^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * Netlink message type permission tables, for user generated messages.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Author: James Morris <jmorris@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) #include <linux/types.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include <linux/kernel.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include <linux/netlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include <linux/rtnetlink.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include <linux/if.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include <linux/inet_diag.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include <linux/xfrm.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include <linux/audit.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include <linux/sock_diag.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include "flask.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) #include "av_permissions.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) #include "security.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22)
/*
 * One row of a per-socket-class permission table: the netlink message type
 * and the SELinux permission that selinux_nlmsg_lookup() reports for it.
 * The tables below are searched linearly by nlmsg_perm(); the first match
 * for a given nlmsg_type wins, so a type must not appear twice in a table.
 */
struct nlmsg_perm {
	u16	nlmsg_type;	/* RTM_* / XFRM_MSG_* / AUDIT_* / *_GETSOCK value */
	u32	perm;		/* NETLINK_<class>_SOCKET__NLMSG_* permission */
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27)
/*
 * NETLINK_ROUTE message types -> permission.
 *
 * Deliberately NOT const: selinux_nlmsg_init() rewrites the RTM_GETLINK,
 * RTM_GETNEIGH and RTM_GETNEIGHTBL rows at init time through
 * nlmsg_set_perm_for_type(), which is the only writer of this table in
 * this file. Every other table in this file is const.
 *
 * selinux_nlmsg_lookup() carries a BUILD_BUG_ON() that ties this table to
 * RTM_MAX, so a new RTM_* type has to be added here before that check is
 * updated; a type missing from the table makes nlmsg_perm() return -EINVAL.
 */
static struct nlmsg_perm nlmsg_route_perms[] =
{
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* RTM_GETLINK may be re-mapped to NLMSG_READPRIV by selinux_nlmsg_init() */
	{ RTM_GETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDR,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* RTM_GETNEIGH may be re-mapped to NLMSG_GETNEIGH by selinux_nlmsg_init() */
	{ RTM_GETNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETRULE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETACTION,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWPREFIX,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMULTICAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETANYCAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* RTM_GETNEIGHTBL may be re-mapped to NLMSG_GETNEIGH by selinux_nlmsg_init() */
	{ RTM_GETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMDB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNSID,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* NOTE(review): RTM_DELNSID is the only DEL* type mapped to nlmsg_read
	 * rather than nlmsg_write; confirm the asymmetry with NEWNSID is intended. */
	{ RTM_DELNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* NOTE(review): NEWSTATS and NEWCACHEREPORT are NEW* types mapped to
	 * nlmsg_read; presumably kernel-originated notifications — verify. */
	{ RTM_NEWSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWCACHEREPORT,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* last entry: the BUILD_BUG_ON() in selinux_nlmsg_lookup() pins RTM_MAX to RTM_NEWVLAN + 3 */
	{ RTM_GETVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92)
/*
 * NETLINK_INET_DIAG / sock_diag message types -> permission.
 * Only SOCK_DESTROY needs nlmsg_write; the three query types are nlmsg_read.
 * Unlike the route table there is no BUILD_BUG_ON() guarding this one, so a
 * new diag type silently falls through to -EINVAL from nlmsg_perm().
 */
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ SOCK_DIAG_BY_FAMILY,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100)
/*
 * NETLINK_XFRM message types -> permission.
 * selinux_nlmsg_lookup() has a BUILD_BUG_ON() that pins XFRM_MSG_MAX to
 * XFRM_MSG_MAPPING, the last row here; a new XFRM_MSG_* type must be added
 * to this table before that check is changed.
 */
static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{
	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSA,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_NEWPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_ALLOCSPI,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_ACQUIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_EXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_POLEXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_NEWAE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETAE,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_REPORT,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MIGRATE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* NOTE(review): NEWSADINFO is nlmsg_read but NEWSPDINFO is nlmsg_write;
	 * confirm the two *INFO "NEW" types are meant to differ. */
	{ XFRM_MSG_NEWSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_GETSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_NEWSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* last entry; must stay equal to XFRM_MSG_MAX (see selinux_nlmsg_lookup()) */
	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127)
/*
 * NETLINK_AUDIT message types -> permission.
 *
 * Only the control messages live here. User-originated records in the
 * AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG and
 * AUDIT_FIRST_USER_MSG2..AUDIT_LAST_USER_MSG2 ranges are handled directly
 * in selinux_nlmsg_lookup() (always nlmsg_relay) before this table is
 * consulted. Four distinct permissions are used so policy can separate
 * reading configuration (nlmsg_read), listing rules (nlmsg_readpriv),
 * changing configuration (nlmsg_write), relaying records (nlmsg_relay)
 * and TTY auditing (nlmsg_tty_audit).
 */
static const struct nlmsg_perm nlmsg_audit_perms[] =
{
	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	/* rule listing is privileged-read, not plain read */
	{ AUDIT_LIST,		NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	/* same permission as the user-message ranges in selinux_nlmsg_lookup() */
	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	/* TTY_SET has its own permission rather than nlmsg_write */
	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
	{ AUDIT_GET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
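/*
 * nlmsg_perm - find the permission mapped to one netlink message type
 * @nlmsg_type: message type from the netlink header (user-generated, per
 *              the file header comment, so it may be any u16 value)
 * @perm: out: set to the matching entry's permission on success only
 * @tab: table to search
 * @tabsize: size of @tab in BYTES (callers pass sizeof(table)), not entries
 *
 * Linear scan; the first entry whose nlmsg_type equals @nlmsg_type wins.
 * Returns 0 with *@perm set, or -EINVAL if @nlmsg_type has no entry; *@perm
 * is left untouched in that case. A zero-length table simply returns -EINVAL.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
	/* Convert the byte size to an entry count once, and keep the index
	 * unsigned so the bound check is not a signed/unsigned comparison. */
	const size_t nent = tabsize / sizeof(*tab);
	size_t i;

	for (i = 0; i < nent; i++) {
		if (tab[i].nlmsg_type == nlmsg_type) {
			*perm = tab[i].perm;
			return 0;
		}
	}

	return -EINVAL;
}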
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162)
/**
 * selinux_nlmsg_lookup - map a user netlink message to the permission it needs
 * @sclass: SELinux socket class (SECCLASS_NETLINK_*_SOCKET) of the socket
 * @nlmsg_type: message type from the netlink header
 * @perm: out: the NETLINK_*_SOCKET__NLMSG_* permission required
 *
 * Returns 0 with *@perm set; -EINVAL when @sclass has a table but
 * @nlmsg_type is not in it (*@perm untouched); -ENOENT when @sclass is
 * not one of the four classes that take user-generated messages.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
		 * If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(RTM_MAX != (RTM_NEWVLAN + 3));
		return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
				  sizeof(nlmsg_route_perms));

	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
				  sizeof(nlmsg_tcpdiag_perms));

	case SECCLASS_NETLINK_XFRM_SOCKET:
		/* If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
		return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
				  sizeof(nlmsg_xfrm_perms));

	case SECCLASS_NETLINK_AUDIT_SOCKET: {
		/* Both user-record ranges bypass the table: they are all
		 * nlmsg_relay, and are never an -EINVAL miss. */
		const bool user_record =
			(nlmsg_type >= AUDIT_FIRST_USER_MSG &&
			 nlmsg_type <= AUDIT_LAST_USER_MSG) ||
			(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
			 nlmsg_type <= AUDIT_LAST_USER_MSG2);

		if (user_record) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
			return 0;
		}
		return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
				  sizeof(nlmsg_audit_perms));
	}

	/* No messaging from userspace, or class unknown/unhandled */
	default:
		return -ENOENT;
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214)
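/*
 * nlmsg_set_perm_for_type - change the permission of one route-table entry
 * @perm: new NETLINK_ROUTE_SOCKET__NLMSG_* permission for the entry
 * @type: RTM_* message type whose entry is rewritten
 *
 * Only nlmsg_route_perms is touched (it is the one non-const table, for
 * exactly this purpose); the first entry matching @type is updated and the
 * scan stops. A @type with no entry is silently ignored - there is no
 * return value or log, so a typo in the caller's RTM_* constant would go
 * unnoticed. The only caller in this file is selinux_nlmsg_init(), which
 * runs at init; nothing else in this file writes to the table afterwards.
 */
static void nlmsg_set_perm_for_type(u32 perm, u16 type)
{
	/* ARRAY_SIZE() yields size_t; an unsigned index avoids a
	 * signed/unsigned comparison in the loop bound. */
	size_t i;

	for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
		if (nlmsg_route_perms[i].nlmsg_type == type) {
			nlmsg_route_perms[i].perm = perm;
			break;
		}
	}
}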
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226)
/**
 * selinux_nlmsg_init - apply policy-capability overrides to the route table
 *
 * Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
 * netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
 * Similarly, use nlmsg_getneigh for RTM_GETNEIGH and RTM_GETNEIGHTBL if the
 * netlink_route_getneigh policy capability is set. Otherwise use nlmsg_read.
 *
 * Each capability is queried exactly once; the chosen permission is then
 * written into nlmsg_route_perms through nlmsg_set_perm_for_type().
 */
void selinux_nlmsg_init(void)
{
	u32 getlink_perm = NETLINK_ROUTE_SOCKET__NLMSG_READ;
	u32 getneigh_perm = NETLINK_ROUTE_SOCKET__NLMSG_READ;

	if (selinux_android_nlroute_getlink())
		getlink_perm = NETLINK_ROUTE_SOCKET__NLMSG_READPRIV;
	nlmsg_set_perm_for_type(getlink_perm, RTM_GETLINK);

	if (selinux_android_nlroute_getneigh())
		getneigh_perm = NETLINK_ROUTE_SOCKET__NLMSG_GETNEIGH;
	nlmsg_set_perm_for_type(getneigh_perm, RTM_GETNEIGH);
	nlmsg_set_perm_for_type(getneigh_perm, RTM_GETNEIGHTBL);
}