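// SPDX-License-Identifier: GPL-2.0-only
/*
 * Netlink message type permission tables, for user generated messages.
 *
 * Each netlink socket class that accepts user-originated messages gets a
 * table mapping the nlmsg_type of a request to the SELinux permission the
 * sender must hold on the socket.  selinux_nlmsg_lookup() is the only entry
 * point; it selects the table by security class and reports the permission
 * (or an error when the type/class is not covered).
 *
 * Author: James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
 */
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if.h>
#include <linux/inet_diag.h>
#include <linux/xfrm.h>
#include <linux/audit.h>
#include <linux/sock_diag.h>

#include "flask.h"
#include "av_permissions.h"
#include "security.h"

/* One table row: a netlink message type and the permission it requires. */
struct nlmsg_perm {
	u16	nlmsg_type;
	u32	perm;
};

/*
 * NETLINK_ROUTE: GET* types need NLMSG_READ, NEW*/DEL*/SET* need
 * NLMSG_WRITE.  A few rows deviate from that pattern (e.g. RTM_DELNSID,
 * RTM_NEWSTATS, RTM_NEWCACHEREPORT are READ); they are kept as found —
 * NOTE(review): confirm each deviation is intentional before relying on it.
 */
static const struct nlmsg_perm nlmsg_route_perms[] =
{
	{ RTM_NEWLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETLINK,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDR,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDR,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETROUTE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEIGH,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELRULE,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETRULE,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETQDISC,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTCLASS,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETTFILTER,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELACTION,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETACTION,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWPREFIX,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMULTICAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETANYCAST,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETNEIGHTBL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETADDRLABEL,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_SETDCB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNETCONF,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELMDB,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETMDB,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNSID,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETNSID,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_GETSTATS,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWCACHEREPORT,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETCHAIN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETNEXTHOP,	NETLINK_ROUTE_SOCKET__NLMSG_READ  },
	{ RTM_NEWLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELLINKPROP,	NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_NEWVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_DELVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ RTM_GETVLAN,		NETLINK_ROUTE_SOCKET__NLMSG_READ  },
};

/* NETLINK_INET_DIAG / sock_diag: only SOCK_DESTROY is a write. */
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
	{ TCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ DCCPDIAG_GETSOCK,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ SOCK_DIAG_BY_FAMILY,	NETLINK_TCPDIAG_SOCKET__NLMSG_READ  },
	{ SOCK_DESTROY,		NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};

/* NETLINK_XFRM (IPsec SA/SP database). */
static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{
	{ XFRM_MSG_NEWSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSA,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_NEWPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_DELPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_ALLOCSPI,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_ACQUIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_EXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_UPDSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_POLEXPIRE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHSA,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_FLUSHPOLICY,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_NEWAE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETAE,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_REPORT,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MIGRATE,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_NEWSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_GETSADINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_NEWSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETSPDINFO,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_MAPPING,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
	{ XFRM_MSG_SETDEFAULT,	NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ XFRM_MSG_GETDEFAULT,	NETLINK_XFRM_SOCKET__NLMSG_READ  },
};

/*
 * NETLINK_AUDIT control messages.  Rule listing needs the stronger
 * NLMSG_READPRIV, AUDIT_USER is a relay, and AUDIT_TTY_SET has its own
 * NLMSG_TTY_AUDIT permission.  The AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG
 * ranges are handled in selinux_nlmsg_lookup(), not in this table.
 */
static const struct nlmsg_perm nlmsg_audit_perms[] =
{
	{ AUDIT_GET,		NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_LIST,		NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_LIST_RULES,	NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ AUDIT_ADD_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
	{ AUDIT_GET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
	{ AUDIT_SET_FEATURE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
};


/**
 * nlmsg_perm - look a message type up in one permission table
 * @nlmsg_type: netlink message type taken from the user's nlmsghdr
 * @perm: output, set to the required permission on success (untouched otherwise)
 * @tab: table to search
 * @tabsize: size of @tab in BYTES (callers pass sizeof(table)), not a row count
 *
 * Linear scan; the tables are short and this is not a hot path.  The index
 * is size_t so the bound comparison stays unsigned (tabsize is size_t).
 *
 * Return: 0 when @nlmsg_type is found, -EINVAL when it is not.  A table
 * shorter than one row (tabsize of 0) simply yields -EINVAL.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
	size_t i, n = tabsize / sizeof(*tab);
	int err = -EINVAL;

	for (i = 0; i < n; i++)
		if (nlmsg_type == tab[i].nlmsg_type) {
			*perm = tab[i].perm;
			err = 0;
			break;
		}

	return err;
}

/**
 * selinux_nlmsg_lookup - map (socket class, message type) to a permission
 * @sclass: SELinux security class of the netlink socket
 * @nlmsg_type: netlink message type the user is sending
 * @perm: output, the permission the sender must hold on the socket
 *
 * Return: 0 and *@perm set on success; -EINVAL when the class is handled but
 * the message type is not in its table; -ENOENT when the class accepts no
 * user messages or is not handled here.  How the caller treats each error
 * (deny vs. fall back to a policy-wide "unknown" decision) is decided in the
 * netlink_send hook, not in this file.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	int err = 0;

	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
		 * If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(RTM_MAX != (RTM_NEWVLAN + 3));
		err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
				 sizeof(nlmsg_route_perms));
		break;

	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		/* No BUILD_BUG_ON here: the diag family has no *_MAX symbol
		 * to pin the table against, so new diag types must be added
		 * to nlmsg_tcpdiag_perms by hand.
		 */
		err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
				 sizeof(nlmsg_tcpdiag_perms));
		break;

	case SECCLASS_NETLINK_XFRM_SOCKET:
		/* If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
		err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
				 sizeof(nlmsg_xfrm_perms));
		break;

	case SECCLASS_NETLINK_AUDIT_SOCKET:
		/* Whole ranges of user-defined audit record types are relayed
		 * to auditd rather than listed one by one in the table.
		 */
		if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
		     nlmsg_type <= AUDIT_LAST_USER_MSG) ||
		    (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
		     nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
		} else {
			err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
					 sizeof(nlmsg_audit_perms));
		}
		break;

	/* No messaging from userspace, or class unknown/unhandled */
	default:
		err = -ENOENT;
		break;
	}

	return err;
}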