summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Morris <jmorris@redhat.com>2005-04-16 15:24:13 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2005-04-16 15:24:13 -0700
commit0c9b79429c83a404a04908be65baa9d97836bbb6 (patch)
tree66cdf9fc4cf40867ed8c9dc060661615941cd95f
parent7e5c6bc0a600c49e5922591ad41ff41987f54eb4 (diff)
[PATCH] SELinux: add support for NETLINK_KOBJECT_UEVENT
This patch adds SELinux support for the KOBJECT_UEVENT Netlink family, so that SELinux can apply finer grained controls to it. For example, security policy for hald can be locked down to the KOBJECT_UEVENT Netlink family only. Currently, this family simply defaults to the default Netlink socket class. Note that some new permission definitions are added to sync with changes in the core userspace policy package, which auto-generates header files. Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/include/av_inherit.h1
-rw-r--r--security/selinux/include/av_perm_to_string.h4
-rw-r--r--security/selinux/include/av_permissions.h28
-rw-r--r--security/selinux/include/class_to_string.h2
-rw-r--r--security/selinux/include/flask.h2
6 files changed, 39 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a2cc75b394..2ae7d3cb8df 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
return SECCLASS_NETLINK_IP6FW_SOCKET;
case NETLINK_DNRTMSG:
return SECCLASS_NETLINK_DNRT_SOCKET;
+ case NETLINK_KOBJECT_UEVENT:
+ return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
default:
return SECCLASS_NETLINK_SOCKET;
}
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
index 9facb27822a..b0e6b12931c 100644
--- a/security/selinux/include/av_inherit.h
+++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
+ S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 903e8b3cc2e..eb340b45bc6 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
@@ -230,3 +232,5 @@
S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index b0a12ac8f7e..f9de0f96655 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
#define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
#define CAPABILITY__MKNOD 0x08000000UL
#define CAPABILITY__LEASE 0x10000000UL
+#define CAPABILITY__AUDIT_WRITE 0x20000000UL
+#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
#define PASSWD__PASSWD 0x00000001UL
#define PASSWD__CHFN 0x00000002UL
@@ -900,3 +902,29 @@
#define NSCD__SHMEMGRP 0x00000040UL
#define NSCD__SHMEMHOST 0x00000080UL
+#define ASSOCIATION__SENDTO 0x00000001UL
+#define ASSOCIATION__RECVFROM 0x00000002UL
+
+#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
+
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 519a77d7394..77b2c5996f3 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
S_("netlink_dnrt_socket")
S_("dbus")
S_("nscd")
+ S_("association")
+ S_("netlink_kobject_uevent_socket")
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 4eef1b654e9..eb9f50823f6 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
#define SECCLASS_NETLINK_DNRT_SOCKET 51
#define SECCLASS_DBUS 52
#define SECCLASS_NSCD 53
+#define SECCLASS_ASSOCIATION 54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
/*
* Security identifier indices for initial entities