1b2441318SGreg Kroah-Hartman /* SPDX-License-Identifier: GPL-2.0 */
2bfc5e3a6SPaul Moore #include <linux/capability.h>
3dfbd199aSPaulo Alcantara #include <linux/socket.h>
4bfc5e3a6SPaul Moore 
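/*
 * Permission-name lists shared by several classes in secclass_map.  Each
 * list is spliced into a class's perms[] initializer, so the names must
 * stay unique within every class that uses the list, and the combined
 * count for any one class must stay within one access vector (32 names
 * plus the NULL terminator, per struct security_class_mapping - confirm
 * against its declaration before adding to a full list).
 *
 * Indentation is tabs only, per the kernel coding style.
 */
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
	"getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"

#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
	"rename", "execute", "quotaon", "mounton", "audit_access", \
	"open", "execmod", "watch", "watch_mount", "watch_sb", \
	"watch_with_perm", "watch_reads"

#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
	"listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
	"sendto", "name_bind"

#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
	"write", "associate", "unix_read", "unix_write"

/*
 * Capability permissions are positional: the Nth name in COMMON_CAP_PERMS
 * is the permission checked for capability number N (0..31), and the Nth
 * name in COMMON_CAP2_PERMS is the one for capability 32+N, because the
 * capability number is converted to a permission bit with CAP_TO_MASK()
 * (see cred_has_capability() in hooks.c).  A name in the wrong slot would
 * make policy silently grant or deny the wrong capability, so new
 * capabilities are appended to the end of COMMON_CAP2_PERMS and existing
 * entries are never reordered or removed.
 */
#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
	"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
	"linux_immutable", "net_bind_service", "net_broadcast", \
	"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
	"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
	"sys_boot", "sys_nice", "sys_resource", "sys_time", \
	"sys_tty_config", "mknod", "lease", "audit_write", \
	"audit_control", "setfcap"

#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
	"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
	"checkpoint_restore"

/*
 * Build-time guard: the last name in COMMON_CAP2_PERMS must correspond to
 * CAP_LAST_CAP.  When a capability is added to <linux/capability.h> this
 * fails until the new name is appended above and the comparison is
 * updated to the new last capability.
 */
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif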
363322d0d6SStephen Smalley 
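/*
 * Kernel-side names of the SELinux object classes and their permissions.
 *
 * Position is significant: the numeric class and permission constants the
 * kernel uses internally are derived from the order of this table at build
 * time, so new classes are appended just before the terminating { NULL }
 * entry and new permissions go at the end of their class's list; existing
 * entries are never reordered.  Every permission list ends with NULL, and
 * no class may list more than 32 permissions (the size of one access
 * vector; perms[] of struct security_class_mapping is sized accordingly -
 * confirm against its declaration).
 *
 * Note: The name of any socket class must end in "socket" and must contain
 * the substring "socket" only once.  Every address family needs such a
 * class; the PF_MAX check at the bottom of this file enforces that.
 */
const struct security_class_mapping secclass_map[] = {
	{ "security",
	  { "compute_av", "compute_create", "compute_member",
	    "check_context", "load_policy", "compute_relabel",
	    "compute_user", "setenforce", "setbool", "setsecparam",
	    "setcheckreqprot", "read_policy", "validate_trans", NULL } },
	/* "process" holds 31 names; overflow presumably goes to "process2". */
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill",
	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
	    "execmem", "execstack", "execheap", "setkeycreate",
	    "setsockcreate", "getrlimit", NULL } },
	{ "process2",
	  { "nnp_transition", "nosuid_transition", NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod",
	    "syslog_console", "module_request", "module_load", NULL } },
	/*
	 * Capability classes are positional (index == CAP_* number, see the
	 * COMMON_CAP_PERMS comment).  "capability" is exactly full (32), so
	 * CAP 32 and above live in "capability2".
	 */
	{ "capability",
	  { COMMON_CAP_PERMS, NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr",
	    "relabelfrom", "relabelto", "associate", "quotamod",
	    "quotaget", "watch", NULL } },
	{ "file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", NULL } },
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name",
	    "reparent", "search", "rmdir", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "chr_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "blk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "sock_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "fifo_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect",
	    NULL } },
	{ "udp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "rawip_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "node",
	  { "recvfrom", "sendto", NULL } },
	{ "netif",
	  { "ingress", "egress", NULL } },
	{ "netlink_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", NULL } },
	{ "unix_dgram_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "sem",
	  { COMMON_IPC_PERMS, NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { COMMON_IPC_PERMS, "enqueue", NULL } },
	{ "shm",
	  { COMMON_IPC_PERMS, "lock", NULL } },
	{ "ipc",
	  { COMMON_IPC_PERMS, NULL } },
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_nflog_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_iscsi_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
	    "nlmsg_tty_audit", NULL } },
	{ "netlink_fib_lookup_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_connector_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_netfilter_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_dnrt_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "netlink_kobject_uevent_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_generic_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_scsitransport_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_rdma_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_crypto_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	{ "capability2",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
	{ "binder",
	  { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
	/*
	 * Same positional capability lists again; presumably the classes used
	 * when the capability is exercised in a non-initial user namespace -
	 * confirm against cred_has_capability() in hooks.c.
	 */
	{ "cap_userns",
	  { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "sctp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", "association", NULL } },
	{ "icmp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "ax25_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "ipx_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netrom_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "atmpvc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "x25_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rose_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "decnet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "atmsvc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rds_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "irda_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "pppox_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "llc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "can_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tipc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "bluetooth_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "iucv_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rxrpc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "isdn_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "phonet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "ieee802154_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "caif_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "alg_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "nfc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "vsock_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "kcm_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "qipcrtr_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "smc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "infiniband_pkey",
	  { "access", NULL } },
	{ "infiniband_endport",
	  { "manage_subnet", NULL } },
	{ "bpf",
	  { "map_create", "map_read", "map_write", "prog_load", "prog_run",
	    NULL } },
	{ "xdp_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "mctp_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "perf_event",
	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
	{ "anon_inode",
	  { COMMON_FILE_PERMS, NULL } },
	{ "io_uring",
	  { "override_creds", "sqpoll", "cmd", NULL } },
	{ "user_namespace",
	  { "create", NULL } },
	/* Sentinel: iteration over the table stops at the first NULL name. */
	{ NULL }
};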
261da69a530SStephen Smalley 
/*
 * Build-time guard: every address family must have a matching socket class
 * in secclass_map.  When a new PF_* value is added to <linux/socket.h> this
 * fails until the corresponding "<family>_socket" entry is appended to the
 * table and the constant below is raised to the new PF_MAX.
 */
#if PF_MAX > 46
#error New address family defined, please update secclass_map.
#endif
265