0001
0002
0003
0004
0005
0006
0007
0008
0009 #include <linux/types.h>
0010 #include <linux/kernel.h>
0011 #include <linux/netlink.h>
0012 #include <linux/rtnetlink.h>
0013 #include <linux/if.h>
0014 #include <linux/inet_diag.h>
0015 #include <linux/xfrm.h>
0016 #include <linux/audit.h>
0017 #include <linux/sock_diag.h>
0018
0019 #include "flask.h"
0020 #include "av_permissions.h"
0021 #include "security.h"
0022
/*
 * One row of a netlink message-type -> SELinux permission table.
 * The tables below are searched by nlmsg_perm(), which returns the @perm of
 * the first row whose @nlmsg_type matches the message being checked.
 */
struct nlmsg_perm {
	u16 nlmsg_type;	/* nlmsghdr.nlmsg_type value (RTM_*, XFRM_MSG_*, AUDIT_*, ...) */
	u32 perm;	/* NETLINK_*_SOCKET__NLMSG_* access-vector permission bit */
};
0027
/*
 * NETLINK_ROUTE: message type -> permission.
 *
 * Convention: RTM_GET* types need nlmsg_read, everything that creates,
 * deletes or modifies state needs nlmsg_write.  Lookup is a linear
 * first-match scan (see nlmsg_perm()), so a type must not appear twice.
 * The BUILD_BUG_ON() in selinux_nlmsg_lookup() pins RTM_MAX to the last
 * family listed here so that a new RTM_* type cannot be added to the kernel
 * without this table being revisited.
 */
static const struct nlmsg_perm nlmsg_route_perms[] = {
	/* links */
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* addresses */
	{ RTM_NEWADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDR,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* routes */
	{ RTM_NEWROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* neighbours */
	{ RTM_NEWNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* policy routing rules */
	{ RTM_NEWRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETRULE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* traffic control: qdiscs, classes, filters, actions */
	{ RTM_NEWQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETACTION,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* prefix / multicast / anycast */
	{ RTM_NEWPREFIX,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMULTICAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETANYCAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* neighbour tables */
	{ RTM_GETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* address labels */
	{ RTM_NEWADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* data center bridging */
	{ RTM_GETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* per-device netconf */
	{ RTM_NEWNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* bridge multicast database */
	{ RTM_NEWMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMDB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/*
	 * network namespace ids.
	 * NOTE(review): RTM_DELNSID is the only DEL* type in this table mapped
	 * to nlmsg_read rather than nlmsg_write.  The kernel-side handler
	 * registration is not visible here; if a handler for RTM_DELNSID
	 * exists or is ever added, a domain with only nlmsg_read would be
	 * allowed to delete namespace ids -- confirm and switch to
	 * NLMSG_WRITE if so.
	 */
	{ RTM_NEWNSID,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/*
	 * link stats.  RTM_NEWSTATS is a NEW* type mapped to nlmsg_read;
	 * presumably it is the reply/notification form rather than a request
	 * that modifies state -- confirm against the rtnetlink handler before
	 * changing.
	 */
	{ RTM_NEWSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* multicast route cache reports: likewise read-only here */
	{ RTM_NEWCACHEREPORT,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* tc filter chains */
	{ RTM_NEWCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* nexthop objects */
	{ RTM_NEWNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* link properties (no GET variant is defined) */
	{ RTM_NEWLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	/* bridge vlans */
	{ RTM_NEWVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* resilient nexthop group buckets */
	{ RTM_NEWNEXTHOPBUCKET,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOPBUCKET,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOPBUCKET,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	/* tunnels -- last family; RTM_MAX is checked against RTM_NEWTUNNEL */
	{ RTM_NEWTUNNEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTUNNEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTUNNEL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
};
0098
/*
 * NETLINK_SOCK_DIAG (historically NETLINK_TCPDIAG): message type -> permission.
 *
 * Queries are nlmsg_read; SOCK_DESTROY tears down a socket and is the only
 * type here that needs nlmsg_write.  Note there is no BUILD_BUG_ON() pinning
 * this table to a *_MAX constant, so a new sock_diag request type would fall
 * through nlmsg_perm() with -EINVAL rather than failing the build.
 */
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = {
	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },	/* legacy inet_diag */
	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ SOCK_DIAG_BY_FAMILY,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },	/* generic sock_diag query */
	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },	/* destructive: needs write */
};
0105
/*
 * NETLINK_XFRM (IPsec SA/SPD): message type -> permission.
 *
 * GET* types are nlmsg_read; anything that adds, updates, deletes, flushes or
 * migrates SAs and policies is nlmsg_write.  Several types listed here
 * (ACQUIRE, EXPIRE, POLEXPIRE, REPORT, MAPPING) are presumably
 * kernel-originated notifications; they are still mapped so that a userspace
 * sender of those types is checked rather than rejected as unknown.
 * The BUILD_BUG_ON() in selinux_nlmsg_lookup() pins XFRM_MSG_MAX to the last
 * entry here.
 */
static const struct nlmsg_perm nlmsg_xfrm_perms[] = {
	/* security associations */
	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSA,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* security policies */
	{ XFRM_MSG_NEWPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* SPI allocation reserves an SA slot, hence write */
	{ XFRM_MSG_ALLOCSPI,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_ACQUIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_EXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_POLEXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* flushes remove every SA / policy at once */
	{ XFRM_MSG_FLUSHSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/* anti-replay / lifetime (AE) state */
	{ XFRM_MSG_NEWAE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETAE,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_REPORT,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MIGRATE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	/*
	 * SAD / SPD info.  Asymmetric on purpose? NEWSADINFO is read but
	 * NEWSPDINFO is write -- the xfrm_user handler is not visible here;
	 * NOTE(review): confirm NEWSPDINFO really accepts configuration
	 * (e.g. hash thresholds) before relaxing it.
	 */
	{ XFRM_MSG_NEWSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_GETSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_NEWSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	/* per-netns default policy -- last type; XFRM_MSG_MAX is pinned to GETDEFAULT */
	{ XFRM_MSG_SETDEFAULT,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETDEFAULT,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
};
0133
/*
 * NETLINK_AUDIT control messages: message type -> permission.
 *
 * This table is consulted only for types outside the AUDIT_FIRST_USER_MSG /
 * AUDIT_FIRST_USER_MSG2 ranges, which selinux_nlmsg_lookup() maps to
 * nlmsg_relay before reaching here.  Four distinct permissions are used:
 * nlmsg_read for status queries, nlmsg_readpriv for listing the rule set
 * (more sensitive than plain status), nlmsg_write for anything that changes
 * audit configuration, and nlmsg_tty_audit / nlmsg_relay for the two
 * special cases noted inline.
 */
static const struct nlmsg_perm nlmsg_audit_perms[] = {
	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	/* listing rules exposes the audit policy itself: readpriv, not read */
	{ AUDIT_LIST,		NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	/* same permission as the user-message ranges handled in selinux_nlmsg_lookup() */
	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	/* tty auditing has its own permission so it can be granted separately from write */
	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
	{ AUDIT_GET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
};
0152
0153
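/*
 * nlmsg_perm - look up the SELinux permission that guards a netlink message
 * type in one of the per-protocol tables above.
 * @nlmsg_type: the nlmsg_type field of the message being checked
 * @perm: out: receives the matching NETLINK_*_SOCKET__NLMSG_* permission;
 *        left untouched when nothing matches
 * @tab: table of (type, perm) rows to search; first match wins
 * @tabsize: size of @tab in BYTES -- callers pass sizeof(table), not the
 *           row count
 *
 * Returns 0 on a match and -EINVAL when @nlmsg_type has no row in @tab.
 * An unknown type is therefore reported as an error rather than mapped to
 * some default permission; callers (not visible in this file) decide how
 * that error is surfaced.  The BUILD_BUG_ON() checks in selinux_nlmsg_lookup()
 * help keep the tables in step with the kernel's message-type ranges so
 * that this error path is not hit for legitimate new types.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab,
		      size_t tabsize)
{
	/*
	 * Convert the byte size to a row count once, and index with size_t,
	 * so the loop bound is not a signed/unsigned comparison and the
	 * division is not redone on every iteration.
	 */
	const size_t nrows = tabsize / sizeof(*tab);
	size_t i;

	for (i = 0; i < nrows; i++) {
		if (tab[i].nlmsg_type == nlmsg_type) {
			*perm = tab[i].perm;
			return 0;
		}
	}

	return -EINVAL;
}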
0167
/*
 * is_audit_user_msg_type - true when @nlmsg_type lies in either of the two
 * AUDIT_*_USER_MSG ranges.  Those types are not in nlmsg_audit_perms[]; they
 * all map to the single nlmsg_relay permission instead.
 */
static bool is_audit_user_msg_type(u16 nlmsg_type)
{
	bool in_range1 = nlmsg_type >= AUDIT_FIRST_USER_MSG &&
			 nlmsg_type <= AUDIT_LAST_USER_MSG;
	bool in_range2 = nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
			 nlmsg_type <= AUDIT_LAST_USER_MSG2;

	return in_range1 || in_range2;
}

/*
 * selinux_nlmsg_lookup - map (socket class, netlink message type) to the
 * permission that must be granted on that socket class.
 * @sclass: SECCLASS_NETLINK_*_SOCKET of the sending socket
 * @nlmsg_type: nlmsghdr.nlmsg_type of the message
 * @perm: out: receives the NETLINK_*_SOCKET__NLMSG_* permission on success
 *
 * Returns 0 and fills @perm on success.  Returns -EINVAL when the class is
 * known but @nlmsg_type has no row in its table, and -ENOENT for any class
 * not handled here (either a netlink family with no userspace->kernel
 * messages to control, or one this file does not know about).
 *
 * The BUILD_BUG_ON() checks tie the route and xfrm tables to the kernel's
 * RTM_MAX / XFRM_MSG_MAX: if one fires, a new message type was added to
 * the uapi headers and the matching table above must be extended (and the
 * BUILD_BUG_ON() bumped) before the build will succeed.  There is no such
 * check for the tcpdiag and audit tables.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		/* update nlmsg_route_perms[] first, then bump this check */
		BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
		return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
				  sizeof(nlmsg_route_perms));

	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
				  sizeof(nlmsg_tcpdiag_perms));

	case SECCLASS_NETLINK_XFRM_SOCKET:
		/* update nlmsg_xfrm_perms[] first, then bump this check */
		BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
		return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
				  sizeof(nlmsg_xfrm_perms));

	case SECCLASS_NETLINK_AUDIT_SOCKET:
		/* user-message ranges bypass the table: a single relay permission */
		if (is_audit_user_msg_type(nlmsg_type)) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
			return 0;
		}
		return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
				  sizeof(nlmsg_audit_perms));

	/* no messaging from userspace, or class unknown/unhandled */
	default:
		return -ENOENT;
	}
}