/*
* Netlink message type permission tables, for user generated messages.
*
* Author: James Morris <[email protected]>
*
* Copyright (C) 2004 Red Hat, Inc., James Morris <[email protected]>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*/
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if.h>
#include <linux/netfilter_ipv4/ip_queue.h>
#include <linux/inet_diag.h>
#include <linux/xfrm.h>
#include <linux/audit.h>
#include "flask.h"
#include "av_permissions.h"
/*
 * One table entry: a netlink message type and the permission a sender
 * must hold on the corresponding netlink socket class to emit it.
 */
struct nlmsg_perm {
	u16	nlmsg_type;	/* message type from the netlink header */
	u32	perm;		/* NETLINK_*_SOCKET__NLMSG_* permission value */
};
/*
 * NETLINK_ROUTE: permission required for each user-originated rtnetlink
 * message type.  Every RTM_GET* request maps to NLMSG_READ; NEW/DEL/SET
 * requests map to NLMSG_WRITE.  Types absent from this table are not
 * granted anything by default (the lookup reports them as unknown).
 */
static struct nlmsg_perm nlmsg_route_perms[] =
{
	/* links */
	{ .nlmsg_type = RTM_NEWLINK,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELLINK,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETLINK,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_SETLINK,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* addresses */
	{ .nlmsg_type = RTM_NEWADDR,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELADDR,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETADDR,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* routes */
	{ .nlmsg_type = RTM_NEWROUTE,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELROUTE,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETROUTE,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* neighbours */
	{ .nlmsg_type = RTM_NEWNEIGH,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNEIGH,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETNEIGH,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* policy rules */
	{ .nlmsg_type = RTM_NEWRULE,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELRULE,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETRULE,      .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* traffic control: qdiscs, classes, filters, actions */
	{ .nlmsg_type = RTM_NEWQDISC,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELQDISC,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETQDISC,     .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_NEWTCLASS,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELTCLASS,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETTCLASS,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_NEWTFILTER,   .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELTFILTER,   .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETTFILTER,   .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_NEWACTION,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELACTION,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETACTION,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* prefixes, multicast/anycast, neighbour tables */
	{ .nlmsg_type = RTM_NEWPREFIX,    .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETMULTICAST, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_GETANYCAST,   .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_GETNEIGHTBL,  .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_SETNEIGHTBL,  .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* address labels */
	{ .nlmsg_type = RTM_NEWADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* data center bridging */
	{ .nlmsg_type = RTM_GETDCB,       .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ .nlmsg_type = RTM_SETDCB,       .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
};
/*
 * NETLINK_FIREWALL / NETLINK_IP6_FW (ip_queue): both user-originated
 * message types alter queueing state, so both require NLMSG_WRITE.  The
 * same table serves the IPv4 and IPv6 socket classes.
 */
static struct nlmsg_perm nlmsg_firewall_perms[] =
{
	{ .nlmsg_type = IPQM_MODE,    .perm = NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = IPQM_VERDICT, .perm = NETLINK_FIREWALL_SOCKET__NLMSG_WRITE },
};
/*
 * NETLINK_INET_DIAG: socket diagnostic queries only expose state, so
 * both request types map to NLMSG_READ.
 */
static struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
	{ .nlmsg_type = TCPDIAG_GETSOCK,  .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ .nlmsg_type = DCCPDIAG_GETSOCK, .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
};
/*
 * NETLINK_XFRM (IPsec SA/SPD management): the three GET* queries map to
 * NLMSG_READ; everything else, including ACQUIRE/EXPIRE/POLEXPIRE and the
 * FLUSH* operations, changes kernel state and maps to NLMSG_WRITE.
 */
static struct nlmsg_perm nlmsg_xfrm_perms[] =
{
	/* security associations */
	{ .nlmsg_type = XFRM_MSG_NEWSA,       .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_DELSA,       .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETSA,       .perm = NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* security policies */
	{ .nlmsg_type = XFRM_MSG_NEWPOLICY,   .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_DELPOLICY,   .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETPOLICY,   .perm = NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* SPI allocation and key-manager events */
	{ .nlmsg_type = XFRM_MSG_ALLOCSPI,    .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_ACQUIRE,     .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_EXPIRE,      .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* updates */
	{ .nlmsg_type = XFRM_MSG_UPDPOLICY,   .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_UPDSA,       .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_POLEXPIRE,   .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* bulk flush */
	{ .nlmsg_type = XFRM_MSG_FLUSHSA,     .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_FLUSHPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* anti-replay / lifetime state */
	{ .nlmsg_type = XFRM_MSG_NEWAE,       .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETAE,       .perm = NETLINK_XFRM_SOCKET__NLMSG_READ  },
};
/*
 * NETLINK_AUDIT control messages.  Listing the configuration or the rule
 * set needs the stronger NLMSG_READPRIV rather than NLMSG_READ; AUDIT_USER
 * is relayed (NLMSG_RELAY), and AUDIT_TTY_SET has its own NLMSG_TTY_AUDIT
 * permission.  Records in the AUDIT_*_USER_MSG ranges are handled by the
 * lookup function before this table is consulted.
 */
static struct nlmsg_perm nlmsg_audit_perms[] =
{
	/* daemon status */
	{ .nlmsg_type = AUDIT_GET,         .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ      },
	{ .nlmsg_type = AUDIT_SET,         .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	/* legacy rule interface */
	{ .nlmsg_type = AUDIT_LIST,        .perm = NETLINK_AUDIT_SOCKET__NLMSG_READPRIV  },
	{ .nlmsg_type = AUDIT_ADD,         .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	{ .nlmsg_type = AUDIT_DEL,         .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	/* rule interface */
	{ .nlmsg_type = AUDIT_LIST_RULES,  .perm = NETLINK_AUDIT_SOCKET__NLMSG_READPRIV  },
	{ .nlmsg_type = AUDIT_ADD_RULE,    .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	{ .nlmsg_type = AUDIT_DEL_RULE,    .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	/* user-space records and signal info */
	{ .nlmsg_type = AUDIT_USER,        .perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY     },
	{ .nlmsg_type = AUDIT_SIGNAL_INFO, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ      },
	/* watch tree maintenance */
	{ .nlmsg_type = AUDIT_TRIM,        .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	{ .nlmsg_type = AUDIT_MAKE_EQUIV,  .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE     },
	/* tty auditing */
	{ .nlmsg_type = AUDIT_TTY_GET,     .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ      },
	{ .nlmsg_type = AUDIT_TTY_SET,     .perm = NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
};
/*
 * Find the permission for @nlmsg_type in @tab.
 *
 * @tabsize is the table's size in bytes (callers pass sizeof(table)), not
 * its element count.  On a match *@perm is set and 0 is returned.  A type
 * with no entry leaves *@perm untouched and returns -EINVAL, so message
 * types that were never listed are never granted a permission implicitly.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, struct nlmsg_perm *tab, size_t tabsize)
{
	size_t count = tabsize / sizeof(*tab);
	size_t idx;

	for (idx = 0; idx < count; idx++) {
		if (tab[idx].nlmsg_type != nlmsg_type)
			continue;
		*perm = tab[idx].perm;
		return 0;
	}

	return -EINVAL;
}
/*
 * selinux_nlmsg_lookup - map a netlink message type to a SELinux permission
 * @sclass:     security class of the sending netlink socket
 * @nlmsg_type: message type taken from the user-supplied netlink header
 * @perm:       receives the permission to check on success
 *
 * Returns 0 and sets *@perm when @nlmsg_type is known for @sclass.
 * Returns -EINVAL when the class is handled here but the type has no table
 * entry, and -ENOENT when the class has no user-generated messages or is
 * not handled here; callers can tell the two cases apart.  For the audit
 * class, types inside either AUDIT_*_USER_MSG range map to NLMSG_RELAY
 * without a table lookup.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	struct nlmsg_perm *tab;
	size_t tabsize;

	/* Pick the table for the class; only the audit class has a special case. */
	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		tab = nlmsg_route_perms;
		tabsize = sizeof(nlmsg_route_perms);
		break;

	case SECCLASS_NETLINK_FIREWALL_SOCKET:
	case SECCLASS_NETLINK_IP6FW_SOCKET:
		/* IPv4 and IPv6 packet queueing share one table. */
		tab = nlmsg_firewall_perms;
		tabsize = sizeof(nlmsg_firewall_perms);
		break;

	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		tab = nlmsg_tcpdiag_perms;
		tabsize = sizeof(nlmsg_tcpdiag_perms);
		break;

	case SECCLASS_NETLINK_XFRM_SOCKET:
		tab = nlmsg_xfrm_perms;
		tabsize = sizeof(nlmsg_xfrm_perms);
		break;

	case SECCLASS_NETLINK_AUDIT_SOCKET:
		/*
		 * Types in the two user-message ranges are relayed rather than
		 * looked up; only audit control messages consult the table.
		 */
		if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
		     nlmsg_type <= AUDIT_LAST_USER_MSG) ||
		    (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
		     nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
			return 0;
		}
		tab = nlmsg_audit_perms;
		tabsize = sizeof(nlmsg_audit_perms);
		break;

	/* No messaging from userspace, or class unknown/unhandled */
	default:
		return -ENOENT;
	}

	return nlmsg_perm(nlmsg_type, perm, tab, tabsize);
}