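/*
 * Permissions shared by every file-like and socket-like object class.
 *
 * Expands to a bare, comma-separated list of string literals, so it is only
 * meaningful inside a brace-enclosed permission initializer. The user of the
 * macro appends any class-specific names and the terminating NULL.
 *
 * NOTE(review): permission values are presumably derived from a name's
 * position in the final list, so inserting or reordering names here would
 * renumber every class built on this macro -- confirm against the header
 * generator before changing the order.
 */
#define COMMON_FILE_SOCK_PERMS \
	"ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
	"relabelfrom", "relabelto", "append"
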
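/*
 * Permissions common to all file object classes: the shared file/socket set
 * followed by nine file-only names.
 *
 * Expands to a bare list of string literals; the user appends class-specific
 * names and the terminating NULL.
 *
 * NOTE(review): "execute" and "execmod" sit in this shared list, so every
 * class that uses the macro carries them -- worth keeping in mind when
 * auditing policy grants on non-regular file classes.
 */
#define COMMON_FILE_PERMS \
	COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \
	"quotaon", "mounton", "audit_access", "open", "execmod"
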
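/*
 * Permissions common to all socket object classes: the shared file/socket
 * set followed by ten socket-only names.
 *
 * Expands to a bare list of string literals; the user appends class-specific
 * names (for example "node_bind" or "nlmsg_read") and the terminating NULL.
 */
#define COMMON_SOCK_PERMS \
	COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
	"getopt", "setopt", "shutdown", "recvfrom", "sendto", "name_bind"
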
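/*
 * Permissions common to the IPC object classes in this file (sem, msgq,
 * shm, ipc).
 *
 * Expands to a bare list of string literals; the user appends class-specific
 * names and the terminating NULL.
 */
#define COMMON_IPC_PERMS \
	"create", "destroy", "getattr", "setattr", "read", "write", \
	"associate", "unix_read", "unix_write"
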
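/*
 * Permission names for the first capability class; used by both
 * "capability" and "cap_userns".
 *
 * The list holds exactly 32 names. Names beyond these live in
 * COMMON_CAP2_PERMS.
 *
 * NOTE(review): 32 entries presumably fills a 32-bit access vector, and the
 * order appears to follow the kernel's capability numbering (chown = 0 ...
 * setfcap = 31) -- confirm both before adding or reordering, since a shifted
 * entry would make policy rules refer to the wrong capability.
 */
#define COMMON_CAP_PERMS \
	"chown", "dac_override", "dac_read_search", "fowner", "fsetid", \
	"kill", "setgid", "setuid", "setpcap", "linux_immutable", \
	"net_bind_service", "net_broadcast", "net_admin", "net_raw", \
	"ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", \
	"sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice", \
	"sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", \
	"audit_write", "audit_control", "setfcap"
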
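/*
 * Permission names for the second capability class; used by both
 * "capability2" and "cap2_userns".
 *
 * NOTE(review): these look like the capabilities numbered after the 32 in
 * COMMON_CAP_PERMS, in the same order -- confirm against the capability
 * definitions before appending a new name.
 */
#define COMMON_CAP2_PERMS \
	"mac_override", "mac_admin", "syslog", "wake_alarm", \
	"block_suspend", "audit_read"
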
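/*
 * Table of SELinux object classes and the permission names each class
 * defines.
 *
 * Each entry pairs a class name with a NULL-terminated list of permission
 * names; the table itself ends with a { NULL } sentinel entry.
 *
 * Note: the name of every socket class must end in "socket" and must
 * contain the substring "socket" exactly once.
 *
 * NOTE(review): class and permission values are presumably derived from the
 * position of an entry in this table and of a name in its list. Treat the
 * order as part of the policy ABI: append rather than insert, and confirm
 * against the header generator before moving anything.
 */
struct security_class_mapping secclass_map[] = {
	{ "security",
	  { "compute_av", "compute_create", "compute_member", "check_context",
	    "load_policy", "compute_relabel", "compute_user", "setenforce",
	    "setbool", "setsecparam", "setcheckreqprot", "read_policy",
	    "validate_trans", NULL } },
	/*
	 * "execmem", "execstack" and "execheap" are the executable-memory
	 * permissions of the process class; grants of these are worth a
	 * close look in policy review.
	 */
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill", "sigstop", "signull",
	    "signal", "ptrace", "getsched", "setsched", "getsession",
	    "getpgid", "setpgid", "getcap", "setcap", "share", "getattr",
	    "setexec", "setfscreate", "noatsecure", "siginh", "setrlimit",
	    "rlimitinh", "dyntransition", "setcurrent", "execmem",
	    "execstack", "execheap", "setkeycreate", "setsockcreate",
	    NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
	    "module_request", "module_load", NULL } },
	{ "capability", { COMMON_CAP_PERMS, NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr", "relabelfrom",
	    "relabelto", "associate", "quotamod", "quotaget", NULL } },

	/* File object classes. */
	{ "file",
	  { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent",
	    "search", "rmdir", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file", { COMMON_FILE_PERMS, NULL } },
	{ "chr_file", { COMMON_FILE_PERMS, NULL } },
	{ "blk_file", { COMMON_FILE_PERMS, NULL } },
	{ "sock_file", { COMMON_FILE_PERMS, NULL } },
	{ "fifo_file", { COMMON_FILE_PERMS, NULL } },

	/* Network object classes. */
	{ "socket", { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
	{ "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
	{ "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
	{ "node", { "recvfrom", "sendto", NULL } },
	{ "netif", { "ingress", "egress", NULL } },
	{ "netlink_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket", { COMMON_SOCK_PERMS, "connectto", NULL } },
	{ "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } },

	/* IPC object classes. */
	{ "sem", { COMMON_IPC_PERMS, NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq", { COMMON_IPC_PERMS, "enqueue", NULL } },
	{ "shm", { COMMON_IPC_PERMS, "lock", NULL } },
	{ "ipc", { COMMON_IPC_PERMS, NULL } },

	/*
	 * Netlink socket classes. Only some of them define the per-message
	 * "nlmsg_*" permissions; the rest carry the common socket set alone.
	 */
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_iscsi_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay",
	    "nlmsg_readpriv", "nlmsg_tty_audit", NULL } },
	{ "netlink_fib_lookup_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_connector_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_netfilter_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_dnrt_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "netlink_kobject_uevent_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_generic_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_scsitransport_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_rdma_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_crypto_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket", { COMMON_SOCK_PERMS, NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "forward_in", "forward_out",
	    NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	/* Second capability class; see COMMON_CAP2_PERMS for its names. */
	{ "capability2", { COMMON_CAP2_PERMS, NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } },
	{ "binder",
	  { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
	/*
	 * Same permission lists as "capability" / "capability2".
	 * NOTE(review): presumably checked for capability use inside a
	 * non-initial user namespace -- confirm at the call sites.
	 */
	{ "cap_userns", { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns", { COMMON_CAP2_PERMS, NULL } },
	{ NULL }	/* sentinel: end of table */
};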