// SPDX-License-Identifier: GPL-2.0-only
/*
 * Netlink message type permission tables, for user generated messages.
 *
 * Author: James Morris <jmorris@redhat.com>
 *
 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
 */
962306a36Sopenharmony_ci#include <linux/types.h>
1062306a36Sopenharmony_ci#include <linux/kernel.h>
1162306a36Sopenharmony_ci#include <linux/netlink.h>
1262306a36Sopenharmony_ci#include <linux/rtnetlink.h>
1362306a36Sopenharmony_ci#include <linux/if.h>
1462306a36Sopenharmony_ci#include <linux/inet_diag.h>
1562306a36Sopenharmony_ci#include <linux/xfrm.h>
1662306a36Sopenharmony_ci#include <linux/audit.h>
1762306a36Sopenharmony_ci#include <linux/sock_diag.h>
1862306a36Sopenharmony_ci
1962306a36Sopenharmony_ci#include "flask.h"
2062306a36Sopenharmony_ci#include "av_permissions.h"
2162306a36Sopenharmony_ci#include "security.h"
2262306a36Sopenharmony_ci
/*
 * One row of a netlink permission table: pairs a netlink message type
 * with the SELinux permission value stored for it.
 */
struct nlmsg_perm {
	u16	nlmsg_type;	/* netlink message type used as the lookup key */
	u32	perm;		/* permission value handed back on a match */
};
2762306a36Sopenharmony_ci
/*
 * Permission table for the netlink route socket class: each row names the
 * NETLINK_ROUTE_SOCKET permission recorded for one RTM_* message type.
 * A type with no row here makes the table lookup fail with -EINVAL.
 *
 * NOTE(review): RTM_DELNSID is mapped to the read permission, unlike the
 * other RTM_DEL* rows, and RTM_NEWSTATS / RTM_NEWCACHEREPORT are mapped to
 * read, unlike the other RTM_NEW* rows. Confirm these are intentional
 * before copying the pattern for new message types.
 */
static const struct nlmsg_perm nlmsg_route_perms[] = {
	{ .nlmsg_type = RTM_NEWLINK, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELLINK, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETLINK, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_SETLINK, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_NEWADDR, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELADDR, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETADDR, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWROUTE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELROUTE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETROUTE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWNEIGH, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNEIGH, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETNEIGH, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWRULE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELRULE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETRULE, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWQDISC, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELQDISC, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETQDISC, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWTCLASS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELTCLASS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETTCLASS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWTFILTER, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELTFILTER, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETTFILTER, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWACTION, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELACTION, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETACTION, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWPREFIX, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETMULTICAST, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_GETANYCAST, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_GETNEIGHTBL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_SETNEIGHTBL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_NEWADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETADDRLABEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_GETDCB, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_SETDCB, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_NEWNETCONF, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNETCONF, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETNETCONF, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWMDB, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELMDB, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETMDB, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWNSID, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNSID, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_GETNSID, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWSTATS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_GETSTATS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_SETSTATS, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_NEWCACHEREPORT, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWCHAIN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELCHAIN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETCHAIN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWNEXTHOP, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNEXTHOP, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETNEXTHOP, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWLINKPROP, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELLINKPROP, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_NEWVLAN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELVLAN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETVLAN, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWNEXTHOPBUCKET, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELNEXTHOPBUCKET, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETNEXTHOPBUCKET, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
	{ .nlmsg_type = RTM_NEWTUNNEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_DELTUNNEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = RTM_GETTUNNEL, .perm = NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
9862306a36Sopenharmony_ci
/*
 * Permission table for the netlink tcpdiag socket class. The three query
 * message types carry the read permission; SOCK_DESTROY is the only row
 * mapped to the write permission.
 */
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] = {
	{ .nlmsg_type = TCPDIAG_GETSOCK, .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ .nlmsg_type = DCCPDIAG_GETSOCK, .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ .nlmsg_type = SOCK_DIAG_BY_FAMILY, .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
	{ .nlmsg_type = SOCK_DESTROY, .perm = NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
10562306a36Sopenharmony_ci
/*
 * Permission table for the netlink xfrm socket class: each row names the
 * NETLINK_XFRM_SOCKET permission recorded for one XFRM_MSG_* type.
 *
 * NOTE(review): XFRM_MSG_NEWSADINFO is mapped to read while
 * XFRM_MSG_NEWSPDINFO is mapped to write. Confirm the asymmetry is
 * intentional before using either row as a template.
 */
static const struct nlmsg_perm nlmsg_xfrm_perms[] = {
	{ .nlmsg_type = XFRM_MSG_NEWSA, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_DELSA, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETSA, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_NEWPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_DELPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_ALLOCSPI, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_ACQUIRE, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_EXPIRE, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_UPDPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_UPDSA, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_POLEXPIRE, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_FLUSHSA, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_FLUSHPOLICY, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_NEWAE, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETAE, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_REPORT, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_MIGRATE, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_NEWSADINFO, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_GETSADINFO, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_NEWSPDINFO, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETSPDINFO, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_MAPPING, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
	{ .nlmsg_type = XFRM_MSG_SETDEFAULT, .perm = NETLINK_XFRM_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = XFRM_MSG_GETDEFAULT, .perm = NETLINK_XFRM_SOCKET__NLMSG_READ },
};
13362306a36Sopenharmony_ci
/*
 * Permission table for the netlink audit socket class. Besides read and
 * write, this table uses the READPRIV, RELAY and TTY_AUDIT permissions,
 * so rule listing, AUDIT_USER relaying and TTY audit configuration are
 * each recorded under their own permission.
 *
 * The user-message ranges are not listed here; selinux_nlmsg_lookup()
 * maps them to the relay permission before this table is consulted.
 */
static const struct nlmsg_perm nlmsg_audit_perms[] = {
	{ .nlmsg_type = AUDIT_GET, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ .nlmsg_type = AUDIT_SET, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_LIST, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ .nlmsg_type = AUDIT_ADD, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_DEL, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_LIST_RULES, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
	{ .nlmsg_type = AUDIT_ADD_RULE, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_DEL_RULE, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_USER, .perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
	{ .nlmsg_type = AUDIT_SIGNAL_INFO, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ .nlmsg_type = AUDIT_TRIM, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_MAKE_EQUIV, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
	{ .nlmsg_type = AUDIT_TTY_GET, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ .nlmsg_type = AUDIT_TTY_SET, .perm = NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
	{ .nlmsg_type = AUDIT_GET_FEATURE, .perm = NETLINK_AUDIT_SOCKET__NLMSG_READ },
	{ .nlmsg_type = AUDIT_SET_FEATURE, .perm = NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
};
15262306a36Sopenharmony_ci
15362306a36Sopenharmony_ci
/*
 * Find the permission recorded for @nlmsg_type in a permission table.
 *
 * @nlmsg_type: netlink message type to look up
 * @perm:       written with the matching row's permission on success;
 *              left untouched when no row matches
 * @tab:        table to search
 * @tabsize:    size of @tab in bytes (callers pass sizeof() of the array)
 *
 * Returns 0 on a match and -EINVAL when the type has no row, so a message
 * type missing from the table is reported as an error rather than being
 * given a default permission.
 */
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
	const struct nlmsg_perm *row = tab;
	const struct nlmsg_perm *end = tab + tabsize / sizeof(struct nlmsg_perm);

	/* Linear scan; the first row with a matching type wins. */
	while (row < end) {
		if (row->nlmsg_type == nlmsg_type) {
			*perm = row->perm;
			return 0;
		}
		row++;
	}

	return -EINVAL;
}
16862306a36Sopenharmony_ci
/*
 * Map a netlink message type to the SELinux permission for its socket class.
 *
 * @sclass:     security class of the netlink socket
 * @nlmsg_type: netlink message type taken from the message
 * @perm:       written with the permission on success only
 *
 * Returns 0 with *@perm set, -EINVAL when the class is handled but the
 * message type has no table row, and -ENOENT when the class is not handled
 * here. *@perm is not written on either error, so callers must check the
 * return value before using it.
 *
 * The BUILD_BUG_ON() checks only compare the highest message-type constant
 * with the last type the tables were written for; they do not verify that
 * every individual type has a row. The tcpdiag and audit classes have no
 * such build-time check.
 */
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
	switch (sclass) {
	case SECCLASS_NETLINK_ROUTE_SOCKET:
		/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.
		 * If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(RTM_MAX != (RTM_NEWTUNNEL + 3));
		return nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
				  sizeof(nlmsg_route_perms));

	case SECCLASS_NETLINK_TCPDIAG_SOCKET:
		return nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
				  sizeof(nlmsg_tcpdiag_perms));

	case SECCLASS_NETLINK_XFRM_SOCKET:
		/* If the BUILD_BUG_ON() below fails you must update the
		 * structures at the top of this file with the new mappings
		 * before updating the BUILD_BUG_ON() macro!
		 */
		BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_GETDEFAULT);
		return nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
				  sizeof(nlmsg_xfrm_perms));

	case SECCLASS_NETLINK_AUDIT_SOCKET:
		/* Both user-message ranges map to the relay permission
		 * without consulting the table.
		 */
		if (nlmsg_type >= AUDIT_FIRST_USER_MSG &&
		    nlmsg_type <= AUDIT_LAST_USER_MSG) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
			return 0;
		}
		if (nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
		    nlmsg_type <= AUDIT_LAST_USER_MSG2) {
			*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
			return 0;
		}
		return nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
				  sizeof(nlmsg_audit_perms));

	/* No messaging from userspace, or class unknown/unhandled */
	default:
		return -ENOENT;
	}
}