1 /* SPDX-License-Identifier: GPL-2.0 */
2
3 #include <linux/capability.h>
4 #include <linux/socket.h>
5
/*
 * Permissions common to every file-like class and every socket class;
 * expanded at the head of COMMON_FILE_PERMS and COMMON_SOCK_PERMS below.
 * Names are positional (NOTE(review): the generated permission constants
 * follow list order -- confirm against the header generator), so a new name
 * is appended, never inserted.
 */
#define COMMON_FILE_SOCK_PERMS                                            \
        "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \
                "relabelfrom", "relabelto", "append", "map"
9
/*
 * Permission set of the file-like classes in secclass_map ("file", "dir",
 * "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file",
 * "anon_inode"): the shared file/socket names first, then the inode
 * operations that only apply to files.  Positional -- append only.
 */
#define COMMON_FILE_PERMS                                                \
        COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute",   \
                "quotaon", "mounton", "audit_access", "open", "execmod", \
                "watch", "watch_mount", "watch_sb", "watch_with_perm",   \
                "watch_reads"
15
/*
 * Base permission set of every "*_socket" class in secclass_map.  Classes
 * that need more (e.g. "node_bind", "name_connect", the "nlmsg_*" names on
 * netlink sockets) append their extra names after this macro.  Positional --
 * append only.
 */
#define COMMON_SOCK_PERMS                                              \
        COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \
                "getopt", "setopt", "shutdown", "recvfrom", "sendto",  \
                "name_bind"
20
/*
 * Permissions shared by the SysV IPC classes ("sem", "msgq", "shm", "ipc").
 * Positional -- append only.
 */
#define COMMON_IPC_PERMS                                            \
        "create", "destroy", "getattr", "setattr", "read", "write", \
                "associate", "unix_read", "unix_write"
24
/*
 * One permission name per capability, in capability-number order, for
 * CAP_CHOWN (0) through CAP_SETFCAP (31).  The list is exactly 32 entries
 * long -- it fills a 32-bit access vector -- which is why capabilities from
 * 32 upwards live in the separate COMMON_CAP2_PERMS / "capability2" class.
 * Never reorder: the position of a name here must track its CAP_* number.
 */
#define COMMON_CAP_PERMS                                                     \
        "chown", "dac_override", "dac_read_search", "fowner", "fsetid",      \
                "kill", "setgid", "setuid", "setpcap", "linux_immutable",    \
                "net_bind_service", "net_broadcast", "net_admin", "net_raw", \
                "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",          \
                "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",        \
                "sys_boot", "sys_nice", "sys_resource", "sys_time",          \
                "sys_tty_config", "mknod", "lease", "audit_write",           \
                "audit_control", "setfcap"
34
/*
 * Capabilities 32 and up (CAP_MAC_OVERRIDE through CAP_CHECKPOINT_RESTORE),
 * backing the "capability2" and "cap2_userns" classes.  Same rule as
 * COMMON_CAP_PERMS: the position of a name must track its CAP_* number, so
 * a new capability is appended at the end.
 */
#define COMMON_CAP2_PERMS                                                     \
        "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \
                "audit_read", "perfmon", "bpf", "checkpoint_restore"

/*
 * Build-time guard: a capability added to <linux/capability.h> without a
 * matching name in this map would have no SELinux permission to check, so
 * refuse to build until COMMON_CAP2_PERMS is extended.
 */
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif
42
/*
 * Kernel-side SELinux object class / permission map.
 *
 * Each entry names an object class and the NULL-terminated list of
 * permission names the kernel can check on that class.  The order of the
 * entries, and of the names inside each entry, is significant: the build-time
 * header generator derives the SECCLASS_* and permission constants from these
 * positions (NOTE(review): confirm against the generator), so new classes and
 * permissions are appended at the end of their list rather than inserted.
 * A per-class list cannot grow past 32 names -- the split of capabilities
 * across "capability" and "capability2" below is the visible consequence.
 *
 * Note: The name of any socket class must end in "socket" and must not
 *       contain the substring "socket" more than once.
 */
const struct security_class_mapping secclass_map[] = {
        { "security",
          { "compute_av", "compute_create", "compute_member", "check_context",
            "load_policy", "compute_relabel", "compute_user", "setenforce",
            "setbool", "setsecparam", "setcheckreqprot", "read_policy",
            "validate_trans", NULL } },
        { "process",
          { "fork",         "transition",    "sigchld",     "sigkill",
            "sigstop",      "signull",       "signal",      "ptrace",
            "getsched",     "setsched",      "getsession",  "getpgid",
            "setpgid",      "getcap",        "setcap",      "share",
            "getattr",      "setexec",       "setfscreate", "noatsecure",
            "siginh",       "setrlimit",     "rlimitinh",   "dyntransition",
            "setcurrent",   "execmem",       "execstack",   "execheap",
            "setkeycreate", "setsockcreate", "getrlimit",   NULL } },
        { "process2", { "nnp_transition", "nosuid_transition", NULL } },
        { "system",
          { "ipc_info", "syslog_read", "syslog_mod", "syslog_console",
            "module_request", "module_load", NULL } },
        /* Capabilities 0..31; see COMMON_CAP_PERMS. */
        { "capability", { COMMON_CAP_PERMS, NULL } },
        { "filesystem",
          { "mount", "remount", "unmount", "getattr", "relabelfrom",
            "relabelto", "associate", "quotamod", "quotaget", "watch", NULL } },
        /* File-like classes share COMMON_FILE_PERMS; "file" and "dir" add more. */
        { "file",
          { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } },
        { "dir",
          { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent", "search",
            "rmdir", NULL } },
        { "fd", { "use", NULL } },
        { "lnk_file", { COMMON_FILE_PERMS, NULL } },
        { "chr_file", { COMMON_FILE_PERMS, NULL } },
        { "blk_file", { COMMON_FILE_PERMS, NULL } },
        { "sock_file", { COMMON_FILE_PERMS, NULL } },
        { "fifo_file", { COMMON_FILE_PERMS, NULL } },
        /*
         * Socket classes: every name ends in "socket".  Each address family
         * needs one; the PF_MAX check at the end of this file forces this
         * table to be revisited when a family is added.
         */
        { "socket", { COMMON_SOCK_PERMS, NULL } },
        { "tcp_socket",
          { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
        { "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
        { "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
        { "node", { "recvfrom", "sendto", NULL } },
        { "netif", { "ingress", "egress", NULL } },
        { "netlink_socket", { COMMON_SOCK_PERMS, NULL } },
        { "packet_socket", { COMMON_SOCK_PERMS, NULL } },
        { "key_socket", { COMMON_SOCK_PERMS, NULL } },
        { "unix_stream_socket", { COMMON_SOCK_PERMS, "connectto", NULL } },
        { "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } },
        { "sem", { COMMON_IPC_PERMS, NULL } },
        { "msg", { "send", "receive", NULL } },
        { "msgq", { COMMON_IPC_PERMS, "enqueue", NULL } },
        { "shm", { COMMON_IPC_PERMS, "lock", NULL } },
        { "ipc", { COMMON_IPC_PERMS, NULL } },
        /*
         * Netlink sockets that carry privileged read/write message types get
         * "nlmsg_read"/"nlmsg_write" (and, for audit, the relay/readpriv/tty
         * names) on top of the common socket set.
         */
        { "netlink_route_socket",
          { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
        { "netlink_tcpdiag_socket",
          { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
        { "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_xfrm_socket",
          { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } },
        { "netlink_selinux_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_iscsi_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_audit_socket",
          { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", "nlmsg_relay",
            "nlmsg_readpriv", "nlmsg_tty_audit", NULL } },
        { "netlink_fib_lookup_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_connector_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_netfilter_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_dnrt_socket", { COMMON_SOCK_PERMS, NULL } },
        { "association",
          { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
        { "netlink_kobject_uevent_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_generic_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_scsitransport_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_rdma_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netlink_crypto_socket", { COMMON_SOCK_PERMS, NULL } },
        { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } },
        { "packet",
          { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
        { "key",
          { "view", "read", "write", "search", "link", "setattr", "create",
            NULL } },
        { "dccp_socket",
          { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } },
        { "memprotect", { "mmap_zero", NULL } },
        { "peer", { "recv", NULL } },
        /* Capabilities 32 and up; see COMMON_CAP2_PERMS. */
        { "capability2", { COMMON_CAP2_PERMS, NULL } },
        { "kernel_service", { "use_as_override", "create_files_as", NULL } },
        { "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } },
        { "binder",
          { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
        /*
         * Same capability name lists as "capability"/"capability2";
         * presumably used for checks against a non-initial user namespace --
         * NOTE(review): confirm at the capable() hook.
         */
        { "cap_userns", { COMMON_CAP_PERMS, NULL } },
        { "cap2_userns", { COMMON_CAP2_PERMS, NULL } },
        { "sctp_socket",
          { COMMON_SOCK_PERMS, "node_bind", "name_connect", "association",
            NULL } },
        { "icmp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } },
        { "ax25_socket", { COMMON_SOCK_PERMS, NULL } },
        { "ipx_socket", { COMMON_SOCK_PERMS, NULL } },
        { "netrom_socket", { COMMON_SOCK_PERMS, NULL } },
        { "atmpvc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "x25_socket", { COMMON_SOCK_PERMS, NULL } },
        { "rose_socket", { COMMON_SOCK_PERMS, NULL } },
        { "decnet_socket", { COMMON_SOCK_PERMS, NULL } },
        { "atmsvc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "rds_socket", { COMMON_SOCK_PERMS, NULL } },
        { "irda_socket", { COMMON_SOCK_PERMS, NULL } },
        { "pppox_socket", { COMMON_SOCK_PERMS, NULL } },
        { "llc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "can_socket", { COMMON_SOCK_PERMS, NULL } },
        { "tipc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "bluetooth_socket", { COMMON_SOCK_PERMS, NULL } },
        { "iucv_socket", { COMMON_SOCK_PERMS, NULL } },
        { "rxrpc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "isdn_socket", { COMMON_SOCK_PERMS, NULL } },
        { "phonet_socket", { COMMON_SOCK_PERMS, NULL } },
        { "ieee802154_socket", { COMMON_SOCK_PERMS, NULL } },
        { "caif_socket", { COMMON_SOCK_PERMS, NULL } },
        { "alg_socket", { COMMON_SOCK_PERMS, NULL } },
        { "nfc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "vsock_socket", { COMMON_SOCK_PERMS, NULL } },
        { "kcm_socket", { COMMON_SOCK_PERMS, NULL } },
        { "qipcrtr_socket", { COMMON_SOCK_PERMS, NULL } },
        { "smc_socket", { COMMON_SOCK_PERMS, NULL } },
        { "infiniband_pkey", { "access", NULL } },
        { "infiniband_endport", { "manage_subnet", NULL } },
        { "bpf",
          { "map_create", "map_read", "map_write", "prog_load", "prog_run",
            NULL } },
        { "xdp_socket", { COMMON_SOCK_PERMS, NULL } },
        { "mctp_socket", { COMMON_SOCK_PERMS, NULL } },
        { "perf_event",
          { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
        { "anon_inode", { COMMON_FILE_PERMS, NULL } },
        { "io_uring", { "override_creds", "sqpoll", "cmd", NULL } },
        { "user_namespace", { "create", NULL } },
        /* Terminator -- must remain the last entry; new classes go above it. */
        { NULL }
};
183
/*
 * Build-time guard: the socket classes in secclass_map were written against
 * PF_MAX == 46, i.e. one "*_socket" class per address family then defined.
 * Raising PF_MAX without adding the matching class fails the build so the
 * new family cannot silently fall through to a generic class (NOTE(review):
 * the family-to-class lookup itself lives elsewhere -- confirm that it is
 * updated together with this table).
 */
#if PF_MAX > 46
#error New address family defined, please update secclass_map.
#endif