SIDs list\n");
1695 goto bad;
1696 }
1697 range = &oc->context[0].range;
1698 rc = mls_range_set(c, range);
1699 if (rc)
1700 goto bad;
1701 }
1661 1702
1662 /* Check the validity of the new context. */ 1703 /* Check the validity of the new context. */
1663 if (!policydb_context_isvalid(args->newp, c)) { 1704 if (!policydb_context_isvalid(args->newp, c)) {
@@ -1710,8 +1751,10 @@ int security_load_policy(void *data, size_t len)
1710{ 1751{
1711 struct policydb oldpolicydb, newpolicydb; 1752 struct policydb oldpolicydb, newpolicydb;
1712 struct sidtab oldsidtab, newsidtab; 1753 struct sidtab oldsidtab, newsidtab;
1754 struct selinux_mapping *oldmap, *map = NULL;
1713 struct convert_context_args args; 1755 struct convert_context_args args;
1714 u32 seqno; 1756 u32 seqno;
1757 u16 map_size;
1715 int rc = 0; 1758 int rc = 0;
1716 struct policy_file file = { data, len }, *fp = &file; 1759 struct policy_file file = { data, len }, *fp = &file;
1717 1760
@@ -1721,22 +1764,19 @@ int security_load_policy(void *data, size_t len)
1721 avtab_cache_destroy(); 1764 avtab_cache_destroy();
1722 return -EINVAL; 1765 return -EINVAL;
1723 } 1766 }
1724 if (policydb_load_isids(&policydb, &sidtab)) { 1767 if (selinux_set_mapping(&policydb, secclass_map,
1768 &current_mapping,
1769 &current_mapping_size)) {
1725 policydb_destroy(&policydb); 1770 policydb_destroy(&policydb);
1726 avtab_cache_destroy(); 1771 avtab_cache_destroy();
1727 return -EINVAL; 1772 return -EINVAL;
1728 } 1773 }
1729 /* Verify that the kernel defined classes are correct. */ 1774 if (policydb_load_isids(&policydb, &sidtab)) {
1730 if (validate_classes(&policydb)) {
1731 printk(KERN_ERR
1732 "SELinux: the definition of a class is incorrect\n");
1733 sidtab_destroy(&sidtab);
1734 policydb_destroy(&policydb); 1775 policydb_destroy(&policydb);
1735 avtab_cache_destroy(); 1776 avtab_cache_destroy();
1736 return -EINVAL; 1777 return -EINVAL;
1737 } 1778 }
1738 security_load_policycaps(); 1779 security_load_policycaps();
1739 policydb_loaded_version = policydb.policyvers;
1740 ss_initialized = 1; 1780 ss_initialized = 1;
1741 seqno = ++latest_granting; 1781 seqno = ++latest_granting;
1742 selinux_complete_init(); 1782 selinux_complete_init();
@@ -1754,18 +1794,22 @@ int security_load_policy(void *data, size_t len)
1754 if (policydb_read(&newpolicydb, fp)) 1794 if (policydb_read(&newpolicydb, fp))
1755 return -EINVAL; 1795 return -EINVAL;
1756 1796
1757 if (sidtab_init(&newsidtab)) { 1797 /* If switching between different policy types, log MLS status */
1798 if (policydb.mls_enabled && !newpolicydb.mls_enabled)
1799 printk(KERN_INFO "SELinux: Disabling MLS support...\n");
1800 else if (!policydb.mls_enabled && newpolicydb.mls_enabled)
1801 printk(KERN_INFO "SELinux: Enabling MLS support...\n");
1802
1803 rc = policydb_load_isids(&newpolicydb, &newsidtab);
1804 if (rc) {
1805 printk(KERN_ERR "SELinux: unable to load the initial SIDs\n");
1758 policydb_destroy(&newpolicydb); 1806 policydb_destroy(&newpolicydb);
1759 return -ENOMEM; 1807 return rc;
1760 } 1808 }
1761 1809
1762 /* Verify that the kernel defined classes are correct. */ 1810 if (selinux_set_mapping(&newpolicydb, secclass_map,
1763 if (validate_classes(&newpolicydb)) { 1811 &map, &map_size))
1764 printk(KERN_ERR
1765 "SELinux: the definition of a class is incorrect\n");
1766 rc = -EINVAL;
1767 goto err; 1812 goto err;
1768 }
1769 1813
1770 rc = security_preserve_bools(&newpolicydb); 1814 rc = security_preserve_bools(&newpolicydb);
1771 if (rc) { 1815 if (rc) {
@@ -1787,8 +1831,12 @@ int security_load_policy(void *data, size_t len)
1787 args.oldp = &policydb; 1831 args.oldp = &policydb;
1788 args.newp = &newpolicydb; 1832 args.newp = &newpolicydb;
1789 rc = sidtab_map(&newsidtab, convert_context, &args); 1833 rc = sidtab_map(&newsidtab, convert_context, &args);
1790 if (rc) 1834 if (rc) {
1835 printk(KERN_ERR "SELinux: unable to convert the internal"
1836 " representation of contexts in the new SID"
1837 " table\n");
1791 goto err; 1838 goto err;
1839 }
1792 1840
1793 /* Save the old policydb and SID table to free later. */ 1841 /* Save the old policydb and SID table to free later. */
1794 memcpy(&oldpolicydb, &policydb, sizeof policydb); 1842 memcpy(&oldpolicydb, &policydb, sizeof policydb);
@@ -1799,13 +1847,16 @@ int security_load_policy(void *data, size_t len)
1799 memcpy(&policydb, &newpolicydb, sizeof policydb); 1847 memcpy(&policydb, &newpolicydb, sizeof policydb);
1800 sidtab_set(&sidtab, &newsidtab); 1848 sidtab_set(&sidtab, &newsidtab);
1801 security_load_policycaps(); 1849 security_load_policycaps();
1850 oldmap = current_mapping;
1851 current_mapping = map;
1852 current_mapping_size = map_size;
1802 seqno = ++latest_granting; 1853 seqno = ++latest_granting;
1803 policydb_loaded_version = policydb.policyvers;
1804 write_unlock_irq(&policy_rwlock); 1854 write_unlock_irq(&policy_rwlock);
1805 1855
1806 /* Free the old policydb and SID table. */ 1856 /* Free the old policydb and SID table. */
1807 policydb_destroy(&oldpolicydb); 1857 policydb_destroy(&oldpolicydb);
1808 sidtab_destroy(&oldsidtab); 1858 sidtab_destroy(&oldsidtab);
1859 kfree(oldmap);
1809 1860
1810 avc_ss_reset(seqno); 1861 avc_ss_reset(seqno);
1811 selnl_notify_policyload(seqno); 1862 selnl_notify_policyload(seqno);
@@ -1815,6 +1866,7 @@ int security_load_policy(void *data, size_t len)
1815 return 0; 1866 return 0;
1816 1867
1817err: 1868err:
1869 kfree(map);
1818 sidtab_destroy(&newsidtab); 1870 sidtab_destroy(&newsidtab);
1819 policydb_destroy(&newpolicydb); 1871 policydb_destroy(&newpolicydb);
1820 return rc; 1872 return rc;
@@ -2091,7 +2143,7 @@ out_unlock:
2091 } 2143 }
2092 for (i = 0, j = 0; i < mynel; i++) { 2144 for (i = 0, j = 0; i < mynel; i++) {
2093 rc = avc_has_perm_noaudit(fromsid, mysids[i], 2145 rc = avc_has_perm_noaudit(fromsid, mysids[i],
2094 SECCLASS_PROCESS, 2146 SECCLASS_PROCESS, /* kernel value */
2095 PROCESS__TRANSITION, AVC_STRICT, 2147 PROCESS__TRANSITION, AVC_STRICT,
2096 NULL); 2148 NULL);
2097 if (!rc) 2149 if (!rc)
@@ -2119,10 +2171,11 @@ out:
2119 */ 2171 */
2120int security_genfs_sid(const char *fstype, 2172int security_genfs_sid(const char *fstype,
2121 char *path, 2173 char *path,
2122 u16 sclass, 2174 u16 orig_sclass,
2123 u32 *sid) 2175 u32 *sid)
2124{ 2176{
2125 int len; 2177 int len;
2178 u16 sclass;
2126 struct genfs *genfs; 2179 struct genfs *genfs;
2127 struct ocontext *c; 2180 struct ocontext *c;
2128 int rc = 0, cmp = 0; 2181 int rc = 0, cmp = 0;
@@ -2132,6 +2185,8 @@ int security_genfs_sid(const char *fstype,
2132 2185
2133 read_lock(&policy_rwlock); 2186 read_lock(&policy_rwlock);
2134 2187
2188 sclass = unmap_class(orig_sclass);
2189
2135 for (genfs = policydb.genfs; genfs; genfs = genfs->next) { 2190 for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
2136 cmp = strcmp(fstype, genfs->fstype); 2191 cmp = strcmp(fstype, genfs->fstype);
2137 if (cmp <= 0) 2192 if (cmp <= 0)
@@ -2377,7 +2432,7 @@ int security_sid_mls_copy(u32 sid, u32 mls_sid, u32 *new_sid)
2377 u32 len; 2432 u32 len;
2378 int rc = 0; 2433 int rc = 0;
2379 2434
2380 if (!ss_initialized || !selinux_mls_enabled) { 2435 if (!ss_initialized || !policydb.mls_enabled) {
2381 *new_sid = sid; 2436 *new_sid = sid;
2382 goto out; 2437 goto out;
2383 } 2438 }
@@ -2478,7 +2533,7 @@ int security_net_peersid_resolve(u32 nlbl_sid, u32 nlbl_type,
2478 /* we don't need to check ss_initialized here since the only way both 2533 /* we don't need to check ss_initialized here since the only way both
2479 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the 2534 * nlbl_sid and xfrm_sid are not equal to SECSID_NULL would be if the
2480 * security server was initialized and ss_initialized was true */ 2535 * security server was initialized and ss_initialized was true */
2481 if (!selinux_mls_enabled) { 2536 if (!policydb.mls_enabled) {
2482 *peer_sid = SECSID_NULL; 2537 *peer_sid = SECSID_NULL;
2483 return 0; 2538 return 0;
2484 } 2539 }
@@ -2535,7 +2590,7 @@ int security_get_classes(char ***classes, int *nclasses)
2535 read_lock(&policy_rwlock); 2590 read_lock(&policy_rwlock);
2536 2591
2537 *nclasses = policydb.p_classes.nprim; 2592 *nclasses = policydb.p_classes.nprim;
2538 *classes = kcalloc(*nclasses, sizeof(*classes), GFP_ATOMIC); 2593 *classes = kcalloc(*nclasses, sizeof(**classes), GFP_ATOMIC);
2539 if (!*classes) 2594 if (!*classes)
2540 goto out; 2595 goto out;
2541 2596
@@ -2582,7 +2637,7 @@ int security_get_permissions(char *class, char ***perms, int *nperms)
2582 } 2637 }
2583 2638
2584 *nperms = match->permissions.nprim; 2639 *nperms = match->permissions.nprim;
2585 *perms = kcalloc(*nperms, sizeof(*perms), GFP_ATOMIC); 2640 *perms = kcalloc(*nperms, sizeof(**perms), GFP_ATOMIC);
2586 if (!*perms) 2641 if (!*perms)
2587 goto out; 2642 goto out;
2588 2643
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-30 01:30:04 -0500