diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a2cc75b3948590c7d71bb457a7c5fec618851cb..2ae7d3cb8df4b0b02b1d3c217c465dbacc6c4bb4 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -672,6 +672,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 return SECCLASS_NETLINK_IP6FW_SOCKET;
 case NETLINK_DNRTMSG:
 return SECCLASS_NETLINK_DNRT_SOCKET;
+ case NETLINK_KOBJECT_UEVENT:
+ return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
 default:
 return SECCLASS_NETLINK_SOCKET;
 }
diff --git a/security/selinux/include/av_inherit.h b/security/selinux/include/av_inherit.h
index 9facb27822a1f537cffa828139cc8a75a6ca33fa..b0e6b12931c98c760727e34d50d0b600004510a0 100644
--- a/security/selinux/include/av_inherit.h
+++ b/security/selinux/include/av_inherit.h
@@ -28,3 +28,4 @@
 S_(SECCLASS_NETLINK_AUDIT_SOCKET, socket, 0x00400000UL)
 S_(SECCLASS_NETLINK_IP6FW_SOCKET, socket, 0x00400000UL)
 S_(SECCLASS_NETLINK_DNRT_SOCKET, socket, 0x00400000UL)
+ S_(SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET, socket, 0x00400000UL)
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 903e8b3cc2e9db221a28b11d156d7d0a9d32e34f..eb340b45bc6f240d5d0a25c3d1f5f0e4c8d1db4f 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -118,6 +118,8 @@
 S_(SECCLASS_CAPABILITY, CAPABILITY__SYS_TTY_CONFIG, "sys_tty_config")
 S_(SECCLASS_CAPABILITY, CAPABILITY__MKNOD, "mknod")
 S_(SECCLASS_CAPABILITY, CAPABILITY__LEASE, "lease")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_WRITE, "audit_write")
+ S_(SECCLASS_CAPABILITY, CAPABILITY__AUDIT_CONTROL, "audit_control")
 S_(SECCLASS_PASSWD, PASSWD__PASSWD, "passwd")
 S_(SECCLASS_PASSWD, PASSWD__CHFN, "chfn")
 S_(SECCLASS_PASSWD, PASSWD__CHSH, "chsh")
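Review bot: The new `case NETLINK_KOBJECT_UEVENT:` is not the only place that consumes the socket class: as far as I recall, the netlink message-type permission table (selinux_nlmsg_lookup in nlmsgtab.c, not in this diff) switches on the same sclass values, so the new class presumably lands in that function's default branch — please confirm that "no per-message permission for uevent sockets" is intended rather than an omission. Until this change such sockets took the `default: return SECCLASS_NETLINK_SOCKET;` branch visible in the hunk, so any domain that was granted generic netlink_socket permissions for a udev/hotplug-style listener will need netlink_kobject_uevent_socket rules once this kernel is paired with an updated policy. I would add a one-line comment above the new case once the nlmsgtab behaviour is confirmed, e.g. `/* uevent listeners (udev): common socket perms only, no nlmsg_type table */`. socket_type_to_security_class starts before this hunk; only the tail of its netlink switch is visible here.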
@@ -230,3 +232,5 @@
 S_(SECCLASS_NSCD, NSCD__SHMEMPWD, "shmempwd")
 S_(SECCLASS_NSCD, NSCD__SHMEMGRP, "shmemgrp")
 S_(SECCLASS_NSCD, NSCD__SHMEMHOST, "shmemhost")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__SENDTO, "sendto")
+ S_(SECCLASS_ASSOCIATION, ASSOCIATION__RECVFROM, "recvfrom")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index b0a12ac8f7eeb190f89275770697b908eec4827f..f9de0f966559cb0cbb658c6b66f82edf2329b37f 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -559,6 +559,8 @@
 #define CAPABILITY__SYS_TTY_CONFIG 0x04000000UL
 #define CAPABILITY__MKNOD 0x08000000UL
 #define CAPABILITY__LEASE 0x10000000UL
+#define CAPABILITY__AUDIT_WRITE 0x20000000UL
+#define CAPABILITY__AUDIT_CONTROL 0x40000000UL
 #define PASSWD__PASSWD 0x00000001UL
 #define PASSWD__CHFN 0x00000002UL
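Review bot: `CAPABILITY__AUDIT_WRITE 0x20000000UL` and `CAPABILITY__AUDIT_CONTROL 0x40000000UL` are only correct because the capability class is positional: as far as I recall the SELinux capability hook derives the access-vector bit from the capability number, so these must equal 1<<CAP_AUDIT_WRITE and 1<<CAP_AUDIT_CONTROL (29 and 30 in include/linux/capability.h), which they do. Nothing in this header asserts that correspondence, and the hunk now uses bits 29 and 30 of what I believe is a 32-bit access vector, leaving one bit before the capability class is full — a future capability cannot simply be appended here. Since this file appears to be generated from the policy's flask definitions, I would record the caveat at the generator or policy source rather than hand-edit it, e.g. `/* capability perms are positional: bit N == CAP_N; the u32 av caps this class at 32 capabilities */`.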
@@ -900,3 +902,29 @@
 #define NSCD__SHMEMGRP 0x00000040UL
 #define NSCD__SHMEMHOST 0x00000080UL
+#define ASSOCIATION__SENDTO 0x00000001UL
+#define ASSOCIATION__RECVFROM 0x00000002UL
+
+#define NETLINK_KOBJECT_UEVENT_SOCKET__IOCTL 0x00000001UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__READ 0x00000002UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__WRITE 0x00000004UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CREATE 0x00000008UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETATTR 0x00000010UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETATTR 0x00000020UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LOCK 0x00000040UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELFROM 0x00000080UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RELABELTO 0x00000100UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__APPEND 0x00000200UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__BIND 0x00000400UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__CONNECT 0x00000800UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__LISTEN 0x00001000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__ACCEPT 0x00002000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__GETOPT 0x00004000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SETOPT 0x00008000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SHUTDOWN 0x00010000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECVFROM 0x00020000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SENDTO 0x00040000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__RECV_MSG 0x00080000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__SEND_MSG 0x00100000UL
+#define NETLINK_KOBJECT_UEVENT_SOCKET__NAME_BIND 0x00200000UL
+
diff --git a/security/selinux/include/class_to_string.h b/security/selinux/include/class_to_string.h
index 519a77d7394a4e4c798ad8d955630f9a739bb558..77b2c5996f355add1b9a4d7698cb7728daa60879 100644
--- a/security/selinux/include/class_to_string.h
+++ b/security/selinux/include/class_to_string.h
@@ -56,3 +56,5 @@
 S_("netlink_dnrt_socket")
 S_("dbus")
 S_("nscd")
+ S_("association")
+ S_("netlink_kobject_uevent_socket")
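Review bot: `ASSOCIATION__SENDTO`/`ASSOCIATION__RECVFROM` define permissions for a class that nothing in this diff enforces: hooks.c only gains the uevent netlink mapping, so until some hook checks SECCLASS_ASSOCIATION these definitions are inert (harmless, but a reader of the headers may assume association traffic is already mediated). If this is deliberate groundwork for a later network-association check, that should be stated in the commit message or in a comment next to the definitions, e.g. `/* association: no kernel hook yet; defined to keep the class/permission tables in step with policy */`. The uevent class's 22 permissions end at `NAME_BIND 0x00200000UL`, which is consistent with the `0x00400000UL` base it is given in av_inherit.h for the common socket set, whereas the association class inherits nothing — presumably intended, but worth a word since the two new classes are shaped so differently.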
diff --git a/security/selinux/include/flask.h b/security/selinux/include/flask.h
index 4eef1b654e922778bb50689ce66f4c0ffae70dae..eb9f50823f6e132c78557f16cc20963bb247226f 100644
--- a/security/selinux/include/flask.h
+++ b/security/selinux/include/flask.h
@@ -58,6 +58,8 @@
 #define SECCLASS_NETLINK_DNRT_SOCKET 51
 #define SECCLASS_DBUS 52
 #define SECCLASS_NSCD 53
+#define SECCLASS_ASSOCIATION 54
+#define SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55
 /*
 * Security identifier indices for initial entities
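Review bot: `SECCLASS_ASSOCIATION 54` and `SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET 55` are positional indices that the `S_("association")` / `S_("netlink_kobject_uevent_socket")` entries appended to class_to_string.h and the hooks.c mapping all depend on, and the order does match across the hunks; the coupling that is not visible here is with the loaded policy, which must define the same classes at the same positions. A policy built before this change knows no class 54 or 55, so the commit should say what the kernel does on such a mismatch (a load-time error or a denial at first use — I cannot tell from the diff). I would put the dependency in a comment at the top of this list, e.g. `/* class indices are shared with the loaded policy: append only, in the same order as the policy's security_classes */`. The hunk ends inside the following comment block, which continues past the diff.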