2019-06-04 08:11:33 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* Netlink message type permission tables, for user generated messages.
|
|
|
|
|
*
|
|
|
|
|
* Author: James Morris <jmorris@redhat.com>
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
|
|
|
|
|
*/
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/netlink.h>
|
|
|
|
|
#include <linux/rtnetlink.h>
|
|
|
|
|
#include <linux/if.h>
|
2005-08-16 03:34:48 +00:00
|
|
|
#include <linux/inet_diag.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/xfrm.h>
|
|
|
|
|
#include <linux/audit.h>
|
2014-01-28 19:45:41 +00:00
|
|
|
#include <linux/sock_diag.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
#include "flask.h"
|
|
|
|
|
#include "av_permissions.h"
|
2011-08-30 02:09:15 +00:00
|
|
|
#include "security.h"
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-04-18 21:38:26 +00:00
|
|
|
struct nlmsg_perm {
|
2024-09-25 20:11:08 +00:00
|
|
|
u16 nlmsg_type;
|
|
|
|
|
u32 perm;
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2022-05-02 13:48:48 +00:00
|
|
|
static const struct nlmsg_perm nlmsg_route_perms[] = {
|
2024-09-25 20:11:08 +00:00
|
|
|
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_NEWNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_SETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETCHAIN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETNEXTHOP, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELLINKPROP, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_NEWVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELVLAN, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETVLAN, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETNEXTHOPBUCKET, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
|
|
|
|
{ RTM_NEWTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_DELTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ RTM_GETTUNNEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2022-05-02 13:48:48 +00:00
|
|
|
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = {
|
2024-09-25 20:11:08 +00:00
|
|
|
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
|
|
|
|
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
|
|
|
|
{ SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
|
|
|
|
|
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2022-05-02 13:48:48 +00:00
|
|
|
static const struct nlmsg_perm nlmsg_xfrm_perms[] = {
|
2024-09-25 20:11:08 +00:00
|
|
|
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
|
|
|
|
{ XFRM_MSG_SETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ XFRM_MSG_GETDEFAULT, NETLINK_XFRM_SOCKET__NLMSG_READ },
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2022-05-02 13:48:48 +00:00
|
|
|
static const struct nlmsg_perm nlmsg_audit_perms[] = {
|
2024-09-25 20:11:08 +00:00
|
|
|
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
|
|
|
|
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
|
|
|
|
{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
|
|
|
|
|
{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
|
|
|
|
|
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
|
|
|
|
{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
|
|
|
|
{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
|
|
|
|
{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
|
|
|
|
|
{ AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
|
|
|
|
|
{ AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2024-09-25 20:11:08 +00:00
|
|
|
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab,
|
|
|
|
|
size_t tabsize)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2023-08-07 17:11:41 +00:00
|
|
|
unsigned int i;
|
|
|
|
|
int err = -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2024-09-25 20:11:08 +00:00
|
|
|
for (i = 0; i < tabsize / sizeof(struct nlmsg_perm); i++)
|
2005-04-16 22:20:36 +00:00
|
|
|
if (nlmsg_type == tab[i].nlmsg_type) {
|
|
|
|
|
*perm = tab[i].perm;
|
|
|
|
|
err = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
|
|
|
|
|
{
|
2024-09-25 20:11:07 +00:00
|
|
|
/* While it is possible to add a similar permission to other netlink
|
|
|
|
|
* classes, note that the extended permission value is matched against
|
|
|
|
|
* the nlmsg_type field. Notably, SECCLASS_NETLINK_GENERIC_SOCKET uses
|
|
|
|
|
* dynamic values for this field, which means that it cannot be added
|
|
|
|
|
* as-is.
|
|
|
|
|
*/
|
selinux: Add netlink xperm support
Reuse the existing extended permissions infrastructure to support
policies based on the netlink message types.
A new policy capability "netlink_xperm" is introduced. When disabled,
the previous behaviour is preserved. That is, netlink_send will rely on
the permission mappings defined in nlmsgtab.c (e.g, nlmsg_read for
RTM_GETADDR on NETLINK_ROUTE). When enabled, the mappings are ignored
and the generic "nlmsg" permission is used instead.
The new "nlmsg" permission is an extended permission. The 16 bits of the
extended permission are mapped to the nlmsg_type field.
Example policy on Android, preventing regular apps from accessing the
device's MAC address and ARP table, but allowing this access to
privileged apps, looks as follows:
allow netdomain self:netlink_route_socket {
create read getattr write setattr lock append connect getopt
setopt shutdown nlmsg
};
allowxperm netdomain self:netlink_route_socket nlmsg ~{
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};
allowxperm priv_app self:netlink_route_socket nlmsg {
RTM_GETLINK RTM_GETNEIGH RTM_GETNEIGHTBL
};
The constants in the example above (e.g., RTM_GETLINK) are explicitly
defined in the policy.
It is possible to generate policies to support kernels that may or
may not have the capability enabled by generating a rule for each
scenario. For instance:
allow domain self:netlink_audit_socket nlmsg_read;
allow domain self:netlink_audit_socket nlmsg;
allowxperm domain self:netlink_audit_socket nlmsg { AUDIT_GET };
The approach of defining a new permission ("nlmsg") instead of relying
on the existing permissions (e.g., "nlmsg_read", "nlmsg_readpriv" or
"nlmsg_tty_audit") has been preferred because:
1. This is similar to the other extended permission ("ioctl");
2. With the new extended permission, the coarse-grained mapping is not
necessary anymore. It could eventually be removed, which would be
impossible if the extended permission was defined below these.
3. Having a single extra extended permission considerably simplifies
the implementation here and in libselinux.
Signed-off-by: Thiébaud Weksteen <tweek@google.com>
Signed-off-by: Bram Bonné <brambonne@google.com>
[PM: manual merge fixes for sock_skip_has_perm()]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-09-12 01:45:03 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
switch (sclass) {
|
|
|
|
|
case SECCLASS_NETLINK_ROUTE_SOCKET:
|
2018-11-28 17:57:33 +00:00
|
|
|
/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
|
|
|
|
|
* If the BUILD_BUG_ON() below fails you must update the
|
|
|
|
|
* structures at the top of this file with the new mappings
|
|
|
|
|
* before updating the BUILD_BUG_ON() macro!
|
|
|
|
|
*/
|
2022-03-01 05:04:34 +00:00
|
|
|
BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2024-09-25 20:11:07 +00:00
|
|
|
if (selinux_policycap_netlink_xperm()) {
|
|
|
|
|
*perm = NETLINK_ROUTE_SOCKET__NLMSG;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
|
|
|
|
|
sizeof(nlmsg_route_perms));
|
|
|
|
|
break;
|
2005-04-16 22:20:36 +00:00
|
|
|
case SECCLASS_NETLINK_TCPDIAG_SOCKET:
|
2024-09-25 20:11:07 +00:00
|
|
|
if (selinux_policycap_netlink_xperm()) {
|
|
|
|
|
*perm = NETLINK_TCPDIAG_SOCKET__NLMSG;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
|
|
|
|
|
sizeof(nlmsg_tcpdiag_perms));
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
|
case SECCLASS_NETLINK_XFRM_SOCKET:
|
2018-11-28 17:57:33 +00:00
|
|
|
/* If the BUILD_BUG_ON() below fails you must update the
|
|
|
|
|
* structures at the top of this file with the new mappings
|
|
|
|
|
* before updating the BUILD_BUG_ON() macro!
|
|
|
|
|
*/
|
2021-09-12 12:22:34 +00:00
|
|
|
BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2024-09-25 20:11:07 +00:00
|
|
|
if (selinux_policycap_netlink_xperm()) {
|
|
|
|
|
*perm = NETLINK_XFRM_SOCKET__NLMSG;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
|
|
|
|
|
sizeof(nlmsg_xfrm_perms));
|
|
|
|
|
break;
|
2005-04-16 22:20:36 +00:00
|
|
|
case SECCLASS_NETLINK_AUDIT_SOCKET:
|
2024-09-25 20:11:07 +00:00
|
|
|
if (selinux_policycap_netlink_xperm()) {
|
|
|
|
|
*perm = NETLINK_AUDIT_SOCKET__NLMSG;
|
|
|
|
|
return 0;
|
|
|
|
|
} else if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
|
|
|
|
|
nlmsg_type <= AUDIT_LAST_USER_MSG) ||
|
|
|
|
|
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
|
|
|
|
|
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
|
2005-05-18 09:21:07 +00:00
|
|
|
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
|
2024-09-25 20:11:07 +00:00
|
|
|
return 0;
|
2005-05-18 09:21:07 +00:00
|
|
|
}
|
2024-09-25 20:11:07 +00:00
|
|
|
return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
|
|
|
|
|
sizeof(nlmsg_audit_perms));
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2024-09-25 20:11:07 +00:00
|
|
|
/* No messaging from userspace, or class unknown/unhandled */
|
|
|
|
|
return -ENOENT;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|