1bfc5e3a6SPaul Moore #include <linux/capability.h> 2bfc5e3a6SPaul Moore 3c6d3aaa4SStephen Smalley #define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ 43ba4bf5fSStephen Smalley "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map" 5c6d3aaa4SStephen Smalley 6c6d3aaa4SStephen Smalley #define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ 742a9699aSStephen Smalley "rename", "execute", "quotaon", "mounton", "audit_access", \ 8b424485aSEric Paris "open", "execmod" 9c6d3aaa4SStephen Smalley 10c6d3aaa4SStephen Smalley #define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ 11c6d3aaa4SStephen Smalley "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ 1242a9699aSStephen Smalley "sendto", "name_bind" 13c6d3aaa4SStephen Smalley 14c6d3aaa4SStephen Smalley #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ 15c6d3aaa4SStephen Smalley "write", "associate", "unix_read", "unix_write" 16c6d3aaa4SStephen Smalley 178e4ff6f2SStephen Smalley #define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \ 188e4ff6f2SStephen Smalley "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \ 198e4ff6f2SStephen Smalley "linux_immutable", "net_bind_service", "net_broadcast", \ 208e4ff6f2SStephen Smalley "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \ 218e4ff6f2SStephen Smalley "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ 228e4ff6f2SStephen Smalley "sys_boot", "sys_nice", "sys_resource", "sys_time", \ 238e4ff6f2SStephen Smalley "sys_tty_config", "mknod", "lease", "audit_write", \ 248e4ff6f2SStephen Smalley "audit_control", "setfcap" 258e4ff6f2SStephen Smalley 268e4ff6f2SStephen Smalley #define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ 278e4ff6f2SStephen Smalley "wake_alarm", "block_suspend", "audit_read" 288e4ff6f2SStephen Smalley 293322d0d6SStephen Smalley #if CAP_LAST_CAP > CAP_AUDIT_READ 303322d0d6SStephen Smalley #error New capability defined, please update COMMON_CAP2_PERMS. 313322d0d6SStephen Smalley #endif 323322d0d6SStephen Smalley 334bc6c2d5SHarry Ciao /* 344bc6c2d5SHarry Ciao * Note: The name for any socket class should be suffixed by "socket", 354bc6c2d5SHarry Ciao * and doesn't contain more than one substr of "socket". 364bc6c2d5SHarry Ciao */ 37c6d3aaa4SStephen Smalley struct security_class_mapping secclass_map[] = { 38c6d3aaa4SStephen Smalley { "security", 39c6d3aaa4SStephen Smalley { "compute_av", "compute_create", "compute_member", 40c6d3aaa4SStephen Smalley "check_context", "load_policy", "compute_relabel", 41c6d3aaa4SStephen Smalley "compute_user", "setenforce", "setbool", "setsecparam", 42f9df6458SAndrew Perepechko "setcheckreqprot", "read_policy", "validate_trans", NULL } }, 43c6d3aaa4SStephen Smalley { "process", 44c6d3aaa4SStephen Smalley { "fork", "transition", "sigchld", "sigkill", 45c6d3aaa4SStephen Smalley "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", 46c6d3aaa4SStephen Smalley "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", 47c6d3aaa4SStephen Smalley "getattr", "setexec", "setfscreate", "noatsecure", "siginh", 48c6d3aaa4SStephen Smalley "setrlimit", "rlimitinh", "dyntransition", "setcurrent", 49c6d3aaa4SStephen Smalley "execmem", "execstack", "execheap", "setkeycreate", 50791ec491SStephen Smalley "setsockcreate", "getrlimit", NULL } }, 51c6d3aaa4SStephen Smalley { "system", 52c6d3aaa4SStephen Smalley { "ipc_info", "syslog_read", "syslog_mod", 5361d612eaSJeff Vander Stoep "syslog_console", "module_request", "module_load", NULL } }, 54c6d3aaa4SStephen Smalley { "capability", 558e4ff6f2SStephen Smalley { COMMON_CAP_PERMS, NULL } }, 56c6d3aaa4SStephen Smalley { "filesystem", 57c6d3aaa4SStephen Smalley { "mount", "remount", "unmount", "getattr", 5842a9699aSStephen Smalley "relabelfrom", "relabelto", "associate", "quotamod", 59c6d3aaa4SStephen Smalley "quotaget", NULL } }, 60c6d3aaa4SStephen Smalley { "file", 61c6d3aaa4SStephen Smalley { COMMON_FILE_PERMS, 62b424485aSEric Paris "execute_no_trans", "entrypoint", NULL } }, 63c6d3aaa4SStephen Smalley { "dir", 64c6d3aaa4SStephen Smalley { COMMON_FILE_PERMS, "add_name", "remove_name", 6549b7b8deSEric Paris "reparent", "search", "rmdir", NULL } }, 66c6d3aaa4SStephen Smalley { "fd", { "use", NULL } }, 67c6d3aaa4SStephen Smalley { "lnk_file", 68c6d3aaa4SStephen Smalley { COMMON_FILE_PERMS, NULL } }, 69c6d3aaa4SStephen Smalley { "chr_file", 70b424485aSEric Paris { COMMON_FILE_PERMS, NULL } }, 71c6d3aaa4SStephen Smalley { "blk_file", 7249b7b8deSEric Paris { COMMON_FILE_PERMS, NULL } }, 73c6d3aaa4SStephen Smalley { "sock_file", 7449b7b8deSEric Paris { COMMON_FILE_PERMS, NULL } }, 75c6d3aaa4SStephen Smalley { "fifo_file", 7649b7b8deSEric Paris { COMMON_FILE_PERMS, NULL } }, 77c6d3aaa4SStephen Smalley { "socket", 78c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 79c6d3aaa4SStephen Smalley { "tcp_socket", 80c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 8142a9699aSStephen Smalley "node_bind", "name_connect", 82c6d3aaa4SStephen Smalley NULL } }, 83c6d3aaa4SStephen Smalley { "udp_socket", 84c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 85c6d3aaa4SStephen Smalley "node_bind", NULL } }, 86c6d3aaa4SStephen Smalley { "rawip_socket", 87c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 88c6d3aaa4SStephen Smalley "node_bind", NULL } }, 89c6d3aaa4SStephen Smalley { "node", 9042a9699aSStephen Smalley { "recvfrom", "sendto", NULL } }, 91c6d3aaa4SStephen Smalley { "netif", 9242a9699aSStephen Smalley { "ingress", "egress", NULL } }, 93c6d3aaa4SStephen Smalley { "netlink_socket", 94c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 95c6d3aaa4SStephen Smalley { "packet_socket", 96c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 97c6d3aaa4SStephen Smalley { "key_socket", 98c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 99c6d3aaa4SStephen Smalley { "unix_stream_socket", 10042a9699aSStephen Smalley { COMMON_SOCK_PERMS, "connectto", NULL } }, 101c6d3aaa4SStephen Smalley { "unix_dgram_socket", 10242a9699aSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 103c6d3aaa4SStephen Smalley { "sem", 104c6d3aaa4SStephen Smalley { COMMON_IPC_PERMS, NULL } }, 105c6d3aaa4SStephen Smalley { "msg", { "send", "receive", NULL } }, 106c6d3aaa4SStephen Smalley { "msgq", 107c6d3aaa4SStephen Smalley { COMMON_IPC_PERMS, "enqueue", NULL } }, 108c6d3aaa4SStephen Smalley { "shm", 109c6d3aaa4SStephen Smalley { COMMON_IPC_PERMS, "lock", NULL } }, 110c6d3aaa4SStephen Smalley { "ipc", 111c6d3aaa4SStephen Smalley { COMMON_IPC_PERMS, NULL } }, 112c6d3aaa4SStephen Smalley { "netlink_route_socket", 113c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 114c6d3aaa4SStephen Smalley "nlmsg_read", "nlmsg_write", NULL } }, 115c6d3aaa4SStephen Smalley { "netlink_tcpdiag_socket", 116c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 117c6d3aaa4SStephen Smalley "nlmsg_read", "nlmsg_write", NULL } }, 118c6d3aaa4SStephen Smalley { "netlink_nflog_socket", 119c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 120c6d3aaa4SStephen Smalley { "netlink_xfrm_socket", 121c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 122c6d3aaa4SStephen Smalley "nlmsg_read", "nlmsg_write", NULL } }, 123c6d3aaa4SStephen Smalley { "netlink_selinux_socket", 124c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1256c6d2e9bSStephen Smalley { "netlink_iscsi_socket", 1266c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 127c6d3aaa4SStephen Smalley { "netlink_audit_socket", 128c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 129c6d3aaa4SStephen Smalley "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv", 130c6d3aaa4SStephen Smalley "nlmsg_tty_audit", NULL } }, 1316c6d2e9bSStephen Smalley { "netlink_fib_lookup_socket", 1326c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1336c6d2e9bSStephen Smalley { "netlink_connector_socket", 1346c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1356c6d2e9bSStephen Smalley { "netlink_netfilter_socket", 1366c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 137c6d3aaa4SStephen Smalley { "netlink_dnrt_socket", 138c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 139c6d3aaa4SStephen Smalley { "association", 140c6d3aaa4SStephen Smalley { "sendto", "recvfrom", "setcontext", "polmatch", NULL } }, 141c6d3aaa4SStephen Smalley { "netlink_kobject_uevent_socket", 142c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1436c6d2e9bSStephen Smalley { "netlink_generic_socket", 1446c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1456c6d2e9bSStephen Smalley { "netlink_scsitransport_socket", 1466c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1476c6d2e9bSStephen Smalley { "netlink_rdma_socket", 1486c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 1496c6d2e9bSStephen Smalley { "netlink_crypto_socket", 1506c6d2e9bSStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 151c6d3aaa4SStephen Smalley { "appletalk_socket", 152c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 153c6d3aaa4SStephen Smalley { "packet", 15447ac19eaSEric Paris { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, 155c6d3aaa4SStephen Smalley { "key", 156c6d3aaa4SStephen Smalley { "view", "read", "write", "search", "link", "setattr", "create", 157c6d3aaa4SStephen Smalley NULL } }, 158c6d3aaa4SStephen Smalley { "dccp_socket", 159c6d3aaa4SStephen Smalley { COMMON_SOCK_PERMS, 160c6d3aaa4SStephen Smalley "node_bind", "name_connect", NULL } }, 161c6d3aaa4SStephen Smalley { "memprotect", { "mmap_zero", NULL } }, 162c6d3aaa4SStephen Smalley { "peer", { "recv", NULL } }, 16364919e60SEric Paris { "capability2", 1648e4ff6f2SStephen Smalley { COMMON_CAP2_PERMS, NULL } }, 165c6d3aaa4SStephen Smalley { "kernel_service", { "use_as_override", "create_files_as", NULL } }, 166c6d3aaa4SStephen Smalley { "tun_socket", 1676f96c142SPaul Moore { COMMON_SOCK_PERMS, "attach_queue", NULL } }, 16879af7307SStephen Smalley { "binder", { "impersonate", "call", "set_context_mgr", "transfer", 16979af7307SStephen Smalley NULL } }, 1708e4ff6f2SStephen Smalley { "cap_userns", 1718e4ff6f2SStephen Smalley { COMMON_CAP_PERMS, NULL } }, 1728e4ff6f2SStephen Smalley { "cap2_userns", 1738e4ff6f2SStephen Smalley { COMMON_CAP2_PERMS, NULL } }, 174da69a530SStephen Smalley { "sctp_socket", 175da69a530SStephen Smalley { COMMON_SOCK_PERMS, 176da69a530SStephen Smalley "node_bind", NULL } }, 177da69a530SStephen Smalley { "icmp_socket", 178da69a530SStephen Smalley { COMMON_SOCK_PERMS, 179da69a530SStephen Smalley "node_bind", NULL } }, 180da69a530SStephen Smalley { "ax25_socket", 181da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 182da69a530SStephen Smalley { "ipx_socket", 183da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 184da69a530SStephen Smalley { "netrom_socket", 185da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 186da69a530SStephen Smalley { "atmpvc_socket", 187da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 188da69a530SStephen Smalley { "x25_socket", 189da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 190da69a530SStephen Smalley { "rose_socket", 191da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 192da69a530SStephen Smalley { "decnet_socket", 193da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 194da69a530SStephen Smalley { "atmsvc_socket", 195da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 196da69a530SStephen Smalley { "rds_socket", 197da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 198da69a530SStephen Smalley { "irda_socket", 199da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 200da69a530SStephen Smalley { "pppox_socket", 201da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 202da69a530SStephen Smalley { "llc_socket", 203da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 204da69a530SStephen Smalley { "can_socket", 205da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 206da69a530SStephen Smalley { "tipc_socket", 207da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 208da69a530SStephen Smalley { "bluetooth_socket", 209da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 210da69a530SStephen Smalley { "iucv_socket", 211da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 212da69a530SStephen Smalley { "rxrpc_socket", 213da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 214da69a530SStephen Smalley { "isdn_socket", 215da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 216da69a530SStephen Smalley { "phonet_socket", 217da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 218da69a530SStephen Smalley { "ieee802154_socket", 219da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 220da69a530SStephen Smalley { "caif_socket", 221da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 222da69a530SStephen Smalley { "alg_socket", 223da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 224da69a530SStephen Smalley { "nfc_socket", 225da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 226da69a530SStephen Smalley { "vsock_socket", 227da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 228da69a530SStephen Smalley { "kcm_socket", 229da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 230da69a530SStephen Smalley { "qipcrtr_socket", 231da69a530SStephen Smalley { COMMON_SOCK_PERMS, NULL } }, 2323051bf36SLinus Torvalds { "smc_socket", 2333051bf36SLinus Torvalds { COMMON_SOCK_PERMS, NULL } }, 234c6d3aaa4SStephen Smalley { NULL } 235c6d3aaa4SStephen Smalley }; 236da69a530SStephen Smalley 2373051bf36SLinus Torvalds #if PF_MAX > 44 238da69a530SStephen Smalley #error New address family defined, please update secclass_map. 239da69a530SStephen Smalley #endif 240