// SPDX-License-Identifier: GPL-2.0-only
/*
* Netlink message type permission tables, for user generated messages.
*
* Author: James Morris <[email protected]>
*
* Copyright (C) 2004 Red Hat, Inc., James Morris <[email protected]>
*/
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if.h>
#include <linux/inet_diag.h>
#include <linux/xfrm.h>
#include <linux/audit.h>
#include <linux/sock_diag.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"
/*
 * One row of a per-class permission table: a netlink message type and the
 * SELinux permission value a userspace sender must hold to send it. The
 * tables below are scanned linearly by nlmsg_perm(), so they need not be
 * sorted.
 */
struct nlmsg_perm {
	u16 nlmsg_type;	/* nlmsg_type of the netlink header being matched */
	u32 perm;	/* required NETLINK_*_SOCKET__NLMSG_* permission */
};
/*
 * Permission required for each user-originated RTM_* message type on
 * NETLINK_ROUTE sockets. A type missing from this table is refused by
 * nlmsg_perm() with -EINVAL. When the netlink_xperm policy capability is
 * enabled, selinux_nlmsg_lookup() bypasses this table and returns the base
 * NLMSG permission instead.
 *
 * selinux_nlmsg_lookup() carries a BUILD_BUG_ON() tying RTM_MAX to the last
 * entry here (RTM_NEWTUNNEL + 3); when a new RTM_* family is added to the
 * kernel, extend this table first and then update that check.
 */
static const struct nlmsg_perm nlmsg_route_perms[] = {
	{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/*
	 * NOTE(review): RTM_DELNSID is mapped to NLMSG_READ while every other
	 * RTM_DEL* type above requires NLMSG_WRITE; the intent is not visible
	 * in this file - confirm before relying on it in policy.
	 */
	{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	/* NEWSTATS / NEWCACHEREPORT are READ; presumably reply-style types */
	{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_SETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETVLAN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* last entry: selinux_nlmsg_lookup() checks RTM_MAX == RTM_NEWTUNNEL + 3 */
	{ RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
/*
 * Permission required for user-originated messages on NETLINK_TCPDIAG
 * (socket diagnostics) sockets. Queries need NLMSG_READ; SOCK_DESTROY,
 * which acts on a live socket, needs NLMSG_WRITE. Types not listed here
 * are refused by nlmsg_perm() with -EINVAL.
 */
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = {
	{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
/*
 * Permission required for each user-originated XFRM_MSG_* type on
 * NETLINK_XFRM (IPsec SA/policy) sockets. Types not listed here are refused
 * by nlmsg_perm() with -EINVAL.
 *
 * selinux_nlmsg_lookup() carries a BUILD_BUG_ON() requiring XFRM_MSG_MAX to
 * equal the last entry here (XFRM_MSG_GETDEFAULT); extend this table before
 * updating that check when new XFRM message types are added.
 */
static const struct nlmsg_perm nlmsg_xfrm_perms[] = {
	{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/*
	 * NOTE(review): NEWSADINFO is READ but NEWSPDINFO is WRITE; the
	 * asymmetry is not explained in this file - confirm it is intended.
	 */
	{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ XFRM_MSG_SETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* last entry: selinux_nlmsg_lookup() checks XFRM_MSG_MAX against it */
	{ XFRM_MSG_GETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
/*
 * Permission required for each user-originated AUDIT_* control message on
 * NETLINK_AUDIT sockets. Beyond READ/WRITE this class distinguishes
 * NLMSG_READPRIV (listing the rule set), NLMSG_RELAY (AUDIT_USER records
 * relayed on behalf of userspace) and NLMSG_TTY_AUDIT (AUDIT_TTY_SET).
 *
 * The AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG and ..._MSG2 ranges are
 * handled in selinux_nlmsg_lookup() before this table is consulted and
 * map to NLMSG_RELAY; they are deliberately not enumerated here. Any other
 * type not listed is refused by nlmsg_perm() with -EINVAL.
 */
static const struct nlmsg_perm nlmsg_audit_perms[] = {
	{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
	{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
	{ AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
};
/*
 * nlmsg_perm - find the permission a table assigns to a message type
 * @nlmsg_type: netlink message type to look up
 * @perm: output, set only on success
 * @tab: permission table to scan
 * @tabsize: size of @tab in bytes (sizeof the array, not its entry count)
 *
 * Linear scan; the first matching entry wins. Returns 0 and stores the
 * permission in *@perm, or -EINVAL when @nlmsg_type has no entry, in which
 * case *@perm is left untouched.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab,
		      size_t tabsize)
{
	const struct nlmsg_perm *end = tab + tabsize / sizeof(*tab);
	const struct nlmsg_perm *entry;

	for (entry = tab; entry < end; entry++) {
		if (entry->nlmsg_type == nlmsg_type) {
			*perm = entry->perm;
			return 0;
		}
	}

	/* unknown type for this class: deny rather than guess */
	return -EINVAL;
}
/**
 * selinux_nlmsg_lookup - map a user-sent netlink message to a permission
 * @sclass: security class of the socket (SECCLASS_NETLINK_*_SOCKET)
 * @nlmsg_type: type field of the netlink message header
 * @perm: output, the permission the sender must hold
 *
 * Returns 0 with *@perm set; -EINVAL when @sclass is handled here but
 * @nlmsg_type has no entry in its table; -ENOENT when @sclass is not one of
 * the classes handled here (no userspace messaging, or unknown/unhandled).
 * *@perm is left untouched on error.
 *
 * While it is possible to add a similar permission to other netlink classes,
 * note that the extended permission value is matched against the nlmsg_type
 * field. Notably, SECCLASS_NETLINK_GENERIC_SOCKET uses dynamic values for
 * this field, which means that it cannot be added as-is.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	const struct nlmsg_perm *tab;
	size_t tabsize;
	u32 xperm;

	/* Select the per-class table and the base permission used under
	 * the netlink_xperm policy capability; unknown classes leave early.
	 */
	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
		 * If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
		xperm = NETLINK_ROUTE_SOCKET__NLMSG;
		tab = nlmsg_route_perms;
		tabsize = sizeof(nlmsg_route_perms);
		break;
	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		xperm = NETLINK_TCPDIAG_SOCKET__NLMSG;
		tab = nlmsg_tcpdiag_perms;
		tabsize = sizeof(nlmsg_tcpdiag_perms);
		break;
	case SECCLASS_NETLINK_XFRM_SOCKET:
		/* If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
		xperm = NETLINK_XFRM_SOCKET__NLMSG;
		tab = nlmsg_xfrm_perms;
		tabsize = sizeof(nlmsg_xfrm_perms);
		break;
	case SECCLASS_NETLINK_AUDIT_SOCKET:
		xperm = NETLINK_AUDIT_SOCKET__NLMSG;
		tab = nlmsg_audit_perms;
		tabsize = sizeof(nlmsg_audit_perms);
		break;
	default:
		/* No messaging from userspace, or class unknown/unhandled */
		return -ENOENT;
	}

	/* With the netlink_xperm policy capability the per-type split is
	 * expressed as an extended permission, so only the base NLMSG
	 * permission is returned here and the table is not consulted.
	 */
	if (selinux_policycap_netlink_xperm()) {
		*perm = xperm;
		return 0;
	}

	/* Audit user-record ranges are relayed rather than table-driven. */
	if (sclass == SECCLASS_NETLINK_AUDIT_SOCKET &&
	    ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
	      nlmsg_type <= AUDIT_LAST_USER_MSG) ||
	     (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
	      nlmsg_type <= AUDIT_LAST_USER_MSG2))) {
		*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
		return 0;
	}

	return nlmsg_perm(nlmsg_type, perm, tab, tabsize);
}