Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/av_inherit.h34
-rw-r--r--security/selinux/include/av_perm_to_string.h183
-rw-r--r--security/selinux/include/av_permissions.h44
-rw-r--r--security/selinux/include/avc_ss.h21
-rw-r--r--security/selinux/include/class_to_string.h80
-rw-r--r--security/selinux/include/classmap.h150
-rw-r--r--security/selinux/include/common_perm_to_string.h58
-rw-r--r--security/selinux/include/flask.h40
-rw-r--r--security/selinux/include/security.h13
9 files changed, 206 insertions, 417 deletions
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
deleted file mode 100644
index abedcd704da..00000000000
--- a/security/selinux/include/av_inherit.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_DIR, file, 0x00020000UL)
- S_(SECCLASS_FILE, file, 0x00020000UL)
- S_(SECCLASS_LNK_FILE, file, 0x00020000UL)
- S_(SECCLASS_CHR_FILE, file, 0x00020000UL)
- S_(SECCLASS_BLK_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCK_FILE, file, 0x00020000UL)
- S_(SECCLASS_FIFO_FILE, file, 0x00020000UL)
- S_(SECCLASS_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_TCP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UDP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_RAWIP_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_PACKET_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_KEY_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_STREAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_UNIX_DGRAM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_TUN_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_IPC, ipc, 0x00000200UL)
- S_(SECCLASS_SEM, ipc, 0x00000200UL)
- S_(SECCLASS_MSGQ, ipc, 0x00000200UL)
- S_(SECCLASS_SHM, ipc, 0x00000200UL)
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_NFLOG_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_XFRM_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_SELINUX_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_APPLETALK_SOCKET, socket, 0x00400000UL)
- S_(SECCLASS_DCCP_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
deleted file mode 100644
index 2b683ad83d2..00000000000
--- a/security/selinux/include/av_perm_to_string.h
+++ /dev/null
@@ -1,183 +0,0 @@
-/* This file is automatically generated. Do not edit. */
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
- S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
- S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
- S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
- S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
- S_(SECCLASS_DIR, DIR__SEARCH, "search")
- S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
- S_(SECCLASS_DIR, DIR__OPEN, "open")
- S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
- S_(SECCLASS_FILE, FILE__OPEN, "open")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
- S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
- S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
- S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
- S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
- S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
- S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
- S_(SECCLASS_FD, FD__USE, "use")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
- S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
- S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
- S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
- S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NODE, NODE__RECVFROM, "recvfrom")
- S_(SECCLASS_NODE, NODE__SENDTO, "sendto")
- S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
- S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
- S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
- S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
- S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
- S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
- S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
- S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
- S_(SECCLASS_NETIF, NETIF__INGRESS, "ingress")
- S_(SECCLASS_NETIF, NETIF__EGRESS, "egress")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
- S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
- S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
- S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
- S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
- S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
- S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
- S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
- S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
- S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
- S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
- S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
- S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
- S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
- S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
- S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
- S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
- S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
- S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
- S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
- S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
- S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
- S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
- S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
- S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
- S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
- S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
- S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
- S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
- S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
- S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
- S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
- S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
- S_(SECCLASS_MSG, MSG__SEND, "send")
- S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
- S_(SECCLASS_SHM, SHM__LOCK, "lock")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
- S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
- S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
- S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
- S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
- S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
- S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
- S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
- S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
- S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
- S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
- S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
- S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
- S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
- S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
- S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
- S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
- S_(SECCLASS_CAPABILITY, CAPABILITY__SETFCAP, "setfcap")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_OVERRIDE, "mac_override")
- S_(SECCLASS_CAPABILITY2, CAPABILITY2__MAC_ADMIN, "mac_admin")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
- S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT, "nlmsg_tty_audit")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
- S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
- S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
- S_(SECCLASS_PACKET, PACKET__SEND, "send")
- S_(SECCLASS_PACKET, PACKET__RECV, "recv")
- S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
- S_(SECCLASS_PACKET, PACKET__FLOW_IN, "flow_in")
- S_(SECCLASS_PACKET, PACKET__FLOW_OUT, "flow_out")
- S_(SECCLASS_PACKET, PACKET__FORWARD_IN, "forward_in")
- S_(SECCLASS_PACKET, PACKET__FORWARD_OUT, "forward_out")
- S_(SECCLASS_KEY, KEY__VIEW, "view")
- S_(SECCLASS_KEY, KEY__READ, "read")
- S_(SECCLASS_KEY, KEY__WRITE, "write")
- S_(SECCLASS_KEY, KEY__SEARCH, "search")
- S_(SECCLASS_KEY, KEY__LINK, "link")
- S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
- S_(SECCLASS_KEY, KEY__CREATE, "create")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
- S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
- S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")
- S_(SECCLASS_PEER, PEER__RECV, "recv")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__USE_AS_OVERRIDE, "use_as_override")
- S_(SECCLASS_KERNEL_SERVICE, KERNEL_SERVICE__CREATE_FILES_AS, "create_files_as")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 0546d616cca..fef2582b734 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -423,28 +423,6 @@
#define UNIX_DGRAM_SOCKET__RECV_MSG 0x00080000UL
#define UNIX_DGRAM_SOCKET__SEND_MSG 0x00100000UL
#define UNIX_DGRAM_SOCKET__NAME_BIND 0x00200000UL
-#define TUN_SOCKET__IOCTL 0x00000001UL
-#define TUN_SOCKET__READ 0x00000002UL
-#define TUN_SOCKET__WRITE 0x00000004UL
-#define TUN_SOCKET__CREATE 0x00000008UL
-#define TUN_SOCKET__GETATTR 0x00000010UL
-#define TUN_SOCKET__SETATTR 0x00000020UL
-#define TUN_SOCKET__LOCK 0x00000040UL
-#define TUN_SOCKET__RELABELFROM 0x00000080UL
-#define TUN_SOCKET__RELABELTO 0x00000100UL
-#define TUN_SOCKET__APPEND 0x00000200UL
-#define TUN_SOCKET__BIND 0x00000400UL
-#define TUN_SOCKET__CONNECT 0x00000800UL
-#define TUN_SOCKET__LISTEN 0x00001000UL
-#define TUN_SOCKET__ACCEPT 0x00002000UL
-#define TUN_SOCKET__GETOPT 0x00004000UL
-#define TUN_SOCKET__SETOPT 0x00008000UL
-#define TUN_SOCKET__SHUTDOWN 0x00010000UL
-#define TUN_SOCKET__RECVFROM 0x00020000UL
-#define TUN_SOCKET__SENDTO 0x00040000UL
-#define TUN_SOCKET__RECV_MSG 0x00080000UL
-#define TUN_SOCKET__SEND_MSG 0x00100000UL
-#define TUN_SOCKET__NAME_BIND 0x00200000UL
#define PROCESS__FORK 0x00000001UL
#define PROCESS__TRANSITION 0x00000002UL
#define PROCESS__SIGCHLD 0x00000004UL
@@ -868,3 +846,25 @@
#define PEER__RECV 0x00000001UL
#define KERNEL_SERVICE__USE_AS_OVERRIDE 0x00000001UL
#define KERNEL_SERVICE__CREATE_FILES_AS 0x00000002UL
+#define TUN_SOCKET__IOCTL 0x00000001UL
+#define TUN_SOCKET__READ 0x00000002UL
+#define TUN_SOCKET__WRITE 0x00000004UL
+#define TUN_SOCKET__CREATE 0x00000008UL
+#define TUN_SOCKET__GETATTR 0x00000010UL
+#define TUN_SOCKET__SETATTR 0x00000020UL
+#define TUN_SOCKET__LOCK 0x00000040UL
+#define TUN_SOCKET__RELABELFROM 0x00000080UL
+#define TUN_SOCKET__RELABELTO 0x00000100UL
+#define TUN_SOCKET__APPEND 0x00000200UL
+#define TUN_SOCKET__BIND 0x00000400UL
+#define TUN_SOCKET__CONNECT 0x00000800UL
+#define TUN_SOCKET__LISTEN 0x00001000UL
+#define TUN_SOCKET__ACCEPT 0x00002000UL
+#define TUN_SOCKET__GETOPT 0x00004000UL
+#define TUN_SOCKET__SETOPT 0x00008000UL
+#define TUN_SOCKET__SHUTDOWN 0x00010000UL
+#define TUN_SOCKET__RECVFROM 0x00020000UL
+#define TUN_SOCKET__SENDTO 0x00040000UL
+#define TUN_SOCKET__RECV_MSG 0x00080000UL
+#define TUN_SOCKET__SEND_MSG 0x00100000UL
+#define TUN_SOCKET__NAME_BIND 0x00200000UL
diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h
index bb1ec801bdf..4677aa519b0 100644
--- a/security/selinux/include/avc_ss.h
+++ b/security/selinux/include/avc_ss.h
@@ -10,26 +10,13 @@
int avc_ss_reset(u32 seqno);
-struct av_perm_to_string {
- u16 tclass;
- u32 value;
+/* Class/perm mapping support */
+struct security_class_mapping {
const char *name;
+ const char *perms[sizeof(u32) * 8 + 1];
};
-struct av_inherit {
- const char **common_pts;
- u32 common_base;
- u16 tclass;
-};
-
-struct selinux_class_perm {
- const struct av_perm_to_string *av_perm_to_string;
- u32 av_pts_len;
- u32 cts_len;
- const char **class_to_string;
- const struct av_inherit *av_inherit;
- u32 av_inherit_len;
-};
+extern struct security_class_mapping secclass_map[];
#endif /* _SELINUX_AVC_SS_H_ */
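Review bot: `secclass_map` is declared here as a writable global (`extern struct security_class_mapping secclass_map[];`) and defined without `const` in the new classmap.h, although it is a fixed class/permission name table that the AVC consults for mapping; declaring it `extern const struct security_class_mapping secclass_map[];` here and `const struct security_class_mapping secclass_map[] = {` in classmap.h puts it in read-only data, so a stray write cannot change which name a permission bit maps to. The bound on `perms[sizeof(u32) * 8 + 1]` is also undocumented; a comment such as `/* NULL-terminated: one slot per access-vector bit plus the terminator */` on that line explains the +1 and the 32-permission ceiling it implies. The "Class/perm mapping support" comment could further say that the table itself ends with a `{ NULL }` entry, which is how classmap.h terminates it.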
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
deleted file mode 100644
index 7ab9299bfb6..00000000000
--- a/security/selinux/include/class_to_string.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-/*
- * Security object class definitions
- */
- S_(NULL)
- S_("security")
- S_("process")
- S_("system")
- S_("capability")
- S_("filesystem")
- S_("file")
- S_("dir")
- S_("fd")
- S_("lnk_file")
- S_("chr_file")
- S_("blk_file")
- S_("sock_file")
- S_("fifo_file")
- S_("socket")
- S_("tcp_socket")
- S_("udp_socket")
- S_("rawip_socket")
- S_("node")
- S_("netif")
- S_("netlink_socket")
- S_("packet_socket")
- S_("key_socket")
- S_("unix_stream_socket")
- S_("unix_dgram_socket")
- S_("sem")
- S_("msg")
- S_("msgq")
- S_("shm")
- S_("ipc")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("netlink_route_socket")
- S_("netlink_firewall_socket")
- S_("netlink_tcpdiag_socket")
- S_("netlink_nflog_socket")
- S_("netlink_xfrm_socket")
- S_("netlink_selinux_socket")
- S_("netlink_audit_socket")
- S_("netlink_ip6fw_socket")
- S_("netlink_dnrt_socket")
- S_(NULL)
- S_(NULL)
- S_("association")
- S_("netlink_kobject_uevent_socket")
- S_("appletalk_socket")
- S_("packet")
- S_("key")
- S_(NULL)
- S_("dccp_socket")
- S_("memprotect")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("peer")
- S_("capability2")
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_(NULL)
- S_("kernel_service")
- S_("tun_socket")
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
new file mode 100644
index 00000000000..8b32e959bb2
--- /dev/null
+++ b/security/selinux/include/classmap.h
@@ -0,0 +1,150 @@
+#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
+ "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
+
+#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
+ "rename", "execute", "swapon", "quotaon", "mounton"
+
+#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
+ "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
+ "sendto", "recv_msg", "send_msg", "name_bind"
+
+#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
+ "write", "associate", "unix_read", "unix_write"
+
+struct security_class_mapping secclass_map[] = {
+ { "security",
+ { "compute_av", "compute_create", "compute_member",
+ "check_context", "load_policy", "compute_relabel",
+ "compute_user", "setenforce", "setbool", "setsecparam",
+ "setcheckreqprot", NULL } },
+ { "process",
+ { "fork", "transition", "sigchld", "sigkill",
+ "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
+ "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
+ "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
+ "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
+ "execmem", "execstack", "execheap", "setkeycreate",
+ "setsockcreate", NULL } },
+ { "system",
+ { "ipc_info", "syslog_read", "syslog_mod",
+ "syslog_console", "module_request", NULL } },
+ { "capability",
+ { "chown", "dac_override", "dac_read_search",
+ "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
+ "linux_immutable", "net_bind_service", "net_broadcast",
+ "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
+ "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
+ "sys_boot", "sys_nice", "sys_resource", "sys_time",
+ "sys_tty_config", "mknod", "lease", "audit_write",
+ "audit_control", "setfcap", NULL } },
+ { "filesystem",
+ { "mount", "remount", "unmount", "getattr",
+ "relabelfrom", "relabelto", "transition", "associate", "quotamod",
+ "quotaget", NULL } },
+ { "file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "dir",
+ { COMMON_FILE_PERMS, "add_name", "remove_name",
+ "reparent", "search", "rmdir", "open", NULL } },
+ { "fd", { "use", NULL } },
+ { "lnk_file",
+ { COMMON_FILE_PERMS, NULL } },
+ { "chr_file",
+ { COMMON_FILE_PERMS,
+ "execute_no_trans", "entrypoint", "execmod", "open", NULL } },
+ { "blk_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "sock_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "fifo_file",
+ { COMMON_FILE_PERMS, "open", NULL } },
+ { "socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "tcp_socket",
+ { COMMON_SOCK_PERMS,
+ "connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
+ NULL } },
+ { "udp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "rawip_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", NULL } },
+ { "node",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "enforce_dest",
+ "dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
+ { "netif",
+ { "tcp_recv", "tcp_send", "udp_recv", "udp_send",
+ "rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
+ "ingress", "egress", NULL } },
+ { "netlink_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "key_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "unix_stream_socket",
+ { COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
+ } },
+ { "unix_dgram_socket",
+ { COMMON_SOCK_PERMS, NULL
+ } },
+ { "sem",
+ { COMMON_IPC_PERMS, NULL } },
+ { "msg", { "send", "receive", NULL } },
+ { "msgq",
+ { COMMON_IPC_PERMS, "enqueue", NULL } },
+ { "shm",
+ { COMMON_IPC_PERMS, "lock", NULL } },
+ { "ipc",
+ { COMMON_IPC_PERMS, NULL } },
+ { "netlink_route_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_firewall_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_tcpdiag_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_nflog_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_xfrm_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_selinux_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_audit_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
+ "nlmsg_tty_audit", NULL } },
+ { "netlink_ip6fw_socket",
+ { COMMON_SOCK_PERMS,
+ "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_dnrt_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "association",
+ { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
+ { "netlink_kobject_uevent_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "appletalk_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "packet",
+ { "send", "recv", "relabelto", "flow_in", "flow_out",
+ "forward_in", "forward_out", NULL } },
+ { "key",
+ { "view", "read", "write", "search", "link", "setattr", "create",
+ NULL } },
+ { "dccp_socket",
+ { COMMON_SOCK_PERMS,
+ "node_bind", "name_connect", NULL } },
+ { "memprotect", { "mmap_zero", NULL } },
+ { "peer", { "recv", NULL } },
+ { "capability2", { "mac_override", "mac_admin", NULL } },
+ { "kernel_service", { "use_as_override", "create_files_as", NULL } },
+ { "tun_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { NULL }
+ };
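Review bot: The order of this table is an unchecked invariant that nothing in the file states: the position of each entry plus one must equal the class's SECCLASS_* value in flask.h (this hunk lists "security" first and "tun_socket" 49th, which matches `SECCLASS_TUN_SOCKET 49` in the flask.h hunk), so inserting an entry in the middle would silently shift the name-to-number mapping of every later class. A comment above `struct security_class_mapping secclass_map[] = {` should say so, e.g. `/* Entry i is class i + 1: order must match the SECCLASS_* values in flask.h. Each perms list is NULL-terminated and holds at most 32 names, one per access-vector bit, in bit order. */`, or, if flask.h is generated from this table, say that instead. The same bit-order dependency exists against av_permissions.h, where `TUN_SOCKET__IOCTL 0x00000001UL` is bit 0 and "ioctl" is the first COMMON_SOCK_PERMS string, so the comment is worth mentioning it. Because this header defines an object rather than declaring one, it can be included by exactly one translation unit; a one-line note at the top of the file saying so would keep the next reader from including it twice and getting a duplicate symbol.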
diff --git a/security/selinux/include/common_perm_to_string.h b/security/selinux/include/common_perm_to_string.h
deleted file mode 100644
index ce5b6e2fe9d..00000000000
--- a/security/selinux/include/common_perm_to_string.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* This file is automatically generated. Do not edit. */
-TB_(common_file_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("unlink")
- S_("link")
- S_("rename")
- S_("execute")
- S_("swapon")
- S_("quotaon")
- S_("mounton")
-TE_(common_file_perm_to_string)
-
-TB_(common_socket_perm_to_string)
- S_("ioctl")
- S_("read")
- S_("write")
- S_("create")
- S_("getattr")
- S_("setattr")
- S_("lock")
- S_("relabelfrom")
- S_("relabelto")
- S_("append")
- S_("bind")
- S_("connect")
- S_("listen")
- S_("accept")
- S_("getopt")
- S_("setopt")
- S_("shutdown")
- S_("recvfrom")
- S_("sendto")
- S_("recv_msg")
- S_("send_msg")
- S_("name_bind")
-TE_(common_socket_perm_to_string)
-
-TB_(common_ipc_perm_to_string)
- S_("create")
- S_("destroy")
- S_("getattr")
- S_("setattr")
- S_("read")
- S_("write")
- S_("associate")
- S_("unix_read")
- S_("unix_write")
-TE_(common_ipc_perm_to_string)
-
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index f248500a1e3..5359ca2abf2 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -34,26 +34,26 @@
#define SECCLASS_MSGQ 27
#define SECCLASS_SHM 28
#define SECCLASS_IPC 29
-#define SECCLASS_NETLINK_ROUTE_SOCKET 43
-#define SECCLASS_NETLINK_FIREWALL_SOCKET 44
-#define SECCLASS_NETLINK_TCPDIAG_SOCKET 45
-#define SECCLASS_NETLINK_NFLOG_SOCKET 46
-#define SECCLASS_NETLINK_XFRM_SOCKET 47
-#define SECCLASS_NETLINK_SELINUX_SOCKET 48
-#define SECCLASS_NETLINK_AUDIT_SOCKET 49
-#define SECCLASS_NETLINK_IP6FW_SOCKET 50
-#define SECCLASS_NETLINK_DNRT_SOCKET 51
-#define SECCLASS_ASSOCIATION 54
-#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
-#define SECCLASS_APPLETALK_SOCKET 56
-#define SECCLASS_PACKET 57
-#define SECCLASS_KEY 58
-#define SECCLASS_DCCP_SOCKET 60
-#define SECCLASS_MEMPROTECT 61
-#define SECCLASS_PEER 68
-#define SECCLASS_CAPABILITY2 69
-#define SECCLASS_KERNEL_SERVICE 74
-#define SECCLASS_TUN_SOCKET 75
+#define SECCLASS_NETLINK_ROUTE_SOCKET 30
+#define SECCLASS_NETLINK_FIREWALL_SOCKET 31
+#define SECCLASS_NETLINK_TCPDIAG_SOCKET 32
+#define SECCLASS_NETLINK_NFLOG_SOCKET 33
+#define SECCLASS_NETLINK_XFRM_SOCKET 34
+#define SECCLASS_NETLINK_SELINUX_SOCKET 35
+#define SECCLASS_NETLINK_AUDIT_SOCKET 36
+#define SECCLASS_NETLINK_IP6FW_SOCKET 37
+#define SECCLASS_NETLINK_DNRT_SOCKET 38
+#define SECCLASS_ASSOCIATION 39
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 40
+#define SECCLASS_APPLETALK_SOCKET 41
+#define SECCLASS_PACKET 42
+#define SECCLASS_KEY 43
+#define SECCLASS_DCCP_SOCKET 44
+#define SECCLASS_MEMPROTECT 45
+#define SECCLASS_PEER 46
+#define SECCLASS_CAPABILITY2 47
+#define SECCLASS_KERNEL_SERVICE 48
+#define SECCLASS_TUN_SOCKET 49
/*
* Security identifier indices for initial entities
diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index ca835795a8b..2553266ad79 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -97,11 +97,18 @@ struct av_decision {
#define AVD_FLAGS_PERMISSIVE 0x0001
int security_compute_av(u32 ssid, u32 tsid,
- u16 tclass, u32 requested,
- struct av_decision *avd);
+ u16 tclass, u32 requested,
+ struct av_decision *avd);
+
+int security_compute_av_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 requested,
+ struct av_decision *avd);
int security_transition_sid(u32 ssid, u32 tsid,
- u16 tclass, u32 *out_sid);
+ u16 tclass, u32 *out_sid);
+
+int security_transition_sid_user(u32 ssid, u32 tsid,
+ u16 tclass, u32 *out_sid);
int security_member_sid(u32 ssid, u32 tsid,
u16 tclass, u32 *out_sid);
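Review bot: The new `security_compute_av_user` and `security_transition_sid_user` prototypes carry no comment distinguishing them from `security_compute_av` and `security_transition_sid`, so a caller cannot tell from this header which one to use; presumably the `_user` forms take `tclass`/`requested` in the numbering the calling user-space interface sees rather than the kernel's own, but the header does not say. Since a class or permission value passed in the wrong numbering yields a wrong access decision rather than an error, each pair deserves a one-line comment naming the numbering it expects, e.g. `/* tclass/requested in kernel (classmap.h) numbering */` over `security_compute_av` and a matching line over the `_user` variant, worded to whatever the implementation actually does. The hunk also re-indents the continuation lines of the existing prototypes, which is unrelated whitespace churn; harmless, but it would be cleaner in its own change.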