/*
 * Permission-name lists shared by several object classes in secclass_map
 * below.  Each macro expands to a comma-separated list of string literals
 * and is spliced directly into a class's permission array, e.g.
 * "{ COMMON_FILE_PERMS, NULL }".
 *
 * NOTE(review): the position of a name within a class's list is presumably
 * what the kernel uses as that permission's bit index, so names should
 * only ever be appended, never reordered or removed -- confirm against the
 * code that consumes secclass_map before relying on this.
 */

/* Operations that apply to both file-like and socket-like objects. */
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
    "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"

/* File-like objects: the shared set plus the file-only operations. */
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
    "rename", "execute", "quotaon", "mounton", "audit_access", \
    "open", "execmod"

/* Socket-like objects: the shared set plus the socket-only operations. */
#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
    "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom",  \
    "sendto", "name_bind"

/* System V IPC objects (used by the sem, msgq, shm and ipc classes). */
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
	    "write", "associate", "unix_read", "unix_write"

/*
 * One permission name per capability, shared by the "capability" and
 * "cap_userns" classes.  The list holds exactly 32 names; capabilities
 * beyond that are carried by COMMON_CAP2_PERMS (presumably because an
 * access vector only has 32 bits -- confirm against the consumer).
 */
#define COMMON_CAP_PERMS  "chown", "dac_override", "dac_read_search", \
	    "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
	    "linux_immutable", "net_bind_service", "net_broadcast", \
	    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
	    "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
	    "sys_boot", "sys_nice", "sys_resource", "sys_time", \
	    "sys_tty_config", "mknod", "lease", "audit_write", \
	    "audit_control", "setfcap"

/*
 * Capabilities that did not fit in COMMON_CAP_PERMS, shared by the
 * "capability2" and "cap2_userns" classes.  This list must be extended
 * whenever a new capability is added to the kernel, otherwise there is no
 * permission name for it here; the #if below enforces that at build time.
 */
#define COMMON_CAP2_PERMS  "mac_override", "mac_admin", "syslog", \
		"wake_alarm", "block_suspend", "audit_read"

/*
 * Build-time guard: fail the compile as soon as a capability newer than
 * CAP_AUDIT_READ (the last entry above) exists, so the list above cannot
 * silently fall behind the kernel's capability definitions.
 */
#if CAP_LAST_CAP > CAP_AUDIT_READ
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
/*
 * Note: the name of any socket class should end with "socket" and
 *	 should not contain the substring "socket" more than once.
 */
/*
 * Kernel-internal table of SELinux object classes and their permissions.
 * Each entry pairs a class name with a NULL-terminated list of permission
 * names; the table itself is terminated by a { NULL } entry.
 *
 * NOTE(review): the index of an entry in this table, and of a name within
 * its list, is presumably what the kernel uses as the class / permission
 * value, so new classes and permissions belong at the end of the relevant
 * list and existing ones should not be reordered or removed.  Each class is
 * presumably also limited to 32 permissions (one access-vector bit each).
 * Confirm both against the code that consumes this table.
 */
struct security_class_mapping secclass_map[] = {
	/* The SELinux security server itself (policy load, enforcing mode, ...). */
	{ "security",
	  { "compute_av", "compute_create", "compute_member",
	    "check_context", "load_policy", "compute_relabel",
	    "compute_user", "setenforce", "setbool", "setsecparam",
	    "setcheckreqprot", "read_policy", "validate_trans", NULL } },
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill",
	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
	    "execmem", "execstack", "execheap", "setkeycreate",
	    "setsockcreate", NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod",
	    "syslog_console", "module_request", "module_load", NULL } },
	/* One permission per capability; see COMMON_CAP_PERMS. */
	{ "capability",
	  { COMMON_CAP_PERMS, NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr",
	    "relabelfrom", "relabelto", "associate", "quotamod",
	    "quotaget", NULL } },
	/* File-like classes: all share COMMON_FILE_PERMS. */
	{ "file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", NULL } },
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name",
	    "reparent", "search", "rmdir", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "chr_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "blk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "sock_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "fifo_file",
	  { COMMON_FILE_PERMS, NULL } },
	/*
	 * Socket classes: all share COMMON_SOCK_PERMS and follow the naming
	 * rule noted above the table ("..._socket").
	 */
	{ "socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect",
	    NULL } },
	{ "udp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "rawip_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "node",
	  { "recvfrom", "sendto", NULL } },
	{ "netif",
	  { "ingress", "egress", NULL } },
	{ "netlink_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", NULL } },
	{ "unix_dgram_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	/* System V IPC classes: all share COMMON_IPC_PERMS except "msg". */
	{ "sem",
	  { COMMON_IPC_PERMS, NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { COMMON_IPC_PERMS, "enqueue", NULL } },
	{ "shm",
	  { COMMON_IPC_PERMS, "lock", NULL } },
	{ "ipc",
	  { COMMON_IPC_PERMS, NULL } },
	/*
	 * Per-protocol netlink socket classes.  Only some of them carry the
	 * extra "nlmsg_*" permissions for distinguishing message types.
	 */
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_nflog_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_iscsi_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
	    "nlmsg_tty_audit", NULL } },
	{ "netlink_fib_lookup_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_connector_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_netfilter_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_dnrt_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "netlink_kobject_uevent_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_generic_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_scsitransport_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_rdma_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_crypto_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	/* Capabilities beyond the first 32; see COMMON_CAP2_PERMS. */
	{ "capability2",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
		      NULL } },
	/*
	 * Same permission lists as "capability"/"capability2"; presumably the
	 * classes checked when a capability is exercised in a non-initial user
	 * namespace -- confirm in the capability hook.
	 */
	{ "cap_userns",
	  { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns",
	  { COMMON_CAP2_PERMS, NULL } },
	/* Table terminator: a NULL class name marks the end of the list. */
	{ NULL }
  };