/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Security class / permission name table (secclass_map) and the
 * COMMON_*_PERMS name lists it is assembled from.
 *
 * Every permission list is NULL-terminated and the table itself ends with a
 * { NULL } sentinel.
 *
 * NOTE(review): the position of each class in secclass_map, and of each
 * permission name inside a class, is presumably what the consumers of this
 * table use as the numeric class id and access-vector bit.  Treat both
 * orders as ABI: append new classes and permissions at the end, never insert
 * or reorder — confirm against the code that walks this table.
 */
#include <linux/capability.h>
#include <linux/socket.h>

/*
 * Permissions shared by every file-like and every socket class.
 * COMMON_FILE_PERMS and COMMON_SOCK_PERMS both start with this list.
 */
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
	"getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map"

/*
 * COMMON_FILE_SOCK_PERMS plus the file-only permissions.  Used by file, dir,
 * the *_file classes and anon_inode below.
 */
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
	"rename", "execute", "quotaon", "mounton", "audit_access", \
	"open", "execmod", "watch", "watch_mount", "watch_sb", \
	"watch_with_perm", "watch_reads"

/*
 * COMMON_FILE_SOCK_PERMS plus the socket operations.  Every *_socket class
 * below begins with this list; classes with extra permissions (node_bind,
 * name_connect, nlmsg_*, ...) append them after it.
 */
#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
	"listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
	"sendto", "name_bind"

/* Permissions shared by the SysV IPC classes sem, msgq, shm and ipc. */
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
	"write", "associate", "unix_read", "unix_write"

/*
 * The first 32 capability names, used by the capability and cap_userns
 * classes.  The names track the CAP_* constants from <linux/capability.h>
 * (see the CAP_LAST_CAP check below), so their order is significant.
 * Presumably the split at 32 exists because a class's access vector holds
 * 32 permission bits — confirm against struct security_class_mapping.
 */
#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \
	"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \
	"linux_immutable", "net_bind_service", "net_broadcast", \
	"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \
	"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \
	"sys_boot", "sys_nice", "sys_resource", "sys_time", \
	"sys_tty_config", "mknod", "lease", "audit_write", \
	"audit_control", "setfcap"

/*
 * Capability names from the 33rd capability onward, used by the capability2
 * and cap2_userns classes.  New capabilities are appended here.
 */
#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \
	"wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \
	"checkpoint_restore"

/*
 * Build-time tripwire: if <linux/capability.h> gains a capability beyond the
 * last name in COMMON_CAP2_PERMS, the build fails instead of leaving the new
 * capability unmapped.  Only additions are caught; a reordering of existing
 * CAP_* values would not be detected here.
 */
#if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE
#error New capability defined, please update COMMON_CAP2_PERMS.
#endif

/*
 * Note: The name of any socket class must end in "socket" and must contain
 * the substring "socket" only once.
 */
const struct security_class_mapping secclass_map[] = {
	{ "security",
	  { "compute_av", "compute_create", "compute_member",
	    "check_context", "load_policy", "compute_relabel",
	    "compute_user", "setenforce", "setbool", "setsecparam",
	    "setcheckreqprot", "read_policy", "validate_trans", NULL } },
	{ "process",
	  { "fork", "transition", "sigchld", "sigkill",
	    "sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
	    "getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
	    "getattr", "setexec", "setfscreate", "noatsecure", "siginh",
	    "setrlimit", "rlimitinh", "dyntransition", "setcurrent",
	    "execmem", "execstack", "execheap", "setkeycreate",
	    "setsockcreate", "getrlimit", NULL } },
	{ "process2",
	  { "nnp_transition", "nosuid_transition", NULL } },
	{ "system",
	  { "ipc_info", "syslog_read", "syslog_mod",
	    "syslog_console", "module_request", "module_load", NULL } },
	/* First 32 capabilities; the rest are in "capability2" below. */
	{ "capability",
	  { COMMON_CAP_PERMS, NULL } },
	{ "filesystem",
	  { "mount", "remount", "unmount", "getattr",
	    "relabelfrom", "relabelto", "associate", "quotamod",
	    "quotaget", "watch", NULL } },
	{ "file",
	  { COMMON_FILE_PERMS,
	    "execute_no_trans", "entrypoint", NULL } },
	{ "dir",
	  { COMMON_FILE_PERMS, "add_name", "remove_name",
	    "reparent", "search", "rmdir", NULL } },
	{ "fd", { "use", NULL } },
	{ "lnk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "chr_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "blk_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "sock_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "fifo_file",
	  { COMMON_FILE_PERMS, NULL } },
	{ "socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tcp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect",
	    NULL } },
	{ "udp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "rawip_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	{ "node",
	  { "recvfrom", "sendto", NULL } },
	{ "netif",
	  { "ingress", "egress", NULL } },
	{ "netlink_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "key_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "unix_stream_socket",
	  { COMMON_SOCK_PERMS, "connectto", NULL } },
	{ "unix_dgram_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "sem",
	  { COMMON_IPC_PERMS, NULL } },
	{ "msg", { "send", "receive", NULL } },
	{ "msgq",
	  { COMMON_IPC_PERMS, "enqueue", NULL } },
	{ "shm",
	  { COMMON_IPC_PERMS, "lock", NULL } },
	{ "ipc",
	  { COMMON_IPC_PERMS, NULL } },
	/*
	 * netlink_*_socket classes: some add nlmsg_* permissions on top of
	 * COMMON_SOCK_PERMS, the others carry only the common list.
	 */
	{ "netlink_route_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_tcpdiag_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_nflog_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_xfrm_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", NULL } },
	{ "netlink_selinux_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_iscsi_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_audit_socket",
	  { COMMON_SOCK_PERMS,
	    "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
	    "nlmsg_tty_audit", NULL } },
	{ "netlink_fib_lookup_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_connector_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_netfilter_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_dnrt_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "association",
	  { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
	{ "netlink_kobject_uevent_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_generic_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_scsitransport_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_rdma_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netlink_crypto_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "appletalk_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "packet",
	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
	{ "key",
	  { "view", "read", "write", "search", "link", "setattr", "create",
	    NULL } },
	{ "dccp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", NULL } },
	{ "memprotect", { "mmap_zero", NULL } },
	{ "peer", { "recv", NULL } },
	/* Capabilities from the 33rd onward; see COMMON_CAP2_PERMS. */
	{ "capability2",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
	{ "tun_socket",
	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },
	{ "binder", { "impersonate", "call", "set_context_mgr", "transfer",
		      NULL } },
	/*
	 * cap_userns / cap2_userns reuse the exact capability name lists of
	 * capability / capability2; presumably the user-namespace variants of
	 * those classes — confirm against the caller that selects them.
	 */
	{ "cap_userns",
	  { COMMON_CAP_PERMS, NULL } },
	{ "cap2_userns",
	  { COMMON_CAP2_PERMS, NULL } },
	{ "sctp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", "name_connect", "association", NULL } },
	{ "icmp_socket",
	  { COMMON_SOCK_PERMS,
	    "node_bind", NULL } },
	/*
	 * One class per remaining address family; the PF_MAX check at the end
	 * of this file forces this list to be extended whenever a new family
	 * is added to <linux/socket.h>.
	 */
	{ "ax25_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "ipx_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "netrom_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "atmpvc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "x25_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rose_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "decnet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "atmsvc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rds_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "irda_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "pppox_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "llc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "can_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "tipc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "bluetooth_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "iucv_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "rxrpc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "isdn_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "phonet_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "ieee802154_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "caif_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "alg_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "nfc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "vsock_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "kcm_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "qipcrtr_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "smc_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "infiniband_pkey",
	  { "access", NULL } },
	{ "infiniband_endport",
	  { "manage_subnet", NULL } },
	{ "bpf",
	  { "map_create", "map_read", "map_write", "prog_load", "prog_run",
	    NULL } },
	{ "xdp_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "mctp_socket",
	  { COMMON_SOCK_PERMS, NULL } },
	{ "perf_event",
	  { "open", "cpu", "kernel", "tracepoint", "read", "write", NULL } },
	{ "anon_inode",
	  { COMMON_FILE_PERMS, NULL } },
	{ "io_uring",
	  { "override_creds", "sqpoll", "cmd", NULL } },
	{ "user_namespace",
	  { "create", NULL } },
	/*
	 * NOTE(review): the classes from here to the sentinel (hideaddr,
	 * jit_memory, ced, code_sign, xpm) look vendor-specific rather than
	 * part of the mainline table.  Keeping them after every upstream entry
	 * is what stops upstream class numbers from shifting — keep any future
	 * local additions after them as well.  Confirm against the consumers.
	 */
	{ "hideaddr",
	  { "hide_exec_anon_mem", "hide_exec_anon_mem_debug", NULL } },
	{ "jit_memory",
	  { "exec_mem_ctrl", NULL } },
	{ "ced",
	  { "container_escape_check", NULL } },
	{ "code_sign",
	  { "add_cert_chain", "remove_cert_chain", NULL } },
	{ "xpm",
	  { "exec_no_sign", "exec_anon_mem", NULL } },
	/* Sentinel: terminates the table; every new class goes above it. */
	{ NULL }
  };

/*
 * Build-time tripwire paired with the per-address-family *_socket classes:
 * when <linux/socket.h> defines a new address family, PF_MAX grows past 46
 * and the build fails until a socket class for it is added to secclass_map
 * and this limit is raised to match.
 */
#if PF_MAX > 46
#error New address family defined, please update secclass_map.
#endif