linux-stable-rt/security/selinux/include/av_perm_to_string.h

162 lines
9.5 KiB
C
Raw Normal View History

/* This file is automatically generated. Do not edit. */
S_(SECCLASS_FILESYSTEM, FILESYSTEM__MOUNT, "mount")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__REMOUNT, "remount")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__UNMOUNT, "unmount")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__GETATTR, "getattr")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELFROM, "relabelfrom")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__RELABELTO, "relabelto")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__TRANSITION, "transition")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__ASSOCIATE, "associate")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAMOD, "quotamod")
S_(SECCLASS_FILESYSTEM, FILESYSTEM__QUOTAGET, "quotaget")
S_(SECCLASS_DIR, DIR__ADD_NAME, "add_name")
S_(SECCLASS_DIR, DIR__REMOVE_NAME, "remove_name")
S_(SECCLASS_DIR, DIR__REPARENT, "reparent")
S_(SECCLASS_DIR, DIR__SEARCH, "search")
S_(SECCLASS_DIR, DIR__RMDIR, "rmdir")
S_(SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, "execute_no_trans")
S_(SECCLASS_FILE, FILE__ENTRYPOINT, "entrypoint")
S_(SECCLASS_FILE, FILE__EXECMOD, "execmod")
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECUTE_NO_TRANS, "execute_no_trans")
S_(SECCLASS_CHR_FILE, CHR_FILE__ENTRYPOINT, "entrypoint")
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
S_(SECCLASS_FD, FD__USE, "use")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NEWCONN, "newconn")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__ACCEPTFROM, "acceptfrom")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__NAME_CONNECT, "name_connect")
S_(SECCLASS_UDP_SOCKET, UDP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_RAWIP_SOCKET, RAWIP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_NODE, NODE__TCP_RECV, "tcp_recv")
S_(SECCLASS_NODE, NODE__TCP_SEND, "tcp_send")
S_(SECCLASS_NODE, NODE__UDP_RECV, "udp_recv")
S_(SECCLASS_NODE, NODE__UDP_SEND, "udp_send")
S_(SECCLASS_NODE, NODE__RAWIP_RECV, "rawip_recv")
S_(SECCLASS_NODE, NODE__RAWIP_SEND, "rawip_send")
S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
S_(SECCLASS_NETIF, NETIF__UDP_SEND, "udp_send")
S_(SECCLASS_NETIF, NETIF__RAWIP_RECV, "rawip_recv")
S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
S_(SECCLASS_PROCESS, PROCESS__FORK, "fork")
S_(SECCLASS_PROCESS, PROCESS__TRANSITION, "transition")
S_(SECCLASS_PROCESS, PROCESS__SIGCHLD, "sigchld")
S_(SECCLASS_PROCESS, PROCESS__SIGKILL, "sigkill")
S_(SECCLASS_PROCESS, PROCESS__SIGSTOP, "sigstop")
S_(SECCLASS_PROCESS, PROCESS__SIGNULL, "signull")
S_(SECCLASS_PROCESS, PROCESS__SIGNAL, "signal")
S_(SECCLASS_PROCESS, PROCESS__PTRACE, "ptrace")
S_(SECCLASS_PROCESS, PROCESS__GETSCHED, "getsched")
S_(SECCLASS_PROCESS, PROCESS__SETSCHED, "setsched")
S_(SECCLASS_PROCESS, PROCESS__GETSESSION, "getsession")
S_(SECCLASS_PROCESS, PROCESS__GETPGID, "getpgid")
S_(SECCLASS_PROCESS, PROCESS__SETPGID, "setpgid")
S_(SECCLASS_PROCESS, PROCESS__GETCAP, "getcap")
S_(SECCLASS_PROCESS, PROCESS__SETCAP, "setcap")
S_(SECCLASS_PROCESS, PROCESS__SHARE, "share")
S_(SECCLASS_PROCESS, PROCESS__GETATTR, "getattr")
S_(SECCLASS_PROCESS, PROCESS__SETEXEC, "setexec")
S_(SECCLASS_PROCESS, PROCESS__SETFSCREATE, "setfscreate")
S_(SECCLASS_PROCESS, PROCESS__NOATSECURE, "noatsecure")
S_(SECCLASS_PROCESS, PROCESS__SIGINH, "siginh")
S_(SECCLASS_PROCESS, PROCESS__SETRLIMIT, "setrlimit")
S_(SECCLASS_PROCESS, PROCESS__RLIMITINH, "rlimitinh")
S_(SECCLASS_PROCESS, PROCESS__DYNTRANSITION, "dyntransition")
S_(SECCLASS_PROCESS, PROCESS__SETCURRENT, "setcurrent")
S_(SECCLASS_PROCESS, PROCESS__EXECMEM, "execmem")
[PATCH] selinux: add executable stack check This patch adds an execstack permission check that controls the ability to make the main process stack executable so that attempts to make the stack executable can still be prevented even if the process is allowed the existing execmem permission in order to e.g. perform runtime code generation. Note that this does not yet address thread stacks. Note also that unlike the execmem check, the execstack check is only applied on mprotect calls, not mmap calls, as the current security_file_mmap hook is not passed the necessary information presently. The original author of the code that makes the distinction of the stack region, is Ingo Molnar, who wrote it within his patch for /proc/<pid>/maps markers. (http://marc.theaimsgroup.com/?l=linux-kernel&m=110719881508591&w=2) The patches also can be found at: http://pearls.tuxedo-es.org/patches/selinux/policy-execstack.patch http://pearls.tuxedo-es.org/patches/selinux/kernel-execstack.patch policy-execstack.patch is the patch that needs to be applied to the policy in order to support the execstack permission and exclude it from general_domain_access within macros/core_macros.te. kernel-execstack.patch adds such permission to the SELinux code within the kernel and adds the proper permission check to the selinux_file_mprotect() hook. Signed-off-by: Lorenzo Hernandez Garcia-Hierro <lorenzo@gnu.org> Acked-by: James Morris <jmorris@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-06-26 05:54:34 +08:00
S_(SECCLASS_PROCESS, PROCESS__EXECSTACK, "execstack")
S_(SECCLASS_PROCESS, PROCESS__EXECHEAP, "execheap")
S_(SECCLASS_PROCESS, PROCESS__SETKEYCREATE, "setkeycreate")
S_(SECCLASS_PROCESS, PROCESS__SETSOCKCREATE, "setsockcreate")
S_(SECCLASS_MSGQ, MSGQ__ENQUEUE, "enqueue")
S_(SECCLASS_MSG, MSG__SEND, "send")
S_(SECCLASS_MSG, MSG__RECEIVE, "receive")
S_(SECCLASS_SHM, SHM__LOCK, "lock")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_AV, "compute_av")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_CREATE, "compute_create")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_MEMBER, "compute_member")
S_(SECCLASS_SECURITY, SECURITY__CHECK_CONTEXT, "check_context")
S_(SECCLASS_SECURITY, SECURITY__LOAD_POLICY, "load_policy")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_RELABEL, "compute_relabel")
S_(SECCLASS_SECURITY, SECURITY__COMPUTE_USER, "compute_user")
S_(SECCLASS_SECURITY, SECURITY__SETENFORCE, "setenforce")
S_(SECCLASS_SECURITY, SECURITY__SETBOOL, "setbool")
S_(SECCLASS_SECURITY, SECURITY__SETSECPARAM, "setsecparam")
S_(SECCLASS_SECURITY, SECURITY__SETCHECKREQPROT, "setcheckreqprot")
S_(SECCLASS_SYSTEM, SYSTEM__IPC_INFO, "ipc_info")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")
S_(SECCLASS_CAPABILITY, CAPABILITY__FOWNER, "fowner")
S_(SECCLASS_CAPABILITY, CAPABILITY__FSETID, "fsetid")
S_(SECCLASS_CAPABILITY, CAPABILITY__KILL, "kill")
S_(SECCLASS_CAPABILITY, CAPABILITY__SETGID, "setgid")
S_(SECCLASS_CAPABILITY, CAPABILITY__SETUID, "setuid")
S_(SECCLASS_CAPABILITY, CAPABILITY__SETPCAP, "setpcap")
S_(SECCLASS_CAPABILITY, CAPABILITY__LINUX_IMMUTABLE, "linux_immutable")
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BIND_SERVICE, "net_bind_service")
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_BROADCAST, "net_broadcast")
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_ADMIN, "net_admin")
S_(SECCLASS_CAPABILITY, CAPABILITY__NET_RAW, "net_raw")
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_LOCK, "ipc_lock")
S_(SECCLASS_CAPABILITY, CAPABILITY__IPC_OWNER, "ipc_owner")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_MODULE, "sys_module")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RAWIO, "sys_rawio")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_CHROOT, "sys_chroot")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PTRACE, "sys_ptrace")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_PACCT, "sys_pacct")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_ADMIN, "sys_admin")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_BOOT, "sys_boot")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_NICE, "sys_nice")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_RESOURCE, "sys_resource")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TIME, "sys_time")
S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_ROUTE_SOCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_FIREWALL_SOCKET, NETLINK_FIREWALL_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_TCPDIAG_SOCKET, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_XFRM_SOCKET, NETLINK_XFRM_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE, "nlmsg_write")
[PATCH] SELinux: add finer grained permissions to Netlink audit processing This patch provides finer grained permissions for the audit family of Netlink sockets under SELinux. 1. We need a way to differentiate between privileged and unprivileged reads of kernel data maintained by the audit subsystem. The AUDIT_GET operation is unprivileged: it returns the current status of the audit subsystem (e.g. whether it's enabled etc.). The AUDIT_LIST operation however returns a list of the current audit ruleset, which is considered privileged by the audit folk. To deal with this, a new SELinux permission has been implemented and applied to the operation: nlmsg_readpriv, which can be allocated to appropriately privileged domains. Unprivileged domains would only be allocated nlmsg_read. 2. There is a requirement for certain domains to generate audit events from userspace. These events need to be collected by the kernel, collated and transmitted sequentially back to the audit daemon. An example is user level login, an auditable event under CAPP, where login-related domains generate AUDIT_USER messages via PAM which are relayed back to auditd via the kernel. To prevent handing out nlmsg_write permissions to such domains, a new permission has been added, nlmsg_relay, which is intended for this type of purpose: data is passed via the kernel back to userspace but no privileged information is written to the kernel. Also, AUDIT_LOGIN messages are now valid only for kernel->user messaging, so this value has been removed from the SELinux nlmsgtab (which is only used to check user->kernel messages). Signed-off-by: James Morris <jmorris@redhat.com> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-05-01 23:58:40 +08:00
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_RELAY, "nlmsg_relay")
S_(SECCLASS_NETLINK_AUDIT_SOCKET, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV, "nlmsg_readpriv")
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_READ, "nlmsg_read")
S_(SECCLASS_NETLINK_IP6FW_SOCKET, NETLINK_IP6FW_SOCKET__NLMSG_WRITE, "nlmsg_write")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
S_(SECCLASS_ASSOCIATION, ASSOCIATION__SETCONTEXT, "setcontext")
[MLSXFRM]: Granular IPSec associations for use in MLS environments The current approach to labeling Security Associations for SELinux purposes uses a one-to-one mapping between xfrm policy rules and security associations. This doesn't address the needs of real world MLS (Multi-level System, traditional Bell-LaPadula) environments where a single xfrm policy rule (pertaining to a range, classified to secret for example) might need to map to multiple Security Associations (one each for classified, secret, top secret and all the compartments applicable to these security levels). This patch set addresses the above problem by allowing for the mapping of a single xfrm policy rule to multiple security associations, with each association used in the security context it is defined for. It also includes the security context to be used in IKE negotiation in the acquire messages sent to the IKE daemon so that a unique SA can be negotiated for each unique security context. A couple of bug fixes are also included; checks to make sure the SAs used by a packet match policy (security context-wise) on the inbound and also that the bundle used for the outbound matches the security context of the flow. This patch set also makes the use of the SELinux sid in flow cache lookups seemless by including the sid in the flow key itself. Also, open requests as well as connection-oriented child sockets are labeled automatically to be at the same level as the peer to allow for use of appropriately labeled IPSec associations. Description of changes: A "sid" member has been added to the flow cache key resulting in the sid being available at all needed locations and the flow cache lookups automatically using the sid. The flow sid is derived from the socket on the outbound and the SAs (unlabeled where an SA was not used) on the inbound. Outbound case: 1. Find policy for the socket. 2. OLD: Find an SA that matches the policy. NEW: Find an SA that matches BOTH the policy and the flow/socket. This is necessary since not every SA that matches the policy can be used for the flow/socket. Consider policy range Secret-TS, and SAs each for Secret and TS. We don't want a TS socket to use the Secret SA. Hence the additional check for the SA Vs. flow/socket. 3. NEW: When looking thru bundles for a policy, make sure the flow/socket can use the bundle. If a bundle is not found, create one, calling for IKE if necessary. If using IKE, include the security context in the acquire message to the IKE daemon. Inbound case: 1. OLD: Find policy for the socket. NEW: Find policy for the incoming packet based on the sid of the SA(s) it used or the unlabeled sid if no SAs were used. (Consider a case where a socket is "authorized" for two policies (unclassified-confidential, secret-top_secret). If the packet has come in using a secret SA, we really ought to be using the latter policy (secret-top_secret).) 2. OLD: BUG: No check to see if the SAs used by the packet agree with the policy sec_ctx-wise. (It was indicated in selinux_xfrm_sock_rcv_skb() that this was being accomplished by (x->id.spi == tmpl->id.spi || !tmpl->id.spi) in xfrm_state_ok, but it turns out tmpl->id.spi would normally be zero (unless xfrm policy rules specify one at the template level, which they usually don't). NEW: The socket is checked for access to the SAs used (based on the sid of the SAs) in selinux_xfrm_sock_rcv_skb(). Forward case: This would be Step 1 from the Inbound case, followed by Steps 2 and 3 from the Outbound case. Outstanding items/issues: - Timewait acknowledgements and such are generated in the current/upstream implementation using a NULL socket resulting in the any_socket sid (SYSTEM_HIGH) to be used. This problem is not addressed by this patch set. This patch: Add new flask definitions to SELinux Adds a new avperm "polmatch" to arbitrate flow/state access to a xfrm policy rule. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-07-25 14:26:30 +08:00
S_(SECCLASS_ASSOCIATION, ASSOCIATION__POLMATCH, "polmatch")
S_(SECCLASS_PACKET, PACKET__SEND, "send")
S_(SECCLASS_PACKET, PACKET__RECV, "recv")
S_(SECCLASS_PACKET, PACKET__RELABELTO, "relabelto")
S_(SECCLASS_KEY, KEY__VIEW, "view")
S_(SECCLASS_KEY, KEY__READ, "read")
S_(SECCLASS_KEY, KEY__WRITE, "write")
S_(SECCLASS_KEY, KEY__SEARCH, "search")
S_(SECCLASS_KEY, KEY__LINK, "link")
S_(SECCLASS_KEY, KEY__SETATTR, "setattr")
S_(SECCLASS_KEY, KEY__CREATE, "create")
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NODE_BIND, "node_bind")
S_(SECCLASS_DCCP_SOCKET, DCCP_SOCKET__NAME_CONNECT, "name_connect")
S_(SECCLASS_MEMPROTECT, MEMPROTECT__MMAP_ZERO, "mmap_zero")