summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig54
-rw-r--r--security/Makefile1
-rw-r--r--security/capability.c21
-rw-r--r--security/commoncap.c74
-rw-r--r--security/integrity/ima/Kconfig1
-rw-r--r--security/keys/sysctl.c17
-rw-r--r--security/lsm_audit.c16
-rw-r--r--security/min_addr.c3
-rw-r--r--security/root_plug.c90
-rw-r--r--security/security.c61
-rw-r--r--security/selinux/.gitignore2
-rw-r--r--security/selinux/Makefile10
-rw-r--r--security/selinux/avc.c78
-rw-r--r--security/selinux/hooks.c31
-rw-r--r--security/selinux/include/av_inherit.h34
-rw-r--r--security/selinux/include/av_perm_to_string.h183
-rw-r--r--security/selinux/include/av_permissions.h870
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h80
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h91
-rw-r--r--security/selinux/include/security.h13
-rw-r--r--security/selinux/selinuxfs.c4
-rw-r--r--security/selinux/ss/Makefile2
-rw-r--r--security/selinux/ss/mls.c2
-rw-r--r--security/selinux/ss/policydb.c47
-rw-r--r--security/selinux/ss/policydb.h7
-rw-r--r--security/selinux/ss/services.c562
-rw-r--r--security/smack/smack_lsm.c4
-rw-r--r--security/tomoyo/common.c200
-rw-r--r--security/tomoyo/common.h4
-rw-r--r--security/tomoyo/file.c21
-rw-r--r--security/tomoyo/realpath.c22
-rw-r--r--security/tomoyo/tomoyo.c80
-rw-r--r--security/tomoyo/tomoyo.h2
36 files changed, 817 insertions, 2099 deletions
diff --git a/security/Kconfig b/security/Kconfig
index fb363cd81cf6..226b9556b25f 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -91,28 +91,6 @@ config SECURITY_PATH
implement pathname based access controls.
If you are unsure how to answer this question, answer N.
-config SECURITY_FILE_CAPABILITIES
- bool "File POSIX Capabilities"
- default n
- help
- This enables filesystem capabilities, allowing you to give
- binaries a subset of root's powers without using setuid 0.
-
- If in doubt, answer N.
-
-config SECURITY_ROOTPLUG
- bool "Root Plug Support"
- depends on USB=y && SECURITY
- help
- This is a sample LSM module that should only be used as such.
- It prevents any programs running with egid == 0 if a specific
- USB device is not present in the system.
-
- See <http://www.linuxjournal.com/article.php?sid=6279> for
- more information about this module.
-
- If you are unsure how to answer this question, answer N.
-
config INTEL_TXT
bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
depends on HAVE_INTEL_TXT
@@ -165,5 +143,37 @@ source security/tomoyo/Kconfig
source security/integrity/ima/Kconfig
+choice
+ prompt "Default security module"
+ default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
+ default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
+ default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+ default DEFAULT_SECURITY_DAC
+
+ help
+ Select the security module that will be used by default if the
+ kernel parameter security= is not specified.
+
+ config DEFAULT_SECURITY_SELINUX
+ bool "SELinux" if SECURITY_SELINUX=y
+
+ config DEFAULT_SECURITY_SMACK
+ bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y
+
+ config DEFAULT_SECURITY_TOMOYO
+ bool "TOMOYO" if SECURITY_TOMOYO=y
+
+ config DEFAULT_SECURITY_DAC
+ bool "Unix Discretionary Access Controls"
+
+endchoice
+
+config DEFAULT_SECURITY
+ string
+ default "selinux" if DEFAULT_SECURITY_SELINUX
+ default "smack" if DEFAULT_SECURITY_SMACK
+ default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+ default "" if DEFAULT_SECURITY_DAC
+
endmenu
diff --git a/security/Makefile b/security/Makefile
index 95ecc06392d7..bb44e350c618 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
-obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/capability.c b/security/capability.c
index fce07a7bc825..5c700e1a4fd3 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -308,6 +308,22 @@ static int cap_path_truncate(struct path *path, loff_t length,
{
return 0;
}
+
+static int cap_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+ mode_t mode)
+{
+ return 0;
+}
+
+static int cap_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+ return 0;
+}
+
+static int cap_path_chroot(struct path *root)
+{
+ return 0;
+}
#endif
static int cap_file_permission(struct file *file, int mask)
@@ -405,7 +421,7 @@ static int cap_kernel_create_files_as(struct cred *new, struct inode *inode)
return 0;
}
-static int cap_kernel_module_request(void)
+static int cap_kernel_module_request(char *kmod_name)
{
return 0;
}
@@ -977,6 +993,9 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, path_link);
set_to_cap_if_null(ops, path_rename);
set_to_cap_if_null(ops, path_truncate);
+ set_to_cap_if_null(ops, path_chmod);
+ set_to_cap_if_null(ops, path_chown);
+ set_to_cap_if_null(ops, path_chroot);
#endif
set_to_cap_if_null(ops, file_permission);
set_to_cap_if_null(ops, file_alloc_security);
diff --git a/security/commoncap.c b/security/commoncap.c
index fe30751a6cd9..f800fdb3de94 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1,4 +1,4 @@
-/* Common capabilities, needed by capability.o and root_plug.o
+/* Common capabilities, needed by capability.o.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -173,7 +173,6 @@ int cap_capget(struct task_struct *target, kernel_cap_t *effective,
*/
static inline int cap_inh_is_capped(void)
{
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
/* they are so limited unless the current task has the CAP_SETPCAP
* capability
@@ -181,7 +180,6 @@ static inline int cap_inh_is_capped(void)
if (cap_capable(current, current_cred(), CAP_SETPCAP,
SECURITY_CAP_AUDIT) == 0)
return 0;
-#endif
return 1;
}
@@ -239,8 +237,6 @@ static inline void bprm_clear_caps(struct linux_binprm *bprm)
bprm->cap_effective = false;
}
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
-
/**
* cap_inode_need_killpriv - Determine if inode change affects privileges
* @dentry: The inode/dentry in being changed with change marked ATTR_KILL_PRIV
@@ -421,49 +417,6 @@ out:
return rc;
}
-#else
-int cap_inode_need_killpriv(struct dentry *dentry)
-{
- return 0;
-}
-
-int cap_inode_killpriv(struct dentry *dentry)
-{
- return 0;
-}
-
-int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps)
-{
- memset(cpu_caps, 0, sizeof(struct cpu_vfs_cap_data));
- return -ENODATA;
-}
-
-static inline int get_file_caps(struct linux_binprm *bprm, bool *effective)
-{
- bprm_clear_caps(bprm);
- return 0;
-}
-#endif
-
-/*
- * Determine whether a exec'ing process's new permitted capabilities should be
- * limited to just what it already has.
- *
- * This prevents processes that are being ptraced from gaining access to
- * CAP_SETPCAP, unless the process they're tracing already has it, and the
- * binary they're executing has filecaps that elevate it.
- *
- * Returns 1 if they should be limited, 0 if they are not.
- */
-static inline int cap_limit_ptraced_target(void)
-{
-#ifndef CONFIG_SECURITY_FILE_CAPABILITIES
- if (capable(CAP_SETPCAP))
- return 0;
-#endif
- return 1;
-}
-
/**
* cap_bprm_set_creds - Set up the proposed credentials for execve().
* @bprm: The execution parameters, including the proposed creds
@@ -523,9 +476,8 @@ skip:
new->euid = new->uid;
new->egid = new->gid;
}
- if (cap_limit_ptraced_target())
- new->cap_permitted = cap_intersect(new->cap_permitted,
- old->cap_permitted);
+ new->cap_permitted = cap_intersect(new->cap_permitted,
+ old->cap_permitted);
}
new->suid = new->fsuid = new->euid;
@@ -739,7 +691,6 @@ int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags)
return 0;
}
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
/*
* Rationale: code calling task_setscheduler, task_setioprio, and
* task_setnice, assumes that
@@ -820,22 +771,6 @@ static long cap_prctl_drop(struct cred *new, unsigned long cap)
return 0;
}
-#else
-int cap_task_setscheduler (struct task_struct *p, int policy,
- struct sched_param *lp)
-{
- return 0;
-}
-int cap_task_setioprio (struct task_struct *p, int ioprio)
-{
- return 0;
-}
-int cap_task_setnice (struct task_struct *p, int nice)
-{
- return 0;
-}
-#endif
-
/**
* cap_task_prctl - Implement process control functions for this security module
* @option: The process control function requested
@@ -866,7 +801,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
error = !!cap_raised(new->cap_bset, arg2);
goto no_change;
-#ifdef CONFIG_SECURITY_FILE_CAPABILITIES
case PR_CAPBSET_DROP:
error = cap_prctl_drop(new, arg2);
if (error < 0)
@@ -917,8 +851,6 @@ int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
error = new->securebits;
goto no_change;
-#endif /* def CONFIG_SECURITY_FILE_CAPABILITIES */
-
case PR_GET_KEEPCAPS:
if (issecure(SECURE_KEEP_CAPS))
error = 1;
diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 53d9764e8f09..3d7846de8069 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -3,6 +3,7 @@
config IMA
bool "Integrity Measurement Architecture(IMA)"
depends on ACPI
+ depends on SECURITY
select SECURITYFS
select CRYPTO
select CRYPTO_HMAC
diff --git a/security/keys/sysctl.c b/security/keys/sysctl.c
index 5e05dc09e2db..ee32d181764a 100644
--- a/security/keys/sysctl.c
+++ b/security/keys/sysctl.c
@@ -17,54 +17,49 @@ static const int zero, one = 1, max = INT_MAX;
ctl_table key_sysctls[] = {
{
- .ctl_name = CTL_UNNUMBERED,
.procname = "maxkeys",
.data = &key_quota_maxkeys,
.maxlen = sizeof(unsigned),
.mode = 0644,
- .proc_handler = &proc_dointvec_minmax,
+ .proc_handler = proc_dointvec_minmax,
.extra1 = (void *) &one,
.extra2 = (void *) &max,
},
{
- .ctl_name = CTL_UNNUMBERED,
.procname = "maxbytes",
.data = &key_quota_maxbytes,
.maxlen = sizeof(unsigned),
.mode = 0644,
- .proc_handler = &proc_dointvec_minmax,
+ .proc_handler = proc_dointvec_minmax,
.extra1 = (void *) &one,
.extra2 = (void *) &max,
},
{
- .ctl_name = CTL_UNNUMBERED,
.procname = "root_maxkeys",
.data = &key_quota_root_maxkeys,
.maxlen = sizeof(unsigned),
.mode = 0644,
- .proc_handler = &proc_dointvec_minmax,
+ .proc_handler = proc_dointvec_minmax,
.extra1 = (void *) &one,
.extra2 = (void *) &max,
},
{
- .ctl_name = CTL_UNNUMBERED,
.procname = "root_maxbytes",
.data = &key_quota_root_maxbytes,
.maxlen = sizeof(unsigned),
.mode = 0644,
- .proc_handler = &proc_dointvec_minmax,
+ .proc_handler = proc_dointvec_minmax,
.extra1 = (void *) &one,
.extra2 = (void *) &max,
},
{
- .ctl_name = CTL_UNNUMBERED,
.procname = "gc_delay",
.data = &key_gc_delay,
.maxlen = sizeof(unsigned),
.mode = 0644,
- .proc_handler = &proc_dointvec_minmax,
+ .proc_handler = proc_dointvec_minmax,
.extra1 = (void *) &zero,
.extra2 = (void *) &max,
},
- { .ctl_name = 0 }
+ { }
};
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 3bb90b6f1dd3..acba3dfc8d29 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -273,11 +273,11 @@ static void dump_common_audit_data(struct audit_buffer *ab,
case AF_INET: {
struct inet_sock *inet = inet_sk(sk);
- print_ipv4_addr(ab, inet->rcv_saddr,
- inet->sport,
+ print_ipv4_addr(ab, inet->inet_rcv_saddr,
+ inet->inet_sport,
"laddr", "lport");
- print_ipv4_addr(ab, inet->daddr,
- inet->dport,
+ print_ipv4_addr(ab, inet->inet_daddr,
+ inet->inet_dport,
"faddr", "fport");
break;
}
@@ -286,10 +286,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
struct ipv6_pinfo *inet6 = inet6_sk(sk);
print_ipv6_addr(ab, &inet6->rcv_saddr,
- inet->sport,
+ inet->inet_sport,
"laddr", "lport");
print_ipv6_addr(ab, &inet6->daddr,
- inet->dport,
+ inet->inet_dport,
"faddr", "fport");
break;
}
@@ -354,6 +354,10 @@ static void dump_common_audit_data(struct audit_buffer *ab,
}
break;
#endif
+ case LSM_AUDIT_DATA_KMOD:
+ audit_log_format(ab, " kmod=");
+ audit_log_untrustedstring(ab, a->u.kmod_name);
+ break;
} /* switch (a->type) */
}
diff --git a/security/min_addr.c b/security/min_addr.c
index c844eed7915d..fc43c9d37084 100644
--- a/security/min_addr.c
+++ b/security/min_addr.c
@@ -33,6 +33,9 @@ int mmap_min_addr_handler(struct ctl_table *table, int write,
{
int ret;
+ if (!capable(CAP_SYS_RAWIO))
+ return -EPERM;
+
ret = proc_doulongvec_minmax(table, write, buffer, lenp, ppos);
update_mmap_min_addr();
diff --git a/security/root_plug.c b/security/root_plug.c
deleted file mode 100644
index 2f7ffa67c4d2..000000000000
--- a/security/root_plug.c
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * Root Plug sample LSM module
- *
- * Originally written for a Linux Journal.
- *
- * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
- *
- * Prevents any programs running with egid == 0 if a specific USB device
- * is not present in the system. Yes, it can be gotten around, but is a
- * nice starting point for people to play with, and learn the LSM
- * interface.
- *
- * If you want to turn this into something with a semblance of security,
- * you need to hook the task_* functions also.
- *
- * See http://www.linuxjournal.com/article.php?sid=6279 for more information
- * about this code.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- */
-
-#include <linux/kernel.h>
-#include <linux/init.h>
-#include <linux/security.h>
-#include <linux/usb.h>
-#include <linux/moduleparam.h>
-
-/* default is a generic type of usb to serial converter */
-static int vendor_id = 0x0557;
-static int product_id = 0x2008;
-
-module_param(vendor_id, uint, 0400);
-module_param(product_id, uint, 0400);
-
-/* should we print out debug messages */
-static int debug = 0;
-
-module_param(debug, bool, 0600);
-
-#define MY_NAME "root_plug"
-
-#define root_dbg(fmt, arg...) \
- do { \
- if (debug) \
- printk(KERN_DEBUG "%s: %s: " fmt , \
- MY_NAME , __func__ , \
- ## arg); \
- } while (0)
-
-static int rootplug_bprm_check_security (struct linux_binprm *bprm)
-{
- struct usb_device *dev;
-
- root_dbg("file %s, e_uid = %d, e_gid = %d\n",
- bprm->filename, bprm->cred->euid, bprm->cred->egid);
-
- if (bprm->cred->egid == 0) {
- dev = usb_find_device(vendor_id, product_id);
- if (!dev) {
- root_dbg("e_gid = 0, and device not found, "
- "task not allowed to run...\n");
- return -EPERM;
- }
- usb_put_dev(dev);
- }
-
- return 0;
-}
-
-static struct security_operations rootplug_security_ops = {
- .bprm_check_security = rootplug_bprm_check_security,
-};
-
-static int __init rootplug_init (void)
-{
- /* register ourselves with the security framework */
- if (register_security (&rootplug_security_ops)) {
- printk (KERN_INFO
- "Failure registering Root Plug module with the kernel\n");
- return -EINVAL;
- }
- printk (KERN_INFO "Root Plug module initialized, "
- "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
- return 0;
-}
-
-security_initcall (rootplug_init);
diff --git a/security/security.c b/security/security.c
index c4c673240c1c..24e060be9fa5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -16,9 +16,11 @@
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/security.h>
+#include <linux/ima.h>
/* Boot-time LSM user choice */
-static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
+ CONFIG_DEFAULT_SECURITY;
/* things that live in capability.c */
extern struct security_operations default_security_ops;
@@ -79,8 +81,10 @@ __setup("security=", choose_lsm);
*
* Return true if:
* -The passed LSM is the one chosen by user at boot time,
- * -or user didn't specify a specific LSM and we're the first to ask
- * for registration permission,
+ * -or the passed LSM is configured as the default and the user did not
+ * choose an alternate LSM at boot time,
+ * -or there is no default LSM set and the user didn't specify a
+ * specific LSM and we're the first to ask for registration permission,
* -or the passed LSM is currently loaded.
* Otherwise, return false.
*/
@@ -235,7 +239,12 @@ int security_bprm_set_creds(struct linux_binprm *bprm)
int security_bprm_check(struct linux_binprm *bprm)
{
- return security_ops->bprm_check_security(bprm);
+ int ret;
+
+ ret = security_ops->bprm_check_security(bprm);
+ if (ret)
+ return ret;
+ return ima_bprm_check(bprm);
}
void security_bprm_committing_creds(struct linux_binprm *bprm)
@@ -352,12 +361,21 @@ EXPORT_SYMBOL(security_sb_parse_opts_str);
int security_inode_alloc(struct inode *inode)
{
+ int ret;
+
inode->i_security = NULL;
- return security_ops->inode_alloc_security(inode);
+ ret = security_ops->inode_alloc_security(inode);
+ if (ret)
+ return ret;
+ ret = ima_inode_alloc(inode);
+ if (ret)
+ security_inode_free(inode);
+ return ret;
}
void security_inode_free(struct inode *inode)
{
+ ima_inode_free(inode);
security_ops->inode_free_security(inode);
}
@@ -434,6 +452,26 @@ int security_path_truncate(struct path *path, loff_t length,
return 0;
return security_ops->path_truncate(path, length, time_attrs);
}
+
+int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
+ mode_t mode)
+{
+ if (unlikely(IS_PRIVATE(dentry->d_inode)))
+ return 0;
+ return security_ops->path_chmod(dentry, mnt, mode);
+}
+
+int security_path_chown(struct path *path, uid_t uid, gid_t gid)
+{
+ if (unlikely(IS_PRIVATE(path->dentry->d_inode)))
+ return 0;
+ return security_ops->path_chown(path, uid, gid);
+}
+
+int security_path_chroot(struct path *path)
+{
+ return security_ops->path_chroot(path);
+}
#endif
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
@@ -628,6 +666,8 @@ int security_file_alloc(struct file *file)
void security_file_free(struct file *file)
{
security_ops->file_free_security(file);
+ if (file->f_dentry)
+ ima_file_free(file);
}
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
@@ -639,7 +679,12 @@ int security_file_mmap(struct file *file, unsigned long reqprot,
unsigned long prot, unsigned long flags,
unsigned long addr, unsigned long addr_only)
{
- return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ int ret;
+
+ ret = security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
+ if (ret)
+ return ret;
+ return ima_file_mmap(file, prot);
}
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
@@ -719,9 +764,9 @@ int security_kernel_create_files_as(struct cred *new, struct inode *inode)
return security_ops->kernel_create_files_as(new, inode);
}
-int security_kernel_module_request(void)
+int security_kernel_module_request(char *kmod_name)
{
- return security_ops->kernel_module_request();
+ return security_ops->kernel_module_request(kmod_name);
}
int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
diff --git a/security/selinux/.gitignore b/security/selinux/.gitignore
new file mode 100644
index 000000000000..2e5040a3d48b
--- /dev/null
+++ b/security/selinux/.gitignore
@@ -0,0 +1,2 @@
+av_permissions.h
+flask.h
diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index d47fc5e545e0..f013982df417 100644
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -18,5 +18,13 @@ selinux-$(CONFIG_SECURITY_NETWORK_XFRM) += xfrm.o
selinux-$(CONFIG_NETLABEL) += netlabel.o
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
+$(obj)/avc.o: $(obj)/flask.h
+
+quiet_cmd_flask = GEN $(obj)/flask.h $(obj)/av_permissions.h
+ cmd_flask = scripts/selinux/genheaders/genheaders $(obj)/flask.h $(obj)/av_permissions.h
+
+targets += flask.h
+$(obj)/flask.h: $(src)/include/classmap.h FORCE
+ $(call if_changed,flask)
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index b4b5da1c0a42..f2dde268165a 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -31,43 +31,7 @@
#include <net/ipv6.h>
#include "avc.h"
#include "avc_ss.h"
-
-static const struct av_perm_to_string av_perm_to_string[] = {
-#define S_(c, v, s) { c, v, s },
-#include "av_perm_to_string.h"
-#undef S_
-};
-
-static const char *class_to_string[] = {
-#define S_(s) s,
-#include "class_to_string.h"
-#undef S_
-};
-
-#define TB_(s) static const char *s[] = {
-#define TE_(s) };
-#define S_(s) s,
-#include "common_perm_to_string.h"
-#undef TB_
-#undef TE_
-#undef S_
-
-static const struct av_inherit av_inherit[] = {
-#define S_(c, i, b) { .tclass = c,\
- .common_pts = common_##i##_perm_to_string,\
- .common_base = b },
-#include "av_inherit.h"
-#undef S_
-};
-
-const struct selinux_class_perm selinux_class_perm = {
- .av_perm_to_string = av_perm_to_string,
- .av_pts_len = ARRAY_SIZE(av_perm_to_string),
- .class_to_string = class_to_string,
- .cts_len = ARRAY_SIZE(class_to_string),
- .av_inherit = av_inherit,
- .av_inherit_len = ARRAY_SIZE(av_inherit)
-};
+#include "classmap.h"
#define AVC_CACHE_SLOTS 512
#define AVC_DEF_CACHE_THRESHOLD 512
@@ -139,52 +103,28 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass)
*/
static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av)
{
- const char **common_pts = NULL;
- u32 common_base = 0;
- int i, i2, perm;
+ const char **perms;
+ int i, perm;
if (av == 0) {
audit_log_format(ab, " null");
return;
}
- for (i = 0; i < ARRAY_SIZE(av_inherit); i++) {
- if (av_inherit[i].tclass == tclass) {
- common_pts = av_inherit[i].common_pts;
- common_base = av_inherit[i].common_base;
- break;
- }
- }
+ perms = secclass_map[tclass-1].perms;
audit_log_format(ab, " {");
i = 0;
perm = 1;
- while (perm < common_base) {
- if (perm & av) {
- audit_log_format(ab, " %s", common_pts[i]);
+ while (i < (sizeof(av) * 8)) {
+ if ((perm & av) && perms[i]) {
+ audit_log_format(ab, " %s", perms[i]);
av &= ~perm;
}
i++;
perm <<= 1;
}
- while (i < sizeof(av) * 8) {
- if (perm & av) {
- for (i2 = 0; i2 < ARRAY_SIZE(av_perm_to_string); i2++) {
- if ((av_perm_to_string[i2].tclass == tclass) &&
- (av_perm_to_string[i2].value == perm))
- break;
- }
- if (i2 < ARRAY_SIZE(av_perm_to_string)) {
- audit_log_format(ab, " %s",
- av_perm_to_string[i2].name);
- av &= ~perm;
- }
- }
- i++;
- perm <<= 1;
- }
-
if (av)
audit_log_format(ab, " 0x%x", av);
@@ -219,8 +159,8 @@ static void avc_dump_query(struct audit_buffer *ab, u32 ssid, u32 tsid, u16 tcla
kfree(scontext);
}
- BUG_ON(tclass >= ARRAY_SIZE(class_to_string) || !class_to_string[tclass]);
- audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
+ BUG_ON(tclass >= ARRAY_SIZE(secclass_map));
+ audit_log_format(ab, " tclass=%s", secclass_map[tclass-1].name);
}
/**
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index bb230d5d7085..7a374c2eb043 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -91,7 +91,6 @@
#define NUM_SEL_MNT_OPTS 5
-extern unsigned int policydb_loaded_version;
extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
extern struct security_operations *security_ops;
@@ -3338,9 +3337,18 @@ static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
return 0;
}
-static int selinux_kernel_module_request(void)
+static int selinux_kernel_module_request(char *kmod_name)
{
- return task_has_system(current, SYSTEM__MODULE_REQUEST);
+ u32 sid;
+ struct common_audit_data ad;
+
+ sid = task_sid(current);
+
+ COMMON_AUDIT_DATA_INIT(&ad, KMOD);
+ ad.u.kmod_name = kmod_name;
+
+ return avc_has_perm(sid, SECINITSID_KERNEL, SECCLASS_SYSTEM,
+ SYSTEM__MODULE_REQUEST, &ad);
}
static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
@@ -4085,7 +4093,7 @@ static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
char *addrp;
COMMON_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = skb->iif;
+ ad.u.net.netif = skb->skb_iif;
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
@@ -4147,7 +4155,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
return 0;
COMMON_AUDIT_DATA_INIT(&ad, NET);
- ad.u.net.netif = skb->iif;
+ ad.u.net.netif = skb->skb_iif;
ad.u.net.family = family;
err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
if (err)
@@ -4159,7 +4167,7 @@ static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
if (err)
return err;
- err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
+ err = selinux_inet_sys_rcv_skb(skb->skb_iif, addrp, family,
peer_sid, &ad);
if (err) {
selinux_netlbl_err(skb, err, 0);
@@ -4714,10 +4722,7 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
if (err)
return err;
- if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
- err = selinux_nlmsg_perm(sk, skb);
-
- return err;
+ return selinux_nlmsg_perm(sk, skb);
}
static int selinux_netlink_recv(struct sk_buff *skb, int capability)
@@ -5830,12 +5835,12 @@ int selinux_disable(void)
selinux_disabled = 1;
selinux_enabled = 0;
- /* Try to destroy the avc node cache */
- avc_disable();
-
/* Reset security_ops to the secondary module, dummy or capability. */
security_ops = secondary_ops;
+ /* Try to destroy the avc node cache */
+ avc_disable();
+
/* Unregister netfilter hooks. */
selinux_nf_ip_exit();
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704dae..000000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_DIR, file, 0x00020000UL)
- S_(SECCLASS_FILE, file, 0x00020000UL)
- S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
- S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
- S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
- S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_IPC, ipc, 0x00000200UL)
- S_(SECCLASS_SEM, ipc, 0x00000200UL)
- S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
- S_(SECCLASS_SHM, ipc, 0x00000200UL)
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d21..000000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
- S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
- S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
- S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
- S_(SECCLASS_DIR, DIR__SEARCH, "search")
- S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
- S_(SECCLASS_DIR, DIR__OPEN, "open")
- S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
- S_(SECCLASS_FILE, FILE__OPEN, "open")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
- S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
- S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
- S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
- S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
- S_(SECCLASS_FD, FD__USE, "use")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
- S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
- S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
- S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
- S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
- S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
- S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
- S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
- S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
- S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
- S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
- S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
- S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
- S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
- S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
- S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
- S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
- S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
- S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
- S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
- S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
- S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
- S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
- S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
- S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
- S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
- S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
- S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
- S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
- S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
- S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
- S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
- S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
- S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
- S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
- S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
- S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
- S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
- S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
- S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
- S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
- S_(SECCLASS_MSG, MSG__SEND, "send")
- S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
- S_(SECCLASS_SHM, SHM__LOCK, "lock")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
- S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
- S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
- S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
- S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
- S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
- S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
- S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
- S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
- S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
- S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
- S_(SECCLASS_PACKET, PACKET__SEND, "send")
- S_(SECCLASS_PACKET, PACKET__RECV, "recv")
- S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
- S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
- S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
- S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
- S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
- S_(SECCLASS_KEY, KEY__VIEW, "view")
- S_(SECCLASS_KEY, KEY__READ, "read")
- S_(SECCLASS_KEY, KEY__WRITE, "write")
- S_(SECCLASS_KEY, KEY__SEARCH, "search")
- S_(SECCLASS_KEY, KEY__LINK, "link")
- S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
- S_(SECCLASS_KEY, KEY__CREATE, "create")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
- S_(SECCLASS_PEER, PEER__RECV, "recv")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
deleted file mode 100644
index 0546d616ccac..000000000000
--- a/security/selinux/include/av_permissions.h
+++ /dev/null
@@ -1,870 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#define COMMON_FILE__IOCTL 0x00000001UL
-#define COMMON_FILE__READ 0x00000002UL
-#define COMMON_FILE__WRITE 0x00000004UL
-#define COMMON_FILE__CREATE 0x00000008UL
-#define COMMON_FILE__GETATTR 0x00000010UL
-#define COMMON_FILE__SETATTR 0x00000020UL
-#define COMMON_FILE__LOCK 0x00000040UL
-#define COMMON_FILE__RELABELFROM 0x00000080UL
-#define COMMON_FILE__RELABELTO 0x00000100UL
-#define COMMON_FILE__APPEND 0x00000200UL
-#define COMMON_FILE__UNLINK 0x00000400UL
-#define COMMON_FILE__LINK 0x00000800UL
-#define COMMON_FILE__RENAME 0x00001000UL
-#define COMMON_FILE__EXECUTE 0x00002000UL
-#define COMMON_FILE__SWAPON 0x00004000UL
-#define COMMON_FILE__QUOTAON 0x00008000UL
-#define COMMON_FILE__MOUNTON 0x00010000UL
-#define COMMON_SOCKET__IOCTL 0x00000001UL
-#define COMMON_SOCKET__READ 0x00000002UL
-#define COMMON_SOCKET__WRITE 0x00000004UL
-#define COMMON_SOCKET__CREATE 0x00000008UL
-#define COMMON_SOCKET__GETATTR 0x00000010UL
-#define COMMON_SOCKET__SETATTR 0x00000020UL
-#define COMMON_SOCKET__LOCK 0x00000040UL
-#define COMMON_SOCKET__RELABELFROM 0x00000080UL
-#define COMMON_SOCKET__RELABELTO 0x00000100UL
-#define COMMON_SOCKET__APPEND 0x00000200UL
-#define COMMON_SOCKET__BIND 0x00000400UL
-#define COMMON_SOCKET__CONNECT 0x00000800UL
-#define COMMON_SOCKET__LISTEN 0x00001000UL
-#define COMMON_SOCKET__ACCEPT 0x00002000UL
-#define COMMON_SOCKET__GETOPT 0x00004000UL
-#define COMMON_SOCKET__SETOPT 0x00008000UL
-#define COMMON_SOCKET__SHUTDOWN 0x00010000UL
-#define COMMON_SOCKET__RECVFROM 0x00020000UL
-#define COMMON_SOCKET__SENDTO 0x00040000UL
-#define COMMON_SOCKET__RECV_MSG 0x00080000UL
-#define COMMON_SOCKET__SEND_MSG 0x00100000UL
-#define COMMON_SOCKET__NAME_BIND 0x00200000UL
-#define COMMON_IPC__CREATE 0x00000001UL
-#define COMMON_IPC__DESTROY 0x00000002UL
-#define COMMON_IPC__GETATTR 0x00000004UL
-#define COMMON_IPC__SETATTR 0x00000008UL
-#define COMMON_IPC__READ 0x00000010UL
-#define COMMON_IPC__WRITE 0x00000020UL
-#define COMMON_IPC__ASSOCIATE 0x00000040UL
-#define COMMON_IPC__UNIX_READ 0x00000080UL
-#define COMMON_IPC__UNIX_WRITE 0x00000100UL
-#define FILESYSTEM__MOUNT 0x00000001UL
-#define FILESYSTEM__REMOUNT 0x00000002UL
-#define FILESYSTEM__UNMOUNT 0x00000004UL
-#define FILESYSTEM__GETATTR 0x00000008UL
-#define FILESYSTEM__RELABELFROM 0x00000010UL
-#define FILESYSTEM__RELABELTO 0x00000020UL
-#define FILESYSTEM__TRANSITION 0x00000040UL
-#define FILESYSTEM__ASSOCIATE 0x00000080UL
-#define FILESYSTEM__QUOTAMOD 0x00000100UL
-#define FILESYSTEM__QUOTAGET 0x00000200UL
-#define DIR__IOCTL 0x00000001UL
-#define DIR__READ 0x00000002UL
-#define DIR__WRITE 0x00000004UL
-#define DIR__CREATE 0x00000008UL
-#define DIR__GETATTR 0x00000010UL
-#define DIR__SETATTR 0x00000020UL
-#define DIR__LOCK 0x00000040UL
-#define DIR__RELABELFROM 0x00000080UL
-#define DIR__RELABELTO 0x00000100UL
-#define DIR__APPEND 0x00000200UL
-#define DIR__UNLINK 0x00000400UL
-#define DIR__LINK 0x00000800UL
-#define DIR__RENAME 0x00001000UL
-#define DIR__EXECUTE 0x00002000UL
-#define DIR__SWAPON 0x00004000UL
-#define DIR__QUOTAON 0x00008000UL
-#define DIR__MOUNTON 0x00010000UL
-#define DIR__ADD_NAME 0x00020000UL
-#define DIR__REMOVE_NAME 0x00040000UL
-#define DIR__REPARENT 0x00080000UL
-#define DIR__SEARCH 0x00100000UL
-#define DIR__RMDIR 0x00200000UL
-#define DIR__OPEN 0x00400000UL
-#define FILE__IOCTL 0x00000001UL
-#define FILE__READ 0x00000002UL
-#define FILE__WRITE 0x00000004UL
-#define FILE__CREATE 0x00000008UL
-#define FILE__GETATTR 0x00000010UL
-#define FILE__SETATTR 0x00000020UL
-#define FILE__LOCK 0x00000040UL
-#define FILE__RELABELFROM 0x00000080UL
-#define FILE__RELABELTO 0x00000100UL
-#define FILE__APPEND 0x00000200UL
-#define FILE__UNLINK 0x00000400UL
-#define FILE__LINK 0x00000800UL
-#define FILE__RENAME 0x00001000UL
-#define FILE__EXECUTE 0x00002000UL
-#define FILE__SWAPON 0x00004000UL
-#define FILE__QUOTAON 0x00008000UL
-#define FILE__MOUNTON 0x00010000UL
-#define FILE__EXECUTE_NO_TRANS 0x00020000UL
-#define FILE__ENTRYPOINT 0x00040000UL
-#define FILE__EXECMOD 0x00080000UL
-#define FILE__OPEN 0x00100000UL
-#define LNK_FILE__IOCTL 0x00000001UL
-#define LNK_FILE__READ 0x00000002UL
-#define LNK_FILE__WRITE 0x00000004UL
-#define LNK_FILE__CREATE 0x00000008UL
-#define LNK_FILE__GETATTR 0x00000010UL
-#define LNK_FILE__SETATTR 0x00000020UL
-#define LNK_FILE__LOCK 0x00000040UL
-#define LNK_FILE__RELABELFROM 0x00000080UL
-#define LNK_FILE__RELABELTO 0x00000100UL
-#define LNK_FILE__APPEND 0x00000200UL
-#define LNK_FILE__UNLINK 0x00000400UL
-#define LNK_FILE__LINK 0x00000800UL
-#define LNK_FILE__RENAME 0x00001000UL
-#define LNK_FILE__EXECUTE 0x00002000UL
-#define LNK_FILE__SWAPON 0x00004000UL
-#define LNK_FILE__QUOTAON 0x00008000UL
-#define LNK_FILE__MOUNTON 0x00010000UL
-#define CHR_FILE__IOCTL 0x00000001UL
-#define CHR_FILE__READ 0x00000002UL
-#define CHR_FILE__WRITE 0x00000004UL
-#define CHR_FILE__CREATE 0x00000008UL
-#define CHR_FILE__GETATTR 0x00000010UL
-#define CHR_FILE__SETATTR 0x00000020UL
-#define CHR_FILE__LOCK 0x00000040UL
-#define CHR_FILE__RELABELFROM 0x00000080UL
-#define CHR_FILE__RELABELTO 0x00000100UL
-#define CHR_FILE__APPEND 0x00000200UL
-#define CHR_FILE__UNLINK 0x00000400UL
-#define CHR_FILE__LINK 0x00000800UL
-#define CHR_FILE__RENAME 0x00001000UL
-#define CHR_FILE__EXECUTE 0x00002000UL
-#define CHR_FILE__SWAPON 0x00004000UL
-#define CHR_FILE__QUOTAON 0x00008000UL
-#define CHR_FILE__MOUNTON 0x00010000UL
-#define CHR_FILE__EXECUTE_NO_TRANS 0x00020000UL
-#define CHR_FILE__ENTRYPOINT 0x00040000UL
-#define CHR_FILE__EXECMOD 0x00080000UL
-#define CHR_FILE__OPEN 0x00100000UL
-#define BLK_FILE__IOCTL 0x00000001UL
-#define BLK_FILE__READ 0x00000002UL
-#define BLK_FILE__WRITE 0x00000004UL
-#define BLK_FILE__CREATE 0x00000008UL
-#define BLK_FILE__GETATTR 0x00000010UL
-#define BLK_FILE__SETATTR 0x00000020UL
-#define BLK_FILE__LOCK 0x00000040UL
-#define BLK_FILE__RELABELFROM 0x00000080UL
-#define BLK_FILE__RELABELTO 0x00000100UL
-#define BLK_FILE__APPEND 0x00000200UL
-#define BLK_FILE__UNLINK 0x00000400UL
-#define BLK_FILE__LINK 0x00000800UL
-#define BLK_FILE__RENAME 0x00001000UL
-#define BLK_FILE__EXECUTE 0x00002000UL
-#define BLK_FILE__SWAPON 0x00004000UL
-#define BLK_FILE__QUOTAON 0x00008000UL
-#define BLK_FILE__MOUNTON 0x00010000UL
-#define BLK_FILE__OPEN 0x00020000UL
-#define SOCK_FILE__IOCTL 0x00000001UL
-#define SOCK_FILE__READ 0x00000002UL
-#define SOCK_FILE__WRITE 0x00000004UL
-#define SOCK_FILE__CREATE 0x00000008UL
-#define SOCK_FILE__GETATTR 0x00000010UL
-#define SOCK_FILE__SETATTR 0x00000020UL
-#define SOCK_FILE__LOCK 0x00000040UL
-#define SOCK_FILE__RELABELFROM 0x00000080UL
-#define SOCK_FILE__RELABELTO 0x00000100UL
-#define SOCK_FILE__APPEND 0x00000200UL
-#define SOCK_FILE__UNLINK 0x00000400UL
-#define SOCK_FILE__LINK 0x00000800UL
-#define SOCK_FILE__RENAME 0x00001000UL
-#define SOCK_FILE__EXECUTE 0x00002000UL
-#define SOCK_FILE__SWAPON 0x00004000UL
-#define SOCK_FILE__QUOTAON 0x00008000UL
-#define SOCK_FILE__MOUNTON 0x00010000UL
-#define SOCK_FILE__OPEN 0x00020000UL
-#define FIFO_FILE__IOCTL 0x00000001UL
-#define FIFO_FILE__READ 0x00000002UL
-#define FIFO_FILE__WRITE 0x00000004UL
-#define FIFO_FILE__CREATE 0x00000008UL
-#define FIFO_FILE__GETATTR 0x00000010UL
-#define FIFO_FILE__SETATTR 0x00000020UL
-#define FIFO_FILE__LOCK 0x00000040UL
-#define FIFO_FILE__RELABELFROM 0x00000080UL
-#define FIFO_FILE__RELABELTO 0x00000100UL
-#define FIFO_FILE__APPEND 0x00000200UL
-#define FIFO_FILE__UNLINK 0x00000400UL
-#define FIFO_FILE__LINK 0x00000800UL
-#define FIFO_FILE__RENAME 0x00001000UL
-#define FIFO_FILE__EXECUTE 0x00002000UL
-#define FIFO_FILE__SWAPON 0x00004000UL
-#define FIFO_FILE__QUOTAON 0x00008000UL
-#define FIFO_FILE__MOUNTON 0x00010000UL
-#define FIFO_FILE__OPEN 0x00020000UL
-#define FD__USE 0x00000001UL
-#define SOCKET__IOCTL 0x00000001UL
-#define SOCKET__READ 0x00000002UL
-#define SOCKET__WRITE 0x00000004UL
-#define SOCKET__CREATE 0x00000008UL
-#define SOCKET__GETATTR 0x00000010UL
-#define SOCKET__SETATTR 0x00000020UL
-#define SOCKET__LOCK 0x00000040UL
-#define SOCKET__RELABELFROM 0x00000080UL
-#define SOCKET__RELABELTO 0x00000100UL
-#define SOCKET__APPEND 0x00000200UL
-#define SOCKET__BIND 0x00000400UL
-#define SOCKET__CONNECT 0x00000800UL
-#define SOCKET__LISTEN 0x00001000UL
-#define SOCKET__ACCEPT 0x00002000UL
-#define SOCKET__GETOPT 0x00004000UL
-#define SOCKET__SETOPT 0x00008000UL
-#define SOCKET__SHUTDOWN 0x00010000UL
-#define SOCKET__RECVFROM 0x00020000UL
-#define SOCKET__SENDTO 0x00040000UL
-#define SOCKET__RECV_MSG 0x00080000UL
-#define SOCKET__SEND_MSG 0x00100000UL
-#define SOCKET__NAME_BIND 0x00200000UL
-#define TCP_SOCKET__IOCTL 0x00000001UL
-#define TCP_SOCKET__READ 0x00000002UL
-#define TCP_SOCKET__WRITE 0x00000004UL
-#define TCP_SOCKET__CREATE 0x00000008UL
-#define TCP_SOCKET__GETATTR 0x00000010UL
-#define TCP_SOCKET__SETATTR 0x00000020UL
-#define TCP_SOCKET__LOCK 0x00000040UL
-#define TCP_SOCKET__RELABELFROM 0x00000080UL
-#define TCP_SOCKET__RELABELTO 0x00000100UL
-#define TCP_SOCKET__APPEND 0x00000200UL
-#define TCP_SOCKET__BIND 0x00000400UL
-#define TCP_SOCKET__CONNECT 0x00000800UL
-#define TCP_SOCKET__LISTEN 0x00001000UL
-#define TCP_SOCKET__ACCEPT 0x00002000UL
-#define TCP_SOCKET__GETOPT 0x00004000UL
-#define TCP_SOCKET__SETOPT 0x00008000UL
-#define TCP_SOCKET__SHUTDOWN 0x00010000UL
-#define TCP_SOCKET__RECVFROM 0x00020000UL
-#define TCP_SOCKET__SENDTO 0x00040000UL
-#define TCP_SOCKET__RECV_MSG 0x00080000UL
-#define TCP_SOCKET__SEND_MSG 0x00100000UL
-#define TCP_SOCKET__NAME_BIND 0x00200000UL
-#define TCP_SOCKET__CONNECTTO 0x00400000UL
-#define TCP_SOCKET__NEWCONN 0x00800000UL
-#define TCP_SOCKET__ACCEPTFROM 0x01000000UL
-#define TCP_SOCKET__NODE_BIND 0x02000000UL
-#define TCP_SOCKET__NAME_CONNECT 0x04000000UL
-#define UDP_SOCKET__IOCTL 0x00000001UL
-#define UDP_SOCKET__READ 0x00000002UL
-#define UDP_SOCKET__WRITE 0x00000004UL
-#define UDP_SOCKET__CREATE 0x00000008UL
-#define UDP_SOCKET__GETATTR 0x00000010UL
-#define UDP_SOCKET__SETATTR 0x00000020UL
-#define UDP_SOCKET__LOCK 0x00000040UL
-#define UDP_SOCKET__RELABELFROM 0x00000080UL
-#define UDP_SOCKET__RELABELTO 0x00000100UL
-#define UDP_SOCKET__APPEND 0x00000200UL
-#define UDP_SOCKET__BIND 0x00000400UL
-#define UDP_SOCKET__CONNECT 0x00000800UL
-#define UDP_SOCKET__LISTEN 0x00001000UL
-#define UDP_SOCKET__ACCEPT 0x00002000UL
-#define UDP_SOCKET__GETOPT 0x00004000UL
-#define UDP_SOCKET__SETOPT 0x00008000UL
-#define UDP_SOCKET__SHUTDOWN 0x00010000UL
-#define UDP_SOCKET__RECVFROM 0x00020000UL
-#define UDP_SOCKET__SENDTO 0x00040000UL
-#define UDP_SOCKET__RECV_MSG 0x00080000UL
-#define UDP_SOCKET__SEND_MSG 0x00100000UL
-#define UDP_SOCKET__NAME_BIND 0x00200000UL
-#define UDP_SOCKET__NODE_BIND 0x00400000UL
-#define RAWIP_SOCKET__IOCTL 0x00000001UL
-#define RAWIP_SOCKET__READ 0x00000002UL
-#define RAWIP_SOCKET__WRITE 0x00000004UL
-#define RAWIP_SOCKET__CREATE 0x00000008UL
-#define RAWIP_SOCKET__GETATTR 0x00000010UL
-#define RAWIP_SOCKET__SETATTR 0x00000020UL
-#define RAWIP_SOCKET__LOCK 0x00000040UL
-#define RAWIP_SOCKET__RELABELFROM 0x00000080UL
-#define RAWIP_SOCKET__RELABELTO 0x00000100UL
-#define RAWIP_SOCKET__APPEND 0x00000200UL
-#define RAWIP_SOCKET__BIND 0x00000400UL
-#define RAWIP_SOCKET__CONNECT 0x00000800UL
-#define RAWIP_SOCKET__LISTEN 0x00001000UL
-#define RAWIP_SOCKET__ACCEPT 0x00002000UL
-#define RAWIP_SOCKET__GETOPT 0x00004000UL
-#define RAWIP_SOCKET__SETOPT 0x00008000UL
-#define RAWIP_SOCKET__SHUTDOWN 0x00010000UL
-#define RAWIP_SOCKET__RECVFROM 0x00020000UL
-#define RAWIP_SOCKET__SENDTO 0x00040000UL
-#define RAWIP_SOCKET__RECV_MSG 0x00080000UL
-#define RAWIP_SOCKET__SEND_MSG 0x00100000UL
-#define RAWIP_SOCKET__NAME_BIND 0x00200000UL
-#define RAWIP_SOCKET__NODE_BIND 0x00400000UL
-#define NODE__TCP_RECV 0x00000001UL
-#define NODE__TCP_SEND 0x00000002UL
-#define NODE__UDP_RECV 0x00000004UL
-#define NODE__UDP_SEND 0x00000008UL
-#define NODE__RAWIP_RECV 0x00000010UL
-#define NODE__RAWIP_SEND 0x00000020UL
-#define NODE__ENFORCE_DEST 0x00000040UL
-#define NODE__DCCP_RECV 0x00000080UL
-#define NODE__DCCP_SEND 0x00000100UL
-#define NODE__RECVFROM 0x00000200UL
-#define NODE__SENDTO 0x00000400UL
-#define NETIF__TCP_RECV 0x00000001UL
-#define NETIF__TCP_SEND 0x00000002UL
-#define NETIF__UDP_RECV 0x00000004UL
-#define NETIF__UDP_SEND 0x00000008UL
-#define NETIF__RAWIP_RECV 0x00000010UL
-#define NETIF__RAWIP_SEND 0x00000020UL
-#define NETIF__DCCP_RECV 0x00000040UL
-#define NETIF__DCCP_SEND 0x00000080UL
-#define NETIF__INGRESS 0x00000100UL
-#define NETIF__EGRESS 0x00000200UL
-#define NETLINK_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_SOCKET__READ 0x00000002UL
-#define NETLINK_SOCKET__WRITE 0x00000004UL
-#define NETLINK_SOCKET__CREATE 0x00000008UL
-#define NETLINK_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_SOCKET__LOCK 0x00000040UL
-#define NETLINK_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_SOCKET__APPEND 0x00000200UL
-#define NETLINK_SOCKET__BIND 0x00000400UL
-#define NETLINK_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_SOCKET__NAME_BIND 0x00200000UL
-#define PACKET_SOCKET__IOCTL 0x00000001UL
-#define PACKET_SOCKET__READ 0x00000002UL
-#define PACKET_SOCKET__WRITE 0x00000004UL
-#define PACKET_SOCKET__CREATE 0x00000008UL
-#define PACKET_SOCKET__GETATTR 0x00000010UL
-#define PACKET_SOCKET__SETATTR 0x00000020UL
-#define PACKET_SOCKET__LOCK 0x00000040UL
-#define PACKET_SOCKET__RELABELFROM 0x00000080UL
-#define PACKET_SOCKET__RELABELTO 0x00000100UL
-#define PACKET_SOCKET__APPEND 0x00000200UL
-#define PACKET_SOCKET__BIND 0x00000400UL
-#define PACKET_SOCKET__CONNECT 0x00000800UL
-#define PACKET_SOCKET__LISTEN 0x00001000UL
-#define PACKET_SOCKET__ACCEPT 0x00002000UL
-#define PACKET_SOCKET__GETOPT 0x00004000UL
-#define PACKET_SOCKET__SETOPT 0x00008000UL
-#define PACKET_SOCKET__SHUTDOWN 0x00010000UL
-#define PACKET_SOCKET__RECVFROM 0x00020000UL
-#define PACKET_SOCKET__SENDTO 0x00040000UL
-#define PACKET_SOCKET__RECV_MSG 0x00080000UL
-#define PACKET_SOCKET__SEND_MSG 0x00100000UL
-#define PACKET_SOCKET__NAME_BIND 0x00200000UL
-#define KEY_SOCKET__IOCTL 0x00000001UL
-#define KEY_SOCKET__READ 0x00000002UL
-#define KEY_SOCKET__WRITE 0x00000004UL
-#define KEY_SOCKET__CREATE 0x00000008UL
-#define KEY_SOCKET__GETATTR 0x00000010UL
-#define KEY_SOCKET__SETATTR 0x00000020UL
-#define KEY_SOCKET__LOCK 0x00000040UL
-#define KEY_SOCKET__RELABELFROM 0x00000080UL
-#define KEY_SOCKET__RELABELTO 0x00000100UL
-#define KEY_SOCKET__APPEND 0x00000200UL
-#define KEY_SOCKET__BIND 0x00000400UL
-#define KEY_SOCKET__CONNECT 0x00000800UL
-#define KEY_SOCKET__LISTEN 0x00001000UL
-#define KEY_SOCKET__ACCEPT 0x00002000UL
-#define KEY_SOCKET__GETOPT 0x00004000UL
-#define KEY_SOCKET__SETOPT 0x00008000UL
-#define KEY_SOCKET__SHUTDOWN 0x00010000UL
-#define KEY_SOCKET__RECVFROM 0x00020000UL
-#define KEY_SOCKET__SENDTO 0x00040000UL
-#define KEY_SOCKET__RECV_MSG 0x00080000UL
-#define KEY_SOCKET__SEND_MSG 0x00100000UL
-#define KEY_SOCKET__NAME_BIND 0x00200000UL
-#define UNIX_STREAM_SOCKET__IOCTL 0x00000001UL
-#define UNIX_STREAM_SOCKET__READ 0x00000002UL
-#define UNIX_STREAM_SOCKET__WRITE 0x00000004UL
-#define UNIX_STREAM_SOCKET__CREATE 0x00000008UL
-#define UNIX_STREAM_SOCKET__GETATTR 0x00000010UL
-#define UNIX_STREAM_SOCKET__SETATTR 0x00000020UL
-#define UNIX_STREAM_SOCKET__LOCK 0x00000040UL
-#define UNIX_STREAM_SOCKET__RELABELFROM 0x00000080UL
-#define UNIX_STREAM_SOCKET__RELABELTO 0x00000100UL
-#define UNIX_STREAM_SOCKET__APPEND 0x00000200UL
-#define UNIX_STREAM_SOCKET__BIND 0x00000400UL
-#define UNIX_STREAM_SOCKET__CONNECT 0x00000800UL
-#define UNIX_STREAM_SOCKET__LISTEN 0x00001000UL
-#define UNIX_STREAM_SOCKET__ACCEPT 0x00002000UL
-#define UNIX_STREAM_SOCKET__GETOPT 0x00004000UL
-#define UNIX_STREAM_SOCKET__SETOPT 0x00008000UL
-#define UNIX_STREAM_SOCKET__SHUTDOWN 0x00010000UL
-#define UNIX_STREAM_SOCKET__RECVFROM 0x00020000UL
-#define UNIX_STREAM_SOCKET__SENDTO 0x00040000UL
-#define UNIX_STREAM_SOCKET__RECV_MSG 0x00080000UL
-#define UNIX_STREAM_SOCKET__SEND_MSG 0x00100000UL
-#define UNIX_STREAM_SOCKET__NAME_BIND 0x00200000UL
-#define UNIX_STREAM_SOCKET__CONNECTTO 0x00400000UL
-#define UNIX_STREAM_SOCKET__NEWCONN 0x00800000UL
-#define UNIX_STREAM_SOCKET__ACCEPTFROM 0x01000000UL
-#define UNIX_DGRAM_SOCKET__IOCTL 0x00000001UL
-#define UNIX_DGRAM_SOCKET__READ 0x00000002UL
-#define UNIX_DGRAM_SOCKET__WRITE 0x00000004UL
-#define UNIX_DGRAM_SOCKET__CREATE 0x00000008UL
-#define UNIX_DGRAM_SOCKET__GETATTR 0x00000010UL
-#define UNIX_DGRAM_SOCKET__SETATTR 0x00000020UL
-#define UNIX_DGRAM_SOCKET__LOCK 0x00000040UL
-#define UNIX_DGRAM_SOCKET__RELABELFROM 0x00000080UL
-#define UNIX_DGRAM_SOCKET__RELABELTO 0x00000100UL
-#define UNIX_DGRAM_SOCKET__APPEND 0x00000200UL
-#define UNIX_DGRAM_SOCKET__BIND 0x00000400UL
-#define UNIX_DGRAM_SOCKET__CONNECT 0x00000800UL
-#define UNIX_DGRAM_SOCKET__LISTEN 0x00001000UL
-#define UNIX_DGRAM_SOCKET__ACCEPT 0x00002000UL
-#define UNIX_DGRAM_SOCKET__GETOPT 0x00004000UL
-#define UNIX_DGRAM_SOCKET__SETOPT 0x00008000UL
-#define UNIX_DGRAM_SOCKET__SHUTDOWN 0x00010000UL
-#define UNIX_DGRAM_SOCKET__RECVFROM 0x00020000UL
-#define UNIX_DGRAM_SOCKET__SENDTO 0x00040000UL
-#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
-#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
-#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
-#define TUN_SOCKET__IOCTL 0x00000001UL
-#define TUN_SOCKET__READ 0x00000002UL
-#define TUN_SOCKET__WRITE 0x00000004UL
-#define TUN_SOCKET__CREATE 0x00000008UL
-#define TUN_SOCKET__GETATTR 0x00000010UL
-#define TUN_SOCKET__SETATTR 0x00000020UL
-#define TUN_SOCKET__LOCK 0x00000040UL
-#define TUN_SOCKET__RELABELFROM 0x00000080UL
-#define TUN_SOCKET__RELABELTO 0x00000100UL
-#define TUN_SOCKET__APPEND 0x00000200UL
-#define TUN_SOCKET__BIND 0x00000400UL
-#define TUN_SOCKET__CONNECT 0x00000800UL
-#define TUN_SOCKET__LISTEN 0x00001000UL
-#define TUN_SOCKET__ACCEPT 0x00002000UL
-#define TUN_SOCKET__GETOPT 0x00004000UL
-#define TUN_SOCKET__SETOPT 0x00008000UL
-#define TUN_SOCKET__SHUTDOWN 0x00010000UL
-#define TUN_SOCKET__RECVFROM 0x00020000UL
-#define TUN_SOCKET__SENDTO 0x00040000UL
-#define TUN_SOCKET__RECV_MSG 0x00080000UL
-#define TUN_SOCKET__SEND_MSG 0x00100000UL
-#define TUN_SOCKET__NAME_BIND 0x00200000UL
-#define PROCESS__FORK 0x00000001UL
-#define PROCESS__TRANSITION 0x00000002UL
-#define PROCESS__SIGCHLD 0x00000004UL
-#define PROCESS__SIGKILL 0x00000008UL
-#define PROCESS__SIGSTOP 0x00000010UL
-#define PROCESS__SIGNULL 0x00000020UL
-#define PROCESS__SIGNAL 0x00000040UL
-#define PROCESS__PTRACE 0x00000080UL
-#define PROCESS__GETSCHED 0x00000100UL
-#define PROCESS__SETSCHED 0x00000200UL
-#define PROCESS__GETSESSION 0x00000400UL
-#define PROCESS__GETPGID 0x00000800UL
-#define PROCESS__SETPGID 0x00001000UL
-#define PROCESS__GETCAP 0x00002000UL
-#define PROCESS__SETCAP 0x00004000UL
-#define PROCESS__SHARE 0x00008000UL
-#define PROCESS__GETATTR 0x00010000UL
-#define PROCESS__SETEXEC 0x00020000UL
-#define PROCESS__SETFSCREATE 0x00040000UL
-#define PROCESS__NOATSECURE 0x00080000UL
-#define PROCESS__SIGINH 0x00100000UL
-#define PROCESS__SETRLIMIT 0x00200000UL
-#define PROCESS__RLIMITINH 0x00400000UL
-#define PROCESS__DYNTRANSITION 0x00800000UL
-#define PROCESS__SETCURRENT 0x01000000UL
-#define PROCESS__EXECMEM 0x02000000UL
-#define PROCESS__EXECSTACK 0x04000000UL
-#define PROCESS__EXECHEAP 0x08000000UL
-#define PROCESS__SETKEYCREATE 0x10000000UL
-#define PROCESS__SETSOCKCREATE 0x20000000UL
-#define IPC__CREATE 0x00000001UL
-#define IPC__DESTROY 0x00000002UL
-#define IPC__GETATTR 0x00000004UL
-#define IPC__SETATTR 0x00000008UL
-#define IPC__READ 0x00000010UL
-#define IPC__WRITE 0x00000020UL
-#define IPC__ASSOCIATE 0x00000040UL
-#define IPC__UNIX_READ 0x00000080UL
-#define IPC__UNIX_WRITE 0x00000100UL
-#define SEM__CREATE 0x00000001UL
-#define SEM__DESTROY 0x00000002UL
-#define SEM__GETATTR 0x00000004UL
-#define SEM__SETATTR 0x00000008UL
-#define SEM__READ 0x00000010UL
-#define SEM__WRITE 0x00000020UL
-#define SEM__ASSOCIATE 0x00000040UL
-#define SEM__UNIX_READ 0x00000080UL
-#define SEM__UNIX_WRITE 0x00000100UL
-#define MSGQ__CREATE 0x00000001UL
-#define MSGQ__DESTROY 0x00000002UL
-#define MSGQ__GETATTR 0x00000004UL
-#define MSGQ__SETATTR 0x00000008UL
-#define MSGQ__READ 0x00000010UL
-#define MSGQ__WRITE 0x00000020UL
-#define MSGQ__ASSOCIATE 0x00000040UL
-#define MSGQ__UNIX_READ 0x00000080UL
-#define MSGQ__UNIX_WRITE 0x00000100UL
-#define MSGQ__ENQUEUE 0x00000200UL
-#define MSG__SEND 0x00000001UL
-#define MSG__RECEIVE 0x00000002UL
-#define SHM__CREATE 0x00000001UL
-#define SHM__DESTROY 0x00000002UL
-#define SHM__GETATTR 0x00000004UL
-#define SHM__SETATTR 0x00000008UL
-#define SHM__READ 0x00000010UL
-#define SHM__WRITE 0x00000020UL
-#define SHM__ASSOCIATE 0x00000040UL
-#define SHM__UNIX_READ 0x00000080UL
-#define SHM__UNIX_WRITE 0x00000100UL
-#define SHM__LOCK 0x00000200UL
-#define SECURITY__COMPUTE_AV 0x00000001UL
-#define SECURITY__COMPUTE_CREATE 0x00000002UL
-#define SECURITY__COMPUTE_MEMBER 0x00000004UL
-#define SECURITY__CHECK_CONTEXT 0x00000008UL
-#define SECURITY__LOAD_POLICY 0x00000010UL
-#define SECURITY__COMPUTE_RELABEL 0x00000020UL
-#define SECURITY__COMPUTE_USER 0x00000040UL
-#define SECURITY__SETENFORCE 0x00000080UL
-#define SECURITY__SETBOOL 0x00000100UL
-#define SECURITY__SETSECPARAM 0x00000200UL
-#define SECURITY__SETCHECKREQPROT 0x00000400UL
-#define SYSTEM__IPC_INFO 0x00000001UL
-#define SYSTEM__SYSLOG_READ 0x00000002UL
-#define SYSTEM__SYSLOG_MOD 0x00000004UL
-#define SYSTEM__SYSLOG_CONSOLE 0x00000008UL
-#define SYSTEM__MODULE_REQUEST 0x00000010UL
-#define CAPABILITY__CHOWN 0x00000001UL
-#define CAPABILITY__DAC_OVERRIDE 0x00000002UL
-#define CAPABILITY__DAC_READ_SEARCH 0x00000004UL
-#define CAPABILITY__FOWNER 0x00000008UL
-#define CAPABILITY__FSETID 0x00000010UL
-#define CAPABILITY__KILL 0x00000020UL
-#define CAPABILITY__SETGID 0x00000040UL
-#define CAPABILITY__SETUID 0x00000080UL
-#define CAPABILITY__SETPCAP 0x00000100UL
-#define CAPABILITY__LINUX_IMMUTABLE 0x00000200UL
-#define CAPABILITY__NET_BIND_SERVICE 0x00000400UL
-#define CAPABILITY__NET_BROADCAST 0x00000800UL
-#define CAPABILITY__NET_ADMIN 0x00001000UL
-#define CAPABILITY__NET_RAW 0x00002000UL
-#define CAPABILITY__IPC_LOCK 0x00004000UL
-#define CAPABILITY__IPC_OWNER 0x00008000UL
-#define CAPABILITY__SYS_MODULE 0x00010000UL
-#define CAPABILITY__SYS_RAWIO 0x00020000UL
-#define CAPABILITY__SYS_CHROOT 0x00040000UL
-#define CAPABILITY__SYS_PTRACE 0x00080000UL
-#define CAPABILITY__SYS_PACCT 0x00100000UL
-#define CAPABILITY__SYS_ADMIN 0x00200000UL
-#define CAPABILITY__SYS_BOOT 0x00400000UL
-#define CAPABILITY__SYS_NICE 0x00800000UL
-#define CAPABILITY__SYS_RESOURCE 0x01000000UL
-#define CAPABILITY__SYS_TIME 0x02000000UL
-#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
-#define CAPABILITY__MKNOD 0x08000000UL
-#define CAPABILITY__LEASE 0x10000000UL
-#define CAPABILITY__AUDIT_WRITE 0x20000000UL
-#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
-#define CAPABILITY__SETFCAP 0x80000000UL
-#define CAPABILITY2__MAC_OVERRIDE 0x00000001UL
-#define CAPABILITY2__MAC_ADMIN 0x00000002UL
-#define NETLINK_ROUTE_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_ROUTE_SOCKET__READ 0x00000002UL
-#define NETLINK_ROUTE_SOCKET__WRITE 0x00000004UL
-#define NETLINK_ROUTE_SOCKET__CREATE 0x00000008UL
-#define NETLINK_ROUTE_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_ROUTE_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_ROUTE_SOCKET__LOCK 0x00000040UL
-#define NETLINK_ROUTE_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_ROUTE_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_ROUTE_SOCKET__APPEND 0x00000200UL
-#define NETLINK_ROUTE_SOCKET__BIND 0x00000400UL
-#define NETLINK_ROUTE_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_ROUTE_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_ROUTE_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_ROUTE_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_ROUTE_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_ROUTE_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_ROUTE_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_ROUTE_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_ROUTE_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_ROUTE_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_ROUTE_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_ROUTE_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_FIREWALL_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_FIREWALL_SOCKET__READ 0x00000002UL
-#define NETLINK_FIREWALL_SOCKET__WRITE 0x00000004UL
-#define NETLINK_FIREWALL_SOCKET__CREATE 0x00000008UL
-#define NETLINK_FIREWALL_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_FIREWALL_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_FIREWALL_SOCKET__LOCK 0x00000040UL
-#define NETLINK_FIREWALL_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_FIREWALL_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_FIREWALL_SOCKET__APPEND 0x00000200UL
-#define NETLINK_FIREWALL_SOCKET__BIND 0x00000400UL
-#define NETLINK_FIREWALL_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_FIREWALL_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_FIREWALL_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_FIREWALL_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_FIREWALL_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_FIREWALL_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_FIREWALL_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_FIREWALL_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_FIREWALL_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_FIREWALL_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_FIREWALL_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_FIREWALL_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_TCPDIAG_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_TCPDIAG_SOCKET__READ 0x00000002UL
-#define NETLINK_TCPDIAG_SOCKET__WRITE 0x00000004UL
-#define NETLINK_TCPDIAG_SOCKET__CREATE 0x00000008UL
-#define NETLINK_TCPDIAG_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_TCPDIAG_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_TCPDIAG_SOCKET__LOCK 0x00000040UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_TCPDIAG_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_TCPDIAG_SOCKET__APPEND 0x00000200UL
-#define NETLINK_TCPDIAG_SOCKET__BIND 0x00000400UL
-#define NETLINK_TCPDIAG_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_TCPDIAG_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_TCPDIAG_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_TCPDIAG_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_TCPDIAG_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_TCPDIAG_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_TCPDIAG_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_TCPDIAG_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_TCPDIAG_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_TCPDIAG_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_TCPDIAG_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_NFLOG_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_NFLOG_SOCKET__READ 0x00000002UL
-#define NETLINK_NFLOG_SOCKET__WRITE 0x00000004UL
-#define NETLINK_NFLOG_SOCKET__CREATE 0x00000008UL
-#define NETLINK_NFLOG_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_NFLOG_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_NFLOG_SOCKET__LOCK 0x00000040UL
-#define NETLINK_NFLOG_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_NFLOG_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_NFLOG_SOCKET__APPEND 0x00000200UL
-#define NETLINK_NFLOG_SOCKET__BIND 0x00000400UL
-#define NETLINK_NFLOG_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_NFLOG_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_NFLOG_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_NFLOG_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_NFLOG_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_NFLOG_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_NFLOG_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_NFLOG_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_NFLOG_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_NFLOG_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_NFLOG_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_XFRM_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_XFRM_SOCKET__READ 0x00000002UL
-#define NETLINK_XFRM_SOCKET__WRITE 0x00000004UL
-#define NETLINK_XFRM_SOCKET__CREATE 0x00000008UL
-#define NETLINK_XFRM_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_XFRM_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_XFRM_SOCKET__LOCK 0x00000040UL
-#define NETLINK_XFRM_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_XFRM_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_XFRM_SOCKET__APPEND 0x00000200UL
-#define NETLINK_XFRM_SOCKET__BIND 0x00000400UL
-#define NETLINK_XFRM_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_XFRM_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_XFRM_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_XFRM_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_XFRM_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_XFRM_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_XFRM_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_XFRM_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_XFRM_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_XFRM_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_XFRM_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_XFRM_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_SELINUX_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_SELINUX_SOCKET__READ 0x00000002UL
-#define NETLINK_SELINUX_SOCKET__WRITE 0x00000004UL
-#define NETLINK_SELINUX_SOCKET__CREATE 0x00000008UL
-#define NETLINK_SELINUX_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_SELINUX_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_SELINUX_SOCKET__LOCK 0x00000040UL
-#define NETLINK_SELINUX_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_SELINUX_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_SELINUX_SOCKET__APPEND 0x00000200UL
-#define NETLINK_SELINUX_SOCKET__BIND 0x00000400UL
-#define NETLINK_SELINUX_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_SELINUX_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_SELINUX_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_SELINUX_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_SELINUX_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_SELINUX_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_SELINUX_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_SELINUX_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_SELINUX_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_SELINUX_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_SELINUX_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_AUDIT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_AUDIT_SOCKET__READ 0x00000002UL
-#define NETLINK_AUDIT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_AUDIT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_AUDIT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_AUDIT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_AUDIT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_AUDIT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_AUDIT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_AUDIT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_AUDIT_SOCKET__BIND 0x00000400UL
-#define NETLINK_AUDIT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_AUDIT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_AUDIT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_AUDIT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_AUDIT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_AUDIT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_AUDIT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_AUDIT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_AUDIT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_AUDIT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_AUDIT_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_RELAY 0x01000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_READPRIV 0x02000000UL
-#define NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT 0x04000000UL
-#define NETLINK_IP6FW_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_IP6FW_SOCKET__READ 0x00000002UL
-#define NETLINK_IP6FW_SOCKET__WRITE 0x00000004UL
-#define NETLINK_IP6FW_SOCKET__CREATE 0x00000008UL
-#define NETLINK_IP6FW_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_IP6FW_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_IP6FW_SOCKET__LOCK 0x00000040UL
-#define NETLINK_IP6FW_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_IP6FW_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_IP6FW_SOCKET__APPEND 0x00000200UL
-#define NETLINK_IP6FW_SOCKET__BIND 0x00000400UL
-#define NETLINK_IP6FW_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_IP6FW_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_IP6FW_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_IP6FW_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_IP6FW_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_IP6FW_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_IP6FW_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_IP6FW_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_IP6FW_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_IP6FW_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_IP6FW_SOCKET__NAME_BIND 0x00200000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_READ 0x00400000UL
-#define NETLINK_IP6FW_SOCKET__NLMSG_WRITE 0x00800000UL
-#define NETLINK_DNRT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_DNRT_SOCKET__READ 0x00000002UL
-#define NETLINK_DNRT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_DNRT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_DNRT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_DNRT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_DNRT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_DNRT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_DNRT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_DNRT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_DNRT_SOCKET__BIND 0x00000400UL
-#define NETLINK_DNRT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_DNRT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_DNRT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_DNRT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_DNRT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_DNRT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_DNRT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_DNRT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_DNRT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_DNRT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_DNRT_SOCKET__NAME_BIND 0x00200000UL
-#define ASSOCIATION__SENDTO 0x00000001UL
-#define ASSOCIATION__RECVFROM 0x00000002UL
-#define ASSOCIATION__SETCONTEXT 0x00000004UL
-#define ASSOCIATION__POLMATCH 0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
-#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
-#define APPLETALK_SOCKET__IOCTL 0x00000001UL
-#define APPLETALK_SOCKET__READ 0x00000002UL
-#define APPLETALK_SOCKET__WRITE 0x00000004UL
-#define APPLETALK_SOCKET__CREATE 0x00000008UL
-#define APPLETALK_SOCKET__GETATTR 0x00000010UL
-#define APPLETALK_SOCKET__SETATTR 0x00000020UL
-#define APPLETALK_SOCKET__LOCK 0x00000040UL
-#define APPLETALK_SOCKET__RELABELFROM 0x00000080UL
-#define APPLETALK_SOCKET__RELABELTO 0x00000100UL
-#define APPLETALK_SOCKET__APPEND 0x00000200UL
-#define APPLETALK_SOCKET__BIND 0x00000400UL
-#define APPLETALK_SOCKET__CONNECT 0x00000800UL
-#define APPLETALK_SOCKET__LISTEN 0x00001000UL
-#define APPLETALK_SOCKET__ACCEPT 0x00002000UL
-#define APPLETALK_SOCKET__GETOPT 0x00004000UL
-#define APPLETALK_SOCKET__SETOPT 0x00008000UL
-#define APPLETALK_SOCKET__SHUTDOWN 0x00010000UL
-#define APPLETALK_SOCKET__RECVFROM 0x00020000UL
-#define APPLETALK_SOCKET__SENDTO 0x00040000UL
-#define APPLETALK_SOCKET__RECV_MSG 0x00080000UL
-#define APPLETALK_SOCKET__SEND_MSG 0x00100000UL
-#define APPLETALK_SOCKET__NAME_BIND 0x00200000UL
-#define PACKET__SEND 0x00000001UL
-#define PACKET__RECV 0x00000002UL
-#define PACKET__RELABELTO 0x00000004UL
-#define PACKET__FLOW_IN 0x00000008UL
-#define PACKET__FLOW_OUT 0x00000010UL
-#define PACKET__FORWARD_IN 0x00000020UL
-#define PACKET__FORWARD_OUT 0x00000040UL
-#define KEY__VIEW 0x00000001UL
-#define KEY__READ 0x00000002UL
-#define KEY__WRITE 0x00000004UL
-#define KEY__SEARCH 0x00000008UL
-#define KEY__LINK 0x00000010UL
-#define KEY__SETATTR 0x00000020UL
-#define KEY__CREATE 0x00000040UL
-#define DCCP_SOCKET__IOCTL 0x00000001UL
-#define DCCP_SOCKET__READ 0x00000002UL
-#define DCCP_SOCKET__WRITE 0x00000004UL
-#define DCCP_SOCKET__CREATE 0x00000008UL
-#define DCCP_SOCKET__GETATTR 0x00000010UL
-#define DCCP_SOCKET__SETATTR 0x00000020UL
-#define DCCP_SOCKET__LOCK 0x00000040UL
-#define DCCP_SOCKET__RELABELFROM 0x00000080UL
-#define DCCP_SOCKET__RELABELTO 0x00000100UL
-#define DCCP_SOCKET__APPEND 0x00000200UL
-#define DCCP_SOCKET__BIND 0x00000400UL
-#define DCCP_SOCKET__CONNECT 0x00000800UL
-#define DCCP_SOCKET__LISTEN 0x00001000UL
-#define DCCP_SOCKET__ACCEPT 0x00002000UL
-#define DCCP_SOCKET__GETOPT 0x00004000UL
-#define DCCP_SOCKET__SETOPT 0x00008000UL
-#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
-#define DCCP_SOCKET__RECVFROM 0x00020000UL
-#define DCCP_SOCKET__SENDTO 0x00040000UL
-#define DCCP_SOCKET__RECV_MSG 0x00080000UL
-#define DCCP_SOCKET__SEND_MSG 0x00100000UL
-#define DCCP_SOCKET__NAME_BIND 0x00200000UL
-#define DCCP_SOCKET__NODE_BIND 0x00400000UL
-#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL
-#define MEMPROTECT__MMAP_ZERO 0x00000001UL
-#define PEER__RECV 0x00000001UL
-#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
-#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdfe..4677aa519b04 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
int avc_ss_reset(u32 seqno);
-struct av_perm_to_string {
- u16 tclass;
- u32 value;
+/* Class/perm mapping support */
+struct security_class_mapping {
const char *name;
+ const char *perms[sizeof(u32) * 8 + 1];
};
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
-struct selinux_class_perm {
- const struct av_perm_to_string *av_perm_to_string;
- u32 av_pts_len;
- u32 cts_len;
- const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
-};
+extern struct security_class_mapping secclass_map[];
#endif /* _SELINUX_AVC_SS_H_ */
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6b..000000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-/*
- * Security object class definitions
- */
- S_(NULL)
- S_("security")
- S_("process")
- S_("system")
- S_("capability")
- S_("filesystem")
- S_("file")
- S_("dir")
- S_("fd")
- S_("lnk_file")
- S_("chr_file")
- S_("blk_file")
- S_("sock_file")
- S_("fifo_file")
- S_("socket")
- S_("tcp_socket")
- S_("udp_socket")
- S_("rawip_socket")
- S_("node")
- S_("netif")
- S_("netlink_socket")
- S_("packet_socket")
- S_("key_socket")
- S_("unix_stream_socket")
- S_("unix_dgram_socket")
- S_("sem")
- S_("msg")
- S_("msgq")
- S_("shm")
- S_("ipc")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("netlink_route_socket")
- S_("netlink_firewall_socket")
- S_("netlink_tcpdiag_socket")
- S_("netlink_nflog_socket")
- S_("netlink_xfrm_socket")
- S_("netlink_selinux_socket")
- S_("netlink_audit_socket")
- S_("netlink_ip6fw_socket")
- S_("netlink_dnrt_socket")
- S_(NULL)
- S_(NULL)
- S_("association")
- S_("netlink_kobject_uevent_socket")
- S_("appletalk_socket")
- S_("packet")
- S_("key")
- S_(NULL)
- S_("dccp_socket")
- S_("memprotect")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("peer")
- S_("capability2")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("kernel_service")
- S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 000000000000..8b32e959bb2e
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
+#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
+ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+
+#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
+ "rename", "execute", "swapon", "quotaon", "mounton"
+
+#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
+ "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
+ "sendto", "recv_msg", "send_msg", "name_bind"
+
+#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
+ "write", "associate", "unix_read", "unix_write"
+
+struct security_class_mapping secclass_map[] = {
+ { "security",
+ { "compute_av", "compute_create", "compute_member",
+ "check_context", "load_policy", "compute_relabel",
+ "compute_user", "setenforce", "setbool", "setsecparam",
+ "setcheckreqprot", NULL } },
+ { "process",
+ { "fork", "transition", "sigchld", "sigkill",
+ "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
+ "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
+ "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ "execmem", "execstack", "execheap", "setkeycreate",
+ "setsockcreate", NULL } },
+ { "system",
+ { "ipc_info", "syslog_read", "syslog_mod",
+ "syslog_console", "module_request", NULL } },
+ { "capability",
+ { "chown", "dac_override", "dac_read_search",
+ "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
+ "linux_immutable", "net_bind_service", "net_broadcast",
+ "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
+ "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
+ "sys_boot", "sys_nice", "sys_resource", "sys_time",
+ "sys_tty_config", "mknod", "lease", "audit_write",
+ "audit_control", "setfcap", NULL } },
+ { "filesystem",
+ { "mount", "remount", "unmount", "getattr",
+ "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+ "quotaget", NULL } },
+ { "file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "dir",
+ { COMMON_FILE_PERMS, "add_name", "remove_name",
+ "reparent", "search", "rmdir", "open", NULL } },
+ { "fd", { "use", NULL } },
+ { "lnk_file",
+ { COMMON_FILE_PERMS, NULL } },
+ { "chr_file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "blk_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "sock_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "fifo_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "tcp_socket",
+ { COMMON_SOCK_PERMS,
+ "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+ NULL } },
+ { "udp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "rawip_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "node",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "enforce_dest",
+ "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+ { "netif",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
+ "ingress", "egress", NULL } },
+ { "netlink_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "key_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "unix_stream_socket",
+ { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
+ } },
+ { "unix_dgram_socket",
+ { COMMON_SOCK_PERMS, NULL
+ } },
+ { "sem",
+ { COMMON_IPC_PERMS, NULL } },
+ { "msg", { "send", "receive", NULL } },
+ { "msgq",
+ { COMMON_IPC_PERMS, "enqueue", NULL } },
+ { "shm",
+ { COMMON_IPC_PERMS, "lock", NULL } },
+ { "ipc",
+ { COMMON_IPC_PERMS, NULL } },
+ { "netlink_route_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_firewall_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_tcpdiag_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_nflog_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_xfrm_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_selinux_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_audit_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
+ "nlmsg_tty_audit", NULL } },
+ { "netlink_ip6fw_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_dnrt_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "association",
+ { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
+ { "netlink_kobject_uevent_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "appletalk_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet",
+ { "send", "recv", "relabelto", "flow_in", "flow_out",
+ "forward_in", "forward_out", NULL } },
+ { "key",
+ { "view", "read", "write", "search", "link", "setattr", "create",
+ NULL } },
+ { "dccp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", "name_connect", NULL } },
+ { "memprotect", { "mmap_zero", NULL } },
+ { "peer", { "recv", NULL } },
+ { "capability2", { "mac_override", "mac_admin", NULL } },
+ { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+ { "tun_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { NULL }
+ };
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9dd..000000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-TB_(common_file_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("unlink")
- S_("link")
- S_("rename")
- S_("execute")
- S_("swapon")
- S_("quotaon")
- S_("mounton")
-TE_(common_file_perm_to_string)
-
-TB_(common_socket_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("bind")
- S_("connect")
- S_("listen")
- S_("accept")
- S_("getopt")
- S_("setopt")
- S_("shutdown")
- S_("recvfrom")
- S_("sendto")
- S_("recv_msg")
- S_("send_msg")
- S_("name_bind")
-TE_(common_socket_perm_to_string)
-
-TB_(common_ipc_perm_to_string)
- S_("create")
- S_("destroy")
- S_("getattr")
- S_("setattr")
- S_("read")
- S_("write")
- S_("associate")
- S_("unix_read")
- S_("unix_write")
-TE_(common_ipc_perm_to_string)
-
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
deleted file mode 100644
index f248500a1e3c..000000000000
--- a/security/selinux/include/flask.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-#ifndef _SELINUX_FLASK_H_
-#define _SELINUX_FLASK_H_
-
-/*
- * Security object class definitions
- */
-#define SECCLASS_SECURITY 1
-#define SECCLASS_PROCESS 2
-#define SECCLASS_SYSTEM 3
-#define SECCLASS_CAPABILITY 4
-#define SECCLASS_FILESYSTEM 5
-#define SECCLASS_FILE 6
-#define SECCLASS_DIR 7
-#define SECCLASS_FD 8
-#define SECCLASS_LNK_FILE 9
-#define SECCLASS_CHR_FILE 10
-#define SECCLASS_BLK_FILE 11
-#define SECCLASS_SOCK_FILE 12
-#define SECCLASS_FIFO_FILE 13
-#define SECCLASS_SOCKET 14
-#define SECCLASS_TCP_SOCKET 15
-#define SECCLASS_UDP_SOCKET 16
-#define SECCLASS_RAWIP_SOCKET 17
-#define SECCLASS_NODE 18
-#define SECCLASS_NETIF 19
-#define SECCLASS_NETLINK_SOCKET 20
-#define SECCLASS_PACKET_SOCKET 21
-#define SECCLASS_KEY_SOCKET 22
-#define SECCLASS_UNIX_STREAM_SOCKET 23
-#define SECCLASS_UNIX_DGRAM_SOCKET 24
-#define SECCLASS_SEM 25
-#define SECCLASS_MSG 26
-#define SECCLASS_MSGQ 27
-#define SECCLASS_SHM 28
-#define SECCLASS_IPC 29
-#define SECCLASS_NETLINK_ROUTE_SOCKET 43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
-#define SECCLASS_NETLINK_NFLOG_SOCKET 46
-#define SECCLASS_NETLINK_XFRM_SOCKET 47
-#define SECCLASS_NETLINK_SELINUX_SOCKET 48
-#define SECCLASS_NETLINK_AUDIT_SOCKET 49
-#define SECCLASS_NETLINK_IP6FW_SOCKET 50
-#define SECCLASS_NETLINK_DNRT_SOCKET 51
-#define SECCLASS_ASSOCIATION 54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
-#define SECCLASS_APPLETALK_SOCKET 56
-#define SECCLASS_PACKET 57
-#define SECCLASS_KEY 58
-#define SECCLASS_DCCP_SOCKET 60
-#define SECCLASS_MEMPROTECT 61
-#define SECCLASS_PEER 68
-#define SECCLASS_CAPABILITY2 69
-#define SECCLASS_KERNEL_SERVICE 74
-#define SECCLASS_TUN_SOCKET 75
-
-/*
- * Security identifier indices for initial entities
- */
-#define SECINITSID_KERNEL 1
-#define SECINITSID_SECURITY 2
-#define SECINITSID_UNLABELED 3
-#define SECINITSID_FS 4
-#define SECINITSID_FILE 5
-#define SECINITSID_FILE_LABELS 6
-#define SECINITSID_INIT 7
-#define SECINITSID_ANY_SOCKET 8
-#define SECINITSID_PORT 9
-#define SECINITSID_NETIF 10
-#define SECINITSID_NETMSG 11
-#define SECINITSID_NODE 12
-#define SECINITSID_IGMP_PACKET 13
-#define SECINITSID_ICMP_SOCKET 14
-#define SECINITSID_TCP_SOCKET 15
-#define SECINITSID_SYSCTL_MODPROBE 16
-#define SECINITSID_SYSCTL 17
-#define SECINITSID_SYSCTL_FS 18
-#define SECINITSID_SYSCTL_KERNEL 19
-#define SECINITSID_SYSCTL_NET 20
-#define SECINITSID_SYSCTL_NET_UNIX 21
-#define SECINITSID_SYSCTL_VM 22
-#define SECINITSID_SYSCTL_DEV 23
-#define SECINITSID_KMOD 24
-#define SECINITSID_POLICY 25
-#define SECINITSID_SCMP_PACKET 26
-#define SECINITSID_DEVNULL 27
-
-#define SECINITSID_NUM 27
-
-#endif
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b3..2553266ad793 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
#define AVD_FLAGS_PERMISSIVE 0x0001
int security_compute_av(u32 ssid, u32 tsid,
- u16 tclass, u32 requested,
- struct av_decision *avd);
+ u16 tclass, u32 requested,
+ struct av_decision *avd);
+
+int security_compute_av_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct av_decision *avd);
int security_transition_sid(u32 ssid, u32 tsid,
- u16 tclass, u32 *out_sid);
+ u16 tclass, u32 *out_sid);
+
+int security_transition_sid_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 *out_sid);
int security_member_sid(u32 ssid, u32 tsid,
u16 tclass, u32 *out_sid);
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b4fc506e7a87..fab36fdf2769 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -522,7 +522,7 @@ static ssize_t sel_write_access(struct file *file, char *buf, size_t size)
if (length < 0)
goto out2;
- length = security_compute_av(ssid, tsid, tclass, req, &avd);
+ length = security_compute_av_user(ssid, tsid, tclass, req, &avd);
if (length < 0)
goto out2;
@@ -571,7 +571,7 @@ static ssize_t sel_write_create(struct file *file, char *buf, size_t size)
if (length < 0)
goto out2;
- length = security_transition_sid(ssid, tsid, tclass, &newsid);
+ length = security_transition_sid_user(ssid, tsid, tclass, &newsid);
if (length < 0)
goto out2;
diff --git a/security/selinux/ss/Makefile b/security/selinux/ss/Makefile
index bad78779b9b0..15d4e62917de 100644
--- a/security/selinux/ss/Makefile
+++ b/security/selinux/ss/Makefile
@@ -2,7 +2,7 @@
# Makefile for building the SELinux security server as part of the kernel tree.
#
-EXTRA_CFLAGS += -Isecurity/selinux/include
+EXTRA_CFLAGS += -Isecurity/selinux -Isecurity/selinux/include
obj-y := ss.o
ss-y := ebitmap.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o conditional.o mls.o
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index b5407f16c2a4..3f2b2706b5bb 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -532,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
}
/* Fallthrough */
case AVTAB_CHANGE:
- if (tclass == SECCLASS_PROCESS)
+ if (tclass == policydb.process_class)
/* Use the process MLS attributes. */
return mls_context_cpy(newcontext, scontext);
else
diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c
index 72e4a54973aa..f03667213ea8 100644
--- a/security/selinux/ss/policydb.c
+++ b/security/selinux/ss/policydb.c
@@ -713,7 +713,6 @@ void policydb_destroy(struct policydb *p)
ebitmap_destroy(&p->type_attr_map[i]);
}
kfree(p->type_attr_map);
- kfree(p->undefined_perms);
ebitmap_destroy(&p->policycaps);
ebitmap_destroy(&p->permissive_map);
@@ -1640,6 +1639,40 @@ static int policydb_bounds_sanity_check(struct policydb *p)
extern int ss_initialized;
+u16 string_to_security_class(struct policydb *p, const char *name)
+{
+ struct class_datum *cladatum;
+
+ cladatum = hashtab_search(p->p_classes.table, name);
+ if (!cladatum)
+ return 0;
+
+ return cladatum->value;
+}
+
+u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name)
+{
+ struct class_datum *cladatum;
+ struct perm_datum *perdatum = NULL;
+ struct common_datum *comdatum;
+
+ if (!tclass || tclass > p->p_classes.nprim)
+ return 0;
+
+ cladatum = p->class_val_to_struct[tclass-1];
+ comdatum = cladatum->comdatum;
+ if (comdatum)
+ perdatum = hashtab_search(comdatum->permissions.table,
+ name);
+ if (!perdatum)
+ perdatum = hashtab_search(cladatum->permissions.table,
+ name);
+ if (!perdatum)
+ return 0;
+
+ return 1U << (perdatum->value-1);
+}
+
/*
* Read the configuration data from a policy database binary
* representation file into a policy database structure.
@@ -1861,6 +1894,16 @@ int policydb_read(struct policydb *p, void *fp)
if (rc)
goto bad;
+ p->process_class = string_to_security_class(p, "process");
+ if (!p->process_class)
+ goto bad;
+ p->process_trans_perms = string_to_av_perm(p, p->process_class,
+ "transition");
+ p->process_trans_perms |= string_to_av_perm(p, p->process_class,
+ "dyntransition");
+ if (!p->process_trans_perms)
+ goto bad;
+
for (i = 0; i < info->ocon_num; i++) {
rc = next_entry(buf, fp, sizeof(u32));
if (rc < 0)
@@ -2101,7 +2144,7 @@ int policydb_read(struct policydb *p, void *fp)
goto bad;
rt->target_class = le32_to_cpu(buf[0]);
} else
- rt->target_class = SECCLASS_PROCESS;
+ rt->target_class = p->process_class;
if (!policydb_type_isvalid(p, rt->source_type) ||
!policydb_type_isvalid(p, rt->target_type) ||
!policydb_class_isvalid(p, rt->target_class)) {
diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h
index 55152d498b53..cdcc5700946f 100644
--- a/security/selinux/ss/policydb.h
+++ b/security/selinux/ss/policydb.h
@@ -254,7 +254,9 @@ struct policydb {
unsigned int reject_unknown : 1;
unsigned int allow_unknown : 1;
- u32 *undefined_perms;
+
+ u16 process_class;
+ u32 process_trans_perms;
};
extern void policydb_destroy(struct policydb *p);
@@ -295,5 +297,8 @@ static inline int next_entry(void *buf, struct policy_file *fp, size_t bytes)
return 0;
}
+extern u16 string_to_security_class(struct policydb *p, const char *name);
+extern u32 string_to_av_perm(struct policydb *p, u16 tclass, const char *name);
+
#endif /* _SS_POLICYDB_H_ */
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index ff17820d35ec..d6bb20cbad62 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -65,16 +65,10 @@
#include "audit.h"
extern void selnl_notify_policyload(u32 seqno);
-unsigned int policydb_loaded_version;
int selinux_policycap_netpeer;
int selinux_policycap_openperm;
-/*
- * This is declared in avc.c
- */
-extern const struct selinux_class_perm selinux_class_perm;
-
static DEFINE_RWLOCK(policy_rwlock);
static struct sidtab sidtab;
@@ -98,6 +92,165 @@ static int context_struct_compute_av(struct context *scontext,
u16 tclass,
u32 requested,
struct av_decision *avd);
+
+struct selinux_mapping {
+ u16 value; /* policy value */
+ unsigned num_perms;
+ u32 perms[sizeof(u32) * 8];
+};
+
+static struct selinux_mapping *current_mapping;
+static u16 current_mapping_size;
+
+static int selinux_set_mapping(struct policydb *pol,
+ struct security_class_mapping *map,
+ struct selinux_mapping **out_map_p,
+ u16 *out_map_size)
+{
+ struct selinux_mapping *out_map = NULL;
+ size_t size = sizeof(struct selinux_mapping);
+ u16 i, j;
+ unsigned k;
+ bool print_unknown_handle = false;
+
+ /* Find number of classes in the input mapping */
+ if (!map)
+ return -EINVAL;
+ i = 0;
+ while (map[i].name)
+ i++;
+
+ /* Allocate space for the class records, plus one for class zero */
+ out_map = kcalloc(++i, size, GFP_ATOMIC);
+ if (!out_map)
+ return -ENOMEM;
+
+ /* Store the raw class and permission values */
+ j = 0;
+ while (map[j].name) {
+ struct security_class_mapping *p_in = map + (j++);
+ struct selinux_mapping *p_out = out_map + j;
+
+ /* An empty class string skips ahead */
+ if (!strcmp(p_in->name, "")) {
+ p_out->num_perms = 0;
+ continue;
+ }
+
+ p_out->value = string_to_security_class(pol, p_in->name);
+ if (!p_out->value) {
+ printk(KERN_INFO
+ "SELinux: Class %s not defined in policy.\n",
+ p_in->name);
+ if (pol->reject_unknown)
+ goto err;
+ p_out->num_perms = 0;
+ print_unknown_handle = true;
+ continue;
+ }
+
+ k = 0;
+ while (p_in->perms && p_in->perms[k]) {
+ /* An empty permission string skips ahead */
+ if (!*p_in->perms[k]) {
+ k++;
+ continue;
+ }
+ p_out->perms[k] = string_to_av_perm(pol, p_out->value,
+ p_in->perms[k]);
+ if (!p_out->perms[k]) {
+ printk(KERN_INFO
+ "SELinux: Permission %s in class %s not defined in policy.\n",
+ p_in->perms[k], p_in->name);
+ if (pol->reject_unknown)
+ goto err;
+ print_unknown_handle = true;
+ }
+
+ k++;
+ }
+ p_out->num_perms = k;
+ }
+
+ if (print_unknown_handle)
+ printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+ pol->allow_unknown ? "allowed" : "denied");
+
+ *out_map_p = out_map;
+ *out_map_size = i;
+ return 0;
+err:
+ kfree(out_map);
+ return -EINVAL;
+}
+
+/*
+ * Get real, policy values from mapped values
+ */
+
+static u16 unmap_class(u16 tclass)
+{
+ if (tclass < current_mapping_size)
+ return current_mapping[tclass].value;
+
+ return tclass;
+}
+
+static u32 unmap_perm(u16 tclass, u32 tperm)
+{
+ if (tclass < current_mapping_size) {
+ unsigned i;
+ u32 kperm = 0;
+
+ for (i = 0; i < current_mapping[tclass].num_perms; i++)
+ if (tperm & (1<<i)) {
+ kperm |= current_mapping[tclass].perms[i];
+ tperm &= ~(1<<i);
+ }
+ return kperm;
+ }
+
+ return tperm;
+}
+
+static void map_decision(u16 tclass, struct av_decision *avd,
+ int allow_unknown)
+{
+ if (tclass < current_mapping_size) {
+ unsigned i, n = current_mapping[tclass].num_perms;
+ u32 result;
+
+ for (i = 0, result = 0; i < n; i++) {
+ if (avd->allowed & current_mapping[tclass].perms[i])
+ result |= 1<<i;
+ if (allow_unknown && !current_mapping[tclass].perms[i])
+ result |= 1<<i;
+ }
+ avd->allowed = result;
+
+ for (i = 0, result = 0; i < n; i++)
+ if (avd->auditallow & current_mapping[tclass].perms[i])
+ result |= 1<<i;
+ avd->auditallow = result;
+
+ for (i = 0, result = 0; i < n; i++) {
+ if (avd->auditdeny & current_mapping[tclass].perms[i])
+ result |= 1<<i;
+ if (!allow_unknown && !current_mapping[tclass].perms[i])
+ result |= 1<<i;
+ }
+ /*
+ * In case the kernel has a bug and requests a permission
+ * between num_perms and the maximum permission number, we
+ * should audit that denial
+ */
+ for (; i < (sizeof(u32)*8); i++)
+ result |= 1<<i;
+ avd->auditdeny = result;
+ }
+}
+
+
/*
* Return the boolean value of a constraint expression
* when it is applied to the specified source and target
@@ -467,21 +620,9 @@ static int context_struct_compute_av(struct context *scontext,
struct class_datum *tclass_datum;
struct ebitmap *sattr, *tattr;
struct ebitmap_node *snode, *tnode;
- const struct selinux_class_perm *kdefs = &selinux_class_perm;
unsigned int i, j;
/*
- * Remap extended Netlink classes for old policy versions.
- * Do this here rather than socket_type_to_security_class()
- * in case a newer policy version is loaded, allowing sockets
- * to remain in the correct class.
- */
- if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
- if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
- tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
- tclass = SECCLASS_NETLINK_SOCKET;
-
- /*
* Initialize the access vectors to the default values.
*/
avd->allowed = 0;
@@ -490,33 +631,11 @@ static int context_struct_compute_av(struct context *scontext,
avd->seqno = latest_granting;
avd->flags = 0;
- /*
- * Check for all the invalid cases.
- * - tclass 0
- * - tclass > policy and > kernel
- * - tclass > policy but is a userspace class
- * - tclass > policy but we do not allow unknowns
- */
- if (unlikely(!tclass))
- goto inval_class;
- if (unlikely(tclass > policydb.p_classes.nprim))
- if (tclass > kdefs->cts_len ||
- !kdefs->class_to_string[tclass] ||
- !policydb.allow_unknown)
- goto inval_class;
-
- /*
- * Kernel class and we allow unknown so pad the allow decision
- * the pad will be all 1 for unknown classes.
- */
- if (tclass <= kdefs->cts_len && policydb.allow_unknown)
- avd->allowed = policydb.undefined_perms[tclass - 1];
-
- /*
- * Not in policy. Since decision is completed (all 1 or all 0) return.
- */
- if (unlikely(tclass > policydb.p_classes.nprim))
- return 0;
+ if (unlikely(!tclass || tclass > policydb.p_classes.nprim)) {
+ if (printk_ratelimit())
+ printk(KERN_WARNING "SELinux: Invalid class %hu\n", tclass);
+ return -EINVAL;
+ }
tclass_datum = policydb.class_val_to_struct[tclass - 1];
@@ -568,8 +687,8 @@ static int context_struct_compute_av(struct context *scontext,
* role is changing, then check the (current_role, new_role)
* pair.
*/
- if (tclass == SECCLASS_PROCESS &&
- (avd->allowed & (PROCESS__TRANSITION | PROCESS__DYNTRANSITION)) &&
+ if (tclass == policydb.process_class &&
+ (avd->allowed & policydb.process_trans_perms) &&
scontext->role != tcontext->role) {
for (ra = policydb.role_allow; ra; ra = ra->next) {
if (scontext->role == ra->role &&
@@ -577,8 +696,7 @@ static int context_struct_compute_av(struct context *scontext,
break;
}
if (!ra)
- avd->allowed &= ~(PROCESS__TRANSITION |
- PROCESS__DYNTRANSITION);
+ avd->allowed &= ~policydb.process_trans_perms;
}
/*
@@ -590,21 +708,6 @@ static int context_struct_compute_av(struct context *scontext,
tclass, requested, avd);
return 0;
-
-inval_class:
- if (!tclass || tclass > kdefs->cts_len ||
- !kdefs->class_to_string[tclass]) {
- if (printk_ratelimit())
- printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
- __func__, tclass);
- return -EINVAL;
- }
-
- /*
- * Known to the kernel, but not to the policy.
- * Handle as a denial (allowed is 0).
- */
- return 0;
}
static int security_validtrans_handle_fail(struct context *ocontext,
@@ -636,13 +739,14 @@ out:
}
int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
- u16 tclass)
+ u16 orig_tclass)
{
struct context *ocontext;
struct context *ncontext;
struct context *tcontext;
struct class_datum *tclass_datum;
struct constraint_node *constraint;
+ u16 tclass;
int rc = 0;
if (!ss_initialized)
@@ -650,16 +754,7 @@ int security_validate_transition(u32 oldsid, u32 newsid, u32 tasksid,
read_lock(&policy_rwlock);
- /*
- * Remap extended Netlink classes for old policy versions.
- * Do this here rather than socket_type_to_security_class()
- * in case a newer policy version is loaded, allowing sockets
- * to remain in the correct class.
- */
- if (policydb_loaded_version < POLICYDB_VERSION_NLCLASS)
- if (tclass >= SECCLASS_NETLINK_ROUTE_SOCKET &&
- tclass <= SECCLASS_NETLINK_DNRT_SOCKET)
- tclass = SECCLASS_NETLINK_SOCKET;
+ tclass = unmap_class(orig_tclass);
if (!tclass || tclass > policydb.p_classes.nprim) {
printk(KERN_ERR "SELinux: %s: unrecognized class %d\n",
@@ -792,6 +887,38 @@ out:
}
+static int security_compute_av_core(u32 ssid,
+ u32 tsid,
+ u16 tclass,
+ u32 requested,
+ struct av_decision *avd)
+{
+ struct context *scontext = NULL, *tcontext = NULL;
+ int rc = 0;
+
+ scontext = sidtab_search(&sidtab, ssid);
+ if (!scontext) {
+ printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+ __func__, ssid);
+ return -EINVAL;
+ }
+ tcontext = sidtab_search(&sidtab, tsid);
+ if (!tcontext) {
+ printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
+ __func__, tsid);
+ return -EINVAL;
+ }
+
+ rc = context_struct_compute_av(scontext, tcontext, tclass,
+ requested, avd);
+
+ /* permissive domain? */
+ if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
+ avd->flags |= AVD_FLAGS_PERMISSIVE;
+
+ return rc;
+}
+
/**
* security_compute_av - Compute access vector decisions.
* @ssid: source security identifier
@@ -807,12 +934,49 @@ out:
*/
int security_compute_av(u32 ssid,
u32 tsid,
- u16 tclass,
- u32 requested,
+ u16 orig_tclass,
+ u32 orig_requested,
struct av_decision *avd)
{
- struct context *scontext = NULL, *tcontext = NULL;
- int rc = 0;
+ u16 tclass;
+ u32 requested;
+ int rc;
+
+ read_lock(&policy_rwlock);
+
+ if (!ss_initialized)
+ goto allow;
+
+ requested = unmap_perm(orig_tclass, orig_requested);
+ tclass = unmap_class(orig_tclass);
+ if (unlikely(orig_tclass && !tclass)) {
+ if (policydb.allow_unknown)
+ goto allow;
+ rc = -EINVAL;
+ goto out;
+ }
+ rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
+ map_decision(orig_tclass, avd, policydb.allow_unknown);
+out:
+ read_unlock(&policy_rwlock);
+ return rc;
+allow:
+ avd->allowed = 0xffffffff;
+ avd->auditallow = 0;
+ avd->auditdeny = 0xffffffff;
+ avd->seqno = latest_granting;
+ avd->flags = 0;
+ rc = 0;
+ goto out;
+}
+
+int security_compute_av_user(u32 ssid,
+ u32 tsid,
+ u16 tclass,
+ u32 requested,
+ struct av_decision *avd)
+{
+ int rc;
if (!ss_initialized) {
avd->allowed = 0xffffffff;
@@ -823,29 +987,7 @@ int security_compute_av(u32 ssid,
}
read_lock(&policy_rwlock);
-
- scontext = sidtab_search(&sidtab, ssid);
- if (!scontext) {
- printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
- __func__, ssid);
- rc = -EINVAL;
- goto out;
- }
- tcontext = sidtab_search(&sidtab, tsid);
- if (!tcontext) {
- printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
- __func__, tsid);
- rc = -EINVAL;
- goto out;
- }
-
- rc = context_struct_compute_av(scontext, tcontext, tclass,
- requested, avd);
-
- /* permissive domain? */
- if (ebitmap_get_bit(&policydb.permissive_map, scontext->type))
- avd->flags |= AVD_FLAGS_PERMISSIVE;
-out:
+ rc = security_compute_av_core(ssid, tsid, tclass, requested, avd);
read_unlock(&policy_rwlock);
return rc;
}
@@ -1204,20 +1346,22 @@ out:
static int security_compute_sid(u32 ssid,
u32 tsid,
- u16 tclass,
+ u16 orig_tclass,
u32 specified,
- u32 *out_sid)
+ u32 *out_sid,
+ bool kern)
{
struct context *scontext = NULL, *tcontext = NULL, newcontext;
struct role_trans *roletr = NULL;
struct avtab_key avkey;
struct avtab_datum *avdatum;
struct avtab_node *node;
+ u16 tclass;
int rc = 0;
if (!ss_initialized) {
- switch (tclass) {
- case SECCLASS_PROCESS:
+ switch (orig_tclass) {
+ case SECCLASS_PROCESS: /* kernel value */
*out_sid = ssid;
break;
default:
@@ -1231,6 +1375,11 @@ static int security_compute_sid(u32 ssid,
read_lock(&policy_rwlock);
+ if (kern)
+ tclass = unmap_class(orig_tclass);
+ else
+ tclass = orig_tclass;
+
scontext = sidtab_search(&sidtab, ssid);
if (!scontext) {
printk(KERN_ERR "SELinux: %s: unrecognized SID %d\n",
@@ -1260,13 +1409,11 @@ static int security_compute_sid(u32 ssid,
}
/* Set the role and type to default values. */
- switch (tclass) {
- case SECCLASS_PROCESS:
+ if (tclass == policydb.process_class) {
/* Use the current role and type of process. */
newcontext.role = scontext->role;
newcontext.type = scontext->type;
- break;
- default:
+ } else {
/* Use the well-defined object role. */
newcontext.role = OBJECT_R_VAL;
/* Use the type of the related object. */
@@ -1297,8 +1444,7 @@ static int security_compute_sid(u32 ssid,
}
/* Check for class-specific changes. */
- switch (tclass) {
- case SECCLASS_PROCESS:
+ if (tclass == policydb.process_class) {
if (specified & AVTAB_TRANSITION) {
/* Look for a role transition rule. */
for (roletr = policydb.role_tr; roletr;
@@ -1311,9 +1457,6 @@ static int security_compute_sid(u32 ssid,
}
}
}
- break;
- default:
- break;
}
/* Set the MLS attributes.
@@ -1358,7 +1501,17 @@ int security_transition_sid(u32 ssid,
u16 tclass,
u32 *out_sid)
{
- return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION, out_sid);
+ return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+ out_sid, true);
+}
+
+int security_transition_sid_user(u32 ssid,
+ u32 tsid,
+ u16 tclass,
+ u32 *out_sid)
+{
+ return security_compute_sid(ssid, tsid, tclass, AVTAB_TRANSITION,
+ out_sid, false);
}
/**
@@ -1379,7 +1532,8 @@ int security_member_sid(u32 ssid,
u16 tclass,
u32 *out_sid)
{
- return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid);
+ return security_compute_sid(ssid, tsid, tclass, AVTAB_MEMBER, out_sid,
+ false);
}
/**
@@ -1400,144 +1554,8 @@ int security_change_sid(u32 ssid,
u16 tclass,
u32 *out_sid)
{
- return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid);
-}
-
-/*
- * Verify that each kernel class that is defined in the
- * policy is correct
- */
-static int validate_classes(struct policydb *p)
-{
- int i, j;
- struct class_datum *cladatum;
- struct perm_datum *perdatum;
- u32 nprim, tmp, common_pts_len, perm_val, pol_val;
- u16 class_val;
- const struct selinux_class_perm *kdefs = &selinux_class_perm;
- const char *def_class, *def_perm, *pol_class;
- struct symtab *perms;
- bool print_unknown_handle = 0;
-
- if (p->allow_unknown) {
- u32 num_classes = kdefs->cts_len;
- p->undefined_perms = kcalloc(num_classes, sizeof(u32), GFP_KERNEL);
- if (!p->undefined_perms)
- return -ENOMEM;
- }
-
- for (i = 1; i < kdefs->cts_len; i++) {
- def_class = kdefs->class_to_string[i];
- if (!def_class)
- continue;
- if (i > p->p_classes.nprim) {
- printk(KERN_INFO
- "SELinux: class %s not defined in policy\n",
- def_class);
- if (p->reject_unknown)
- return -EINVAL;
- if (p->allow_unknown)
- p->undefined_perms[i-1] = ~0U;
- print_unknown_handle = 1;
- continue;
- }
- pol_class = p->p_class_val_to_name[i-1];
- if (strcmp(pol_class, def_class)) {
- printk(KERN_ERR
- "SELinux: class %d is incorrect, found %s but should be %s\n",
- i, pol_class, def_class);
- return -EINVAL;
- }
- }
- for (i = 0; i < kdefs->av_pts_len; i++) {
- class_val = kdefs->av_perm_to_string[i].tclass;
- perm_val = kdefs->av_perm_to_string[i].value;
- def_perm = kdefs->av_perm_to_string[i].name;
- if (class_val > p->p_classes.nprim)
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON(!cladatum);
- perms = &cladatum->permissions;
- nprim = 1 << (perms->nprim - 1);
- if (perm_val > nprim) {
- printk(KERN_INFO
- "SELinux: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- if (p->reject_unknown)
- return -EINVAL;
- if (p->allow_unknown)
- p->undefined_perms[class_val-1] |= perm_val;
- print_unknown_handle = 1;
- continue;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if (perdatum == NULL) {
- printk(KERN_ERR
- "SELinux: permission %s in class %s not found in policy, bad policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- pol_val = 1 << (perdatum->value - 1);
- if (pol_val != perm_val) {
- printk(KERN_ERR
- "SELinux: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- for (i = 0; i < kdefs->av_inherit_len; i++) {
- class_val = kdefs->av_inherit[i].tclass;
- if (class_val > p->p_classes.nprim)
- continue;
- pol_class = p->p_class_val_to_name[class_val-1];
- cladatum = hashtab_search(p->p_classes.table, pol_class);
- BUG_ON(!cladatum);
- if (!cladatum->comdatum) {
- printk(KERN_ERR
- "SELinux: class %s should have an inherits clause but does not\n",
- pol_class);
- return -EINVAL;
- }
- tmp = kdefs->av_inherit[i].common_base;
- common_pts_len = 0;
- while (!(tmp & 0x01)) {
- common_pts_len++;
- tmp >>= 1;
- }
- perms = &cladatum->comdatum->permissions;
- for (j = 0; j < common_pts_len; j++) {
- def_perm = kdefs->av_inherit[i].common_pts[j];
- if (j >= perms->nprim) {
- printk(KERN_INFO
- "SELinux: permission %s in class %s not defined in policy\n",
- def_perm, pol_class);
- if (p->reject_unknown)
- return -EINVAL;
- if (p->allow_unknown)
- p->undefined_perms[class_val-1] |= (1 << j);
- print_unknown_handle = 1;
- continue;
- }
- perdatum = hashtab_search(perms->table, def_perm);
- if (perdatum == NULL) {
- printk(KERN_ERR
- "SELinux: permission %s in class %s not found in policy, bad policy\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- if (perdatum->value != j + 1) {
- printk(KERN_ERR
- "SELinux: permission %s in class %s has incorrect value\n",
- def_perm, pol_class);
- return -EINVAL;
- }
- }
- }
- if (print_unknown_handle)
- printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
- (security_get_allow_unknown() ? "allowed" : "denied"));
- return 0;
+ return security_compute_sid(ssid, tsid, tclass, AVTAB_CHANGE, out_sid,
+ false);
}
/* Clone the SID into the new SID table. */
@@ -1710,8 +1728,10 @@ int security_load_policy(void *data, size_t len)
{
struct policydb oldpolicydb, newpolicydb;
struct sidtab oldsidtab, newsidtab;
+ struct selinux_mapping *oldmap, *map = NULL;
struct convert_context_args args;
u32 seqno;
+ u16 map_size;
int rc = 0;
struct policy_file file = { data, len }, *fp = &file;
@@ -1721,22 +1741,19 @@ int security_load_policy(void *data, size_t len)
avtab_cache_destroy();
return -EINVAL;
}
- if (policydb_load_isids(&policydb, &sidtab)) {
+ if (selinux_set_mapping(&policydb, secclass_map,
+ &current_mapping,
+ &current_mapping_size)) {
policydb_destroy(&policydb);
avtab_cache_destroy();
return -EINVAL;
}
- /* Verify that the kernel defined classes are correct. */
- if (validate_classes(&policydb)) {
- printk(KERN_ERR
- "SELinux: the definition of a class is incorrect\n");
- sidtab_destroy(&sidtab);
+ if (policydb_load_isids(&policydb, &sidtab)) {
policydb_destroy(&policydb);
avtab_cache_destroy();
return -EINVAL;
}
security_load_policycaps();
- policydb_loaded_version = policydb.policyvers;
ss_initialized = 1;
seqno = ++latest_granting;
selinux_complete_init();
@@ -1759,13 +1776,9 @@ int security_load_policy(void *data, size_t len)
return -ENOMEM;
}
- /* Verify that the kernel defined classes are correct. */
- if (validate_classes(&newpolicydb)) {
- printk(KERN_ERR
- "SELinux: the definition of a class is incorrect\n");
- rc = -EINVAL;
+ if (selinux_set_mapping(&newpolicydb, secclass_map,
+ &map, &map_size))
goto err;
- }
rc = security_preserve_bools(&newpolicydb);
if (rc) {
@@ -1799,13 +1812,16 @@ int security_load_policy(void *data, size_t len)
memcpy(&policydb, &newpolicydb, sizeof policydb);
sidtab_set(&sidtab, &newsidtab);
security_load_policycaps();
+ oldmap = current_mapping;
+ current_mapping = map;
+ current_mapping_size = map_size;
seqno = ++latest_granting;
- policydb_loaded_version = policydb.policyvers;
write_unlock_irq(&policy_rwlock);
/* Free the old policydb and SID table. */
policydb_destroy(&oldpolicydb);
sidtab_destroy(&oldsidtab);
+ kfree(oldmap);
avc_ss_reset(seqno);
selnl_notify_policyload(seqno);
@@ -1815,6 +1831,7 @@ int security_load_policy(void *data, size_t len)
return 0;
err:
+ kfree(map);
sidtab_destroy(&newsidtab);
policydb_destroy(&newpolicydb);
return rc;
@@ -2091,7 +2108,7 @@ out_unlock:
}
for (i = 0, j = 0; i < mynel; i++) {
rc = avc_has_perm_noaudit(fromsid, mysids[i],
- SECCLASS_PROCESS,
+ SECCLASS_PROCESS, /* kernel value */
PROCESS__TRANSITION, AVC_STRICT,
NULL);
if (!rc)
@@ -2119,10 +2136,11 @@ out:
*/
int security_genfs_sid(const char *fstype,
char *path,
- u16 sclass,
+ u16 orig_sclass,
u32 *sid)
{
int len;
+ u16 sclass;
struct genfs *genfs;
struct ocontext *c;
int rc = 0, cmp = 0;
@@ -2132,6 +2150,8 @@ int security_genfs_sid(const char *fstype,
read_lock(&policy_rwlock);
+ sclass = unmap_class(orig_sclass);
+
for (genfs = policydb.genfs; genfs; genfs = genfs->next) {
cmp = strcmp(fstype, genfs->fstype);
if (cmp <= 0)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index c33b6bb9b6dd..529c9ca65878 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2602,7 +2602,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
ad.a.u.net.family = sk->sk_family;
- ad.a.u.net.netif = skb->iif;
+ ad.a.u.net.netif = skb->skb_iif;
ipv4_skb_to_auditdata(skb, &ad.a, NULL);
#endif
/*
@@ -2757,7 +2757,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
#ifdef CONFIG_AUDIT
smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NET);
ad.a.u.net.family = family;
- ad.a.u.net.netif = skb->iif;
+ ad.a.u.net.netif = skb->skb_iif;
ipv4_skb_to_auditdata(skb, &ad.a, NULL);
#endif
/*
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 3c8bd8ee0b95..e0d0354008b7 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -187,6 +187,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
const s8 pattern_type, const s8 end_type,
const char *function)
{
+ const char *const start = filename;
+ bool in_repetition = false;
bool contains_pattern = false;
unsigned char c;
unsigned char d;
@@ -212,9 +214,13 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
if (c == '/')
goto out;
}
- while ((c = *filename++) != '\0') {
+ while (1) {
+ c = *filename++;
+ if (!c)
+ break;
if (c == '\\') {
- switch ((c = *filename++)) {
+ c = *filename++;
+ switch (c) {
case '\\': /* "\\" */
continue;
case '$': /* "\$" */
@@ -231,6 +237,22 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
break; /* Must not contain pattern */
contains_pattern = true;
continue;
+ case '{': /* "/\{" */
+ if (filename - 3 < start ||
+ *(filename - 3) != '/')
+ break;
+ if (pattern_type == -1)
+ break; /* Must not contain pattern */
+ contains_pattern = true;
+ in_repetition = true;
+ continue;
+ case '}': /* "\}/" */
+ if (*filename != '/')
+ break;
+ if (!in_repetition)
+ break;
+ in_repetition = false;
+ continue;
case '0': /* "\ooo" */
case '1':
case '2':
@@ -246,6 +268,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
continue; /* pattern is not \000 */
}
goto out;
+ } else if (in_repetition && c == '/') {
+ goto out;
} else if (tomoyo_is_invalid(c)) {
goto out;
}
@@ -254,6 +278,8 @@ bool tomoyo_is_correct_path(const char *filename, const s8 start_type,
if (!contains_pattern)
goto out;
}
+ if (in_repetition)
+ goto out;
return true;
out:
printk(KERN_DEBUG "%s: Invalid pathname '%s'\n", function,
@@ -360,33 +386,6 @@ struct tomoyo_domain_info *tomoyo_find_domain(const char *domainname)
}
/**
- * tomoyo_path_depth - Evaluate the number of '/' in a string.
- *
- * @pathname: The string to evaluate.
- *
- * Returns path depth of the string.
- *
- * I score 2 for each of the '/' in the @pathname
- * and score 1 if the @pathname ends with '/'.
- */
-static int tomoyo_path_depth(const char *pathname)
-{
- int i = 0;
-
- if (pathname) {
- const char *ep = pathname + strlen(pathname);
- if (pathname < ep--) {
- if (*ep != '/')
- i++;
- while (pathname <= ep)
- if (*ep-- == '/')
- i += 2;
- }
- }
- return i;
-}
-
-/**
* tomoyo_const_part_length - Evaluate the initial length without a pattern in a token.
*
* @filename: The string to evaluate.
@@ -444,11 +443,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
ptr->is_dir = len && (name[len - 1] == '/');
ptr->is_patterned = (ptr->const_len < len);
ptr->hash = full_name_hash(name, len);
- ptr->depth = tomoyo_path_depth(name);
}
/**
- * tomoyo_file_matches_to_pattern2 - Pattern matching without '/' character
+ * tomoyo_file_matches_pattern2 - Pattern matching without '/' character
* and "\-" pattern.
*
* @filename: The start of string to check.
@@ -458,10 +456,10 @@ void tomoyo_fill_path_info(struct tomoyo_path_info *ptr)
*
* Returns true if @filename matches @pattern, false otherwise.
*/
-static bool tomoyo_file_matches_to_pattern2(const char *filename,
- const char *filename_end,
- const char *pattern,
- const char *pattern_end)
+static bool tomoyo_file_matches_pattern2(const char *filename,
+ const char *filename_end,
+ const char *pattern,
+ const char *pattern_end)
{
while (filename < filename_end && pattern < pattern_end) {
char c;
@@ -519,7 +517,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
case '*':
case '@':
for (i = 0; i <= filename_end - filename; i++) {
- if (tomoyo_file_matches_to_pattern2(
+ if (tomoyo_file_matches_pattern2(
filename + i, filename_end,
pattern + 1, pattern_end))
return true;
@@ -550,7 +548,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
j++;
}
for (i = 1; i <= j; i++) {
- if (tomoyo_file_matches_to_pattern2(
+ if (tomoyo_file_matches_pattern2(
filename + i, filename_end,
pattern + 1, pattern_end))
return true;
@@ -567,7 +565,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
}
/**
- * tomoyo_file_matches_to_pattern - Pattern matching without without '/' character.
+ * tomoyo_file_matches_pattern - Pattern matching without without '/' character.
*
* @filename: The start of string to check.
* @filename_end: The end of string to check.
@@ -576,7 +574,7 @@ static bool tomoyo_file_matches_to_pattern2(const char *filename,
*
* Returns true if @filename matches @pattern, false otherwise.
*/
-static bool tomoyo_file_matches_to_pattern(const char *filename,
+static bool tomoyo_file_matches_pattern(const char *filename,
const char *filename_end,
const char *pattern,
const char *pattern_end)
@@ -589,10 +587,10 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
/* Split at "\-" pattern. */
if (*pattern++ != '\\' || *pattern++ != '-')
continue;
- result = tomoyo_file_matches_to_pattern2(filename,
- filename_end,
- pattern_start,
- pattern - 2);
+ result = tomoyo_file_matches_pattern2(filename,
+ filename_end,
+ pattern_start,
+ pattern - 2);
if (first)
result = !result;
if (result)
@@ -600,13 +598,79 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
first = false;
pattern_start = pattern;
}
- result = tomoyo_file_matches_to_pattern2(filename, filename_end,
- pattern_start, pattern_end);
+ result = tomoyo_file_matches_pattern2(filename, filename_end,
+ pattern_start, pattern_end);
return first ? result : !result;
}
/**
+ * tomoyo_path_matches_pattern2 - Do pathname pattern matching.
+ *
+ * @f: The start of string to check.
+ * @p: The start of pattern to compare.
+ *
+ * Returns true if @f matches @p, false otherwise.
+ */
+static bool tomoyo_path_matches_pattern2(const char *f, const char *p)
+{
+ const char *f_delimiter;
+ const char *p_delimiter;
+
+ while (*f && *p) {
+ f_delimiter = strchr(f, '/');
+ if (!f_delimiter)
+ f_delimiter = f + strlen(f);
+ p_delimiter = strchr(p, '/');
+ if (!p_delimiter)
+ p_delimiter = p + strlen(p);
+ if (*p == '\\' && *(p + 1) == '{')
+ goto recursive;
+ if (!tomoyo_file_matches_pattern(f, f_delimiter, p,
+ p_delimiter))
+ return false;
+ f = f_delimiter;
+ if (*f)
+ f++;
+ p = p_delimiter;
+ if (*p)
+ p++;
+ }
+ /* Ignore trailing "\*" and "\@" in @pattern. */
+ while (*p == '\\' &&
+ (*(p + 1) == '*' || *(p + 1) == '@'))
+ p += 2;
+ return !*f && !*p;
+ recursive:
+ /*
+ * The "\{" pattern is permitted only after '/' character.
+ * This guarantees that below "*(p - 1)" is safe.
+ * Also, the "\}" pattern is permitted only before '/' character
+ * so that "\{" + "\}" pair will not break the "\-" operator.
+ */
+ if (*(p - 1) != '/' || p_delimiter <= p + 3 || *p_delimiter != '/' ||
+ *(p_delimiter - 1) != '}' || *(p_delimiter - 2) != '\\')
+ return false; /* Bad pattern. */
+ do {
+ /* Compare current component with pattern. */
+ if (!tomoyo_file_matches_pattern(f, f_delimiter, p + 2,
+ p_delimiter - 2))
+ break;
+ /* Proceed to next component. */
+ f = f_delimiter;
+ if (!*f)
+ break;
+ f++;
+ /* Continue comparison. */
+ if (tomoyo_path_matches_pattern2(f, p_delimiter + 1))
+ return true;
+ f_delimiter = strchr(f, '/');
+ } while (f_delimiter);
+ return false; /* Not matched. */
+}
+
+/**
* tomoyo_path_matches_pattern - Check whether the given filename matches the given pattern.
+ *
* @filename: The filename to check.
* @pattern: The pattern to compare.
*
@@ -615,24 +679,24 @@ static bool tomoyo_file_matches_to_pattern(const char *filename,
* The following patterns are available.
* \\ \ itself.
* \ooo Octal representation of a byte.
- * \* More than or equals to 0 character other than '/'.
- * \@ More than or equals to 0 character other than '/' or '.'.
+ * \* Zero or more repetitions of characters other than '/'.
+ * \@ Zero or more repetitions of characters other than '/' or '.'.
* \? 1 byte character other than '/'.
- * \$ More than or equals to 1 decimal digit.
+ * \$ One or more repetitions of decimal digits.
* \+ 1 decimal digit.
- * \X More than or equals to 1 hexadecimal digit.
+ * \X One or more repetitions of hexadecimal digits.
* \x 1 hexadecimal digit.
- * \A More than or equals to 1 alphabet character.
+ * \A One or more repetitions of alphabet characters.
* \a 1 alphabet character.
+ *
* \- Subtraction operator.
+ *
+ * /\{dir\}/ '/' + 'One or more repetitions of dir/' (e.g. /dir/ /dir/dir/
+ * /dir/dir/dir/ ).
*/
bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
const struct tomoyo_path_info *pattern)
{
- /*
- if (!filename || !pattern)
- return false;
- */
const char *f = filename->name;
const char *p = pattern->name;
const int len = pattern->const_len;
@@ -640,37 +704,15 @@ bool tomoyo_path_matches_pattern(const struct tomoyo_path_info *filename,
/* If @pattern doesn't contain pattern, I can use strcmp(). */
if (!pattern->is_patterned)
return !tomoyo_pathcmp(filename, pattern);
- /* Dont compare if the number of '/' differs. */
- if (filename->depth != pattern->depth)
+ /* Don't compare directory and non-directory. */
+ if (filename->is_dir != pattern->is_dir)
return false;
/* Compare the initial length without patterns. */
if (strncmp(f, p, len))
return false;
f += len;
p += len;
- /* Main loop. Compare each directory component. */
- while (*f && *p) {
- const char *f_delimiter = strchr(f, '/');
- const char *p_delimiter = strchr(p, '/');
- if (!f_delimiter)
- f_delimiter = f + strlen(f);
- if (!p_delimiter)
- p_delimiter = p + strlen(p);
- if (!tomoyo_file_matches_to_pattern(f, f_delimiter,
- p, p_delimiter))
- return false;
- f = f_delimiter;
- if (*f)
- f++;
- p = p_delimiter;
- if (*p)
- p++;
- }
- /* Ignore trailing "\*" and "\@" in @pattern. */
- while (*p == '\\' &&
- (*(p + 1) == '*' || *(p + 1) == '@'))
- p += 2;
- return !*f && !*p;
+ return tomoyo_path_matches_pattern2(f, p);
}
/**
diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h
index 31df541911f7..92169d29b2db 100644
--- a/security/tomoyo/common.h
+++ b/security/tomoyo/common.h
@@ -56,9 +56,6 @@ struct tomoyo_page_buffer {
* (5) "is_patterned" is a bool which is true if "name" contains wildcard
* characters, false otherwise. This allows TOMOYO to use "hash" and
* strcmp() for string comparison if "is_patterned" is false.
- * (6) "depth" is calculated using the number of "/" characters in "name".
- * This allows TOMOYO to avoid comparing two pathnames which never match
- * (e.g. whether "/var/www/html/index.html" matches "/tmp/sh-thd-\$").
*/
struct tomoyo_path_info {
const char *name;
@@ -66,7 +63,6 @@ struct tomoyo_path_info {
u16 const_len; /* = tomoyo_const_part_length(name) */
bool is_dir; /* = tomoyo_strendswith(name, "/") */
bool is_patterned; /* = tomoyo_path_contains_pattern(name) */
- u16 depth; /* = tomoyo_path_depth(name) */
};
/*
diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c
index 5ae3a571559f..8346938809b1 100644
--- a/security/tomoyo/file.c
+++ b/security/tomoyo/file.c
@@ -1096,27 +1096,6 @@ static int tomoyo_check_single_path_permission2(struct tomoyo_domain_info *
}
/**
- * tomoyo_check_file_perm - Check permission for sysctl()'s "read" and "write".
- *
- * @domain: Pointer to "struct tomoyo_domain_info".
- * @filename: Filename to check.
- * @perm: Mode ("read" or "write" or "read/write").
- * Returns 0 on success, negative value otherwise.
- */
-int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
- const char *filename, const u8 perm)
-{
- struct tomoyo_path_info name;
- const u8 mode = tomoyo_check_flags(domain, TOMOYO_MAC_FOR_FILE);
-
- if (!mode)
- return 0;
- name.name = filename;
- tomoyo_fill_path_info(&name);
- return tomoyo_check_file_perm2(domain, &name, perm, "sysctl", mode);
-}
-
-/**
* tomoyo_check_exec_perm - Check permission for "execute".
*
* @domain: Pointer to "struct tomoyo_domain_info".
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index 5f2e33263371..18369d497eb8 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -13,6 +13,8 @@
#include <linux/mount.h>
#include <linux/mnt_namespace.h>
#include <linux/fs_struct.h>
+#include <linux/hash.h>
+
#include "common.h"
#include "realpath.h"
@@ -108,6 +110,15 @@ int tomoyo_realpath_from_path2(struct path *path, char *newname,
spin_unlock(&dcache_lock);
path_put(&root);
path_put(&ns_root);
+ /* Prepend "/proc" prefix if using internal proc vfs mount. */
+ if (!IS_ERR(sp) && (path->mnt->mnt_parent == path->mnt) &&
+ (strcmp(path->mnt->mnt_sb->s_type->name, "proc") == 0)) {
+ sp -= 5;
+ if (sp >= newname)
+ memcpy(sp, "/proc", 5);
+ else
+ sp = ERR_PTR(-ENOMEM);
+ }
}
if (IS_ERR(sp))
error = PTR_ERR(sp);
@@ -263,7 +274,8 @@ static unsigned int tomoyo_quota_for_savename;
* table. Frequency of appending strings is very low. So we don't need
* large (e.g. 64k) hash size. 256 will be sufficient.
*/
-#define TOMOYO_MAX_HASH 256
+#define TOMOYO_HASH_BITS 8
+#define TOMOYO_MAX_HASH (1u<<TOMOYO_HASH_BITS)
/*
* tomoyo_name_entry is a structure which is used for linking
@@ -315,6 +327,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
struct tomoyo_free_memory_block_list *fmb;
int len;
char *cp;
+ struct list_head *head;
if (!name)
return NULL;
@@ -325,9 +338,10 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
return NULL;
}
hash = full_name_hash((const unsigned char *) name, len - 1);
+ head = &tomoyo_name_list[hash_long(hash, TOMOYO_HASH_BITS)];
+
mutex_lock(&lock);
- list_for_each_entry(ptr, &tomoyo_name_list[hash % TOMOYO_MAX_HASH],
- list) {
+ list_for_each_entry(ptr, head, list) {
if (hash == ptr->entry.hash && !strcmp(name, ptr->entry.name))
goto out;
}
@@ -365,7 +379,7 @@ const struct tomoyo_path_info *tomoyo_save_name(const char *name)
tomoyo_fill_path_info(&ptr->entry);
fmb->ptr += len;
fmb->len -= len;
- list_add_tail(&ptr->list, &tomoyo_name_list[hash % TOMOYO_MAX_HASH]);
+ list_add_tail(&ptr->list, head);
if (fmb->len == 0) {
list_del(&fmb->list);
kfree(fmb);
diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c
index 9548a0984cc4..8a00ade85166 100644
--- a/security/tomoyo/tomoyo.c
+++ b/security/tomoyo/tomoyo.c
@@ -85,83 +85,6 @@ static int tomoyo_bprm_check_security(struct linux_binprm *bprm)
return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1);
}
-#ifdef CONFIG_SYSCTL
-
-static int tomoyo_prepend(char **buffer, int *buflen, const char *str)
-{
- int namelen = strlen(str);
-
- if (*buflen < namelen)
- return -ENOMEM;
- *buflen -= namelen;
- *buffer -= namelen;
- memcpy(*buffer, str, namelen);
- return 0;
-}
-
-/**
- * tomoyo_sysctl_path - return the realpath of a ctl_table.
- * @table: pointer to "struct ctl_table".
- *
- * Returns realpath(3) of the @table on success.
- * Returns NULL on failure.
- *
- * This function uses tomoyo_alloc(), so the caller must call tomoyo_free()
- * if this function didn't return NULL.
- */
-static char *tomoyo_sysctl_path(struct ctl_table *table)
-{
- int buflen = TOMOYO_MAX_PATHNAME_LEN;
- char *buf = tomoyo_alloc(buflen);
- char *end = buf + buflen;
- int error = -ENOMEM;
-
- if (!buf)
- return NULL;
-
- *--end = '\0';
- buflen--;
- while (table) {
- char num[32];
- const char *sp = table->procname;
-
- if (!sp) {
- memset(num, 0, sizeof(num));
- snprintf(num, sizeof(num) - 1, "=%d=", table->ctl_name);
- sp = num;
- }
- if (tomoyo_prepend(&end, &buflen, sp) ||
- tomoyo_prepend(&end, &buflen, "/"))
- goto out;
- table = table->parent;
- }
- if (tomoyo_prepend(&end, &buflen, "/proc/sys"))
- goto out;
- error = tomoyo_encode(buf, end - buf, end);
- out:
- if (!error)
- return buf;
- tomoyo_free(buf);
- return NULL;
-}
-
-static int tomoyo_sysctl(struct ctl_table *table, int op)
-{
- int error;
- char *name;
-
- op &= MAY_READ | MAY_WRITE;
- if (!op)
- return 0;
- name = tomoyo_sysctl_path(table);
- if (!name)
- return -ENOMEM;
- error = tomoyo_check_file_perm(tomoyo_domain(), name, op);
- tomoyo_free(name);
- return error;
-}
-#endif
-
static int tomoyo_path_truncate(struct path *path, loff_t length,
unsigned int time_attrs)
{
@@ -282,9 +205,6 @@ static struct security_operations tomoyo_security_ops = {
.cred_transfer = tomoyo_cred_transfer,
.bprm_set_creds = tomoyo_bprm_set_creds,
.bprm_check_security = tomoyo_bprm_check_security,
-#ifdef CONFIG_SYSCTL
- .sysctl = tomoyo_sysctl,
-#endif
.file_fcntl = tomoyo_file_fcntl,
.dentry_open = tomoyo_dentry_open,
.path_truncate = tomoyo_path_truncate,
diff --git a/security/tomoyo/tomoyo.h b/security/tomoyo/tomoyo.h
index cd6ba0bf7069..ed758325b1ae 100644
--- a/security/tomoyo/tomoyo.h
+++ b/security/tomoyo/tomoyo.h
@@ -18,8 +18,6 @@ struct inode;
struct linux_binprm;
struct pt_regs;
-int tomoyo_check_file_perm(struct tomoyo_domain_info *domain,
- const char *filename, const u8 perm);
int tomoyo_check_exec_perm(struct tomoyo_domain_info *domain,
const struct tomoyo_path_info *filename);
int tomoyo_check_open_permission(struct tomoyo_domain_info *domain,