Evolution-X-Devices/kernel_xiaomi_raphael
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10.0
kernel_xiaomi_raphael/security/selinux/nlmsgtab.c
Srinivasarao P 84303e9b45 Merge android-4.14.163 (1cfd841) into msm-4.14 
* refs/heads/tmp-1cfd841:
  Revert "BACKPORT: perf_event: Add support for LSM and SELinux checks"
  Linux 4.14.163
  perf/x86/intel/bts: Fix the use of page_private()
  xen/blkback: Avoid unmapping unmapped grant pages
  s390/smp: fix physical to logical CPU map for SMT
  net: add annotations on hh->hh_len lockless accesses
  arm64: dts: meson: odroid-c2: Disable usb_otg bus to avoid power failed warning
  ath9k_htc: Discard undersized packets
  ath9k_htc: Modify byte order for an error message
  rxrpc: Fix possible NULL pointer access in ICMP handling
  selftests: rtnetlink: add addresses with fixed life time
  powerpc/pseries/hvconsole: Fix stack overread via udbg
  drm/mst: Fix MST sideband up-reply failure handling
  scsi: qedf: Do not retry ELS request if qedf_alloc_cmd fails
  fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP
  tty: serial: msm_serial: Fix lockup for sysrq and oops
  dt-bindings: clock: renesas: rcar-usb2-clock-sel: Fix typo in example
  media: usb: fix memory leak in af9005_identify_state
  regulator: ab8500: Remove AB8505 USB regulator
  media: flexcop-usb: ensure -EIO is returned on error condition
  Bluetooth: Fix memory leak in hci_connect_le_scan
  Bluetooth: delete a stray unlock
  Bluetooth: btusb: fix PM leak in error case of setup
  platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table
  xfs: don't check for AG deadlock for realtime files in bunmapi
  scsi: qla2xxx: Drop superfluous INIT_WORK of del_work
  nfsd4: fix up replay_matches_cache()
  PM / devfreq: Check NULL governor in available_governors_show
  arm64: Revert support for execute-only user mappings
  ftrace: Avoid potential division by zero in function profiler
  exit: panic before exit_mm() on global init exit
  ALSA: firewire-motu: Correct a typo in the clock proc string
  ALSA: cs4236: fix error return comparison of an unsigned integer
  tracing: Have the histogram compare functions convert to u64 first
  tracing: Fix lock inversion in trace_event_enable_tgid_record()
  gpiolib: fix up emulated open drain outputs
  ata: ahci_brcm: Fix AHCI resources management
  ata: ahci_brcm: Allow optional reset controller to be used
  ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys()
  compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE
  compat_ioctl: block: handle Persistent Reservations
  dmaengine: Fix access to uninitialized dma_slave_caps
  locks: print unsigned ino in /proc/locks
  pstore/ram: Write new dumps to start of recycled zones
  memcg: account security cred as well to kmemcg
  mm/zsmalloc.c: fix the migrated zspage statistics.
  media: cec: avoid decrementing transmit_queue_sz if it is 0
  media: cec: CEC 2.0-only bcast messages were ignored
  media: pulse8-cec: fix lost cec_transmit_attempt_done() call
  MIPS: Avoid VDSO ABI breakage due to global register variable
  drm/sun4i: hdmi: Remove duplicate cleanup calls
  ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
  drm: limit to INT_MAX in create_blob ioctl
  taskstats: fix data-race
  xfs: fix mount failure crash on invalid iclog memory access
  PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
  xen/balloon: fix ballooned page accounting without hotplug enabled
  xen-blkback: prevent premature module unload
  IB/mlx4: Follow mirror sequence of device add during device removal
  s390/cpum_sf: Avoid SBD overflow condition in irq handler
  s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
  md: raid1: check rdev before reference in raid1_sync_request func
  net: make socket read/write_iter() honor IOCB_NOWAIT
  usb: gadget: fix wrong endpoint desc
  drm/nouveau: Move the declaration of struct nouveau_conn_atom up a bit
  scsi: libsas: stop discovering if oob mode is disconnected
  scsi: iscsi: qla4xxx: fix double free in probe
  scsi: qla2xxx: Don't call qlt_async_event twice
  scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
  rxe: correctly calculate iCRC for unaligned payloads
  RDMA/cma: add missed unregister_pernet_subsys in init failure
  PM / devfreq: Don't fail devfreq_dev_release if not in list
  iio: adc: max9611: Fix too short conversion time delay
  nvme_fc: add module to ops template to allow module references
  UPSTREAM: selinux: sidtab reverse lookup hash table
  UPSTREAM: selinux: avoid atomic_t usage in sidtab
  UPSTREAM: selinux: check sidtab limit before adding a new entry
  UPSTREAM: selinux: fix context string corruption in convert_context()
  BACKPORT: selinux: overhaul sidtab to fix bug and improve performance
  UPSTREAM: selinux: refactor mls_context_to_sid() and make it stricter
  UPSTREAM: selinux: Cleanup printk logging in services
  UPSTREAM: scsi: ilog2: create truly constant version for sparse
  BACKPORT: selinux: use separate table for initial SID lookup
  UPSTREAM: selinux: make "selinux_policycap_names[]" const char *
  UPSTREAM: selinux: refactor sidtab conversion
  BACKPORT: selinux: wrap AVC state
  UPSTREAM: selinux: wrap selinuxfs state
  UPSTREAM: selinux: rename the {is,set}_enforcing() functions
  BACKPORT: selinux: wrap global selinux state
  UPSTREAM: selinux: Use kmem_cache for hashtab_node
  BACKPORT: perf_event: Add support for LSM and SELinux checks
  UPSTREAM: binder: Add binder_proc logging to binderfs
  UPSTREAM: binder: Make transaction_log available in binderfs
  UPSTREAM: binder: Add stats, state and transactions files
  UPSTREAM: binder: add a mount option to show global stats
  UPSTREAM: binder: Validate the default binderfs device names.
  UPSTREAM: binder: Add default binder devices through binderfs when configured
  UPSTREAM: binder: fix CONFIG_ANDROID_BINDER_DEVICES
  UPSTREAM: android: binder: use kstrdup instead of open-coding it
  UPSTREAM: binderfs: remove separate device_initcall()
  BACKPORT: binderfs: respect limit on binder control creation
  UPSTREAM: binderfs: switch from d_add() to d_instantiate()
  UPSTREAM: binderfs: drop lock in binderfs_binder_ctl_create
  UPSTREAM: binderfs: kill_litter_super() before cleanup
  UPSTREAM: binderfs: rework binderfs_binder_device_create()
  UPSTREAM: binderfs: rework binderfs_fill_super()
  UPSTREAM: binderfs: prevent renaming the control dentry
  UPSTREAM: binderfs: remove outdated comment
  UPSTREAM: binderfs: fix error return code in binderfs_fill_super()
  UPSTREAM: binderfs: handle !CONFIG_IPC_NS builds
  BACKPORT: binderfs: reserve devices for initial mount
  UPSTREAM: binderfs: rename header to binderfs.h
  BACKPORT: binderfs: implement "max" mount option
  UPSTREAM: binderfs: make each binderfs mount a new instance
  UPSTREAM: binderfs: remove wrong kern_mount() call
  BACKPORT: binder: implement binderfs
  UPSTREAM: binder: remove BINDER_DEBUG_ENTRY()
  UPSTREAM: seq_file: Introduce DEFINE_SHOW_ATTRIBUTE() helper macro
  UPSTREAM: exit: panic before exit_mm() on global init exit

 Conflicts:
	drivers/gpu/drm/drm_property.c
	security/selinux/avc.c
	security/selinux/hooks.c
	security/selinux/include/security.h
	security/selinux/ss/services.c

 Changed below files to fix build errors:
	gen_headers_arm64.bp
	gen_headers_arm.bp

Change-Id: Ie7e5cd66a03cfaa765a491598302b8f073ac159c
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2020-05-15 16:04:08 +05:30

222 lines
8.1 KiB
C
Raw Permalink Blame History

/*
* Netlink message type permission tables, for user generated messages.
*
* Author: James Morris <jmorris@redhat.com>
*
* Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
* as published by the Free Software Foundation.
*/
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if.h>
#include <linux/inet_diag.h>
#include <linux/xfrm.h>
#include <linux/audit.h>
#include <linux/sock_diag.h>
#include "flask.h"
#include "av_permissions.h"
#include "security.h"
struct nlmsg_perm {
u16 nlmsg_type;
u32 perm;
};
static struct nlmsg_perm nlmsg_route_perms[] =
{
{ RTM_NEWLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETLINK, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_SETLINK, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_NEWADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELADDR, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETADDR, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELROUTE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETROUTE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETNEIGH, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELRULE, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETRULE, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELQDISC, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETQDISC, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETTCLASS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETTFILTER, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELACTION, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETACTION, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWPREFIX, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETMULTICAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETANYCAST, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_SETNEIGHTBL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_NEWADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETADDRLABEL, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETDCB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_SETDCB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_NEWNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETNETCONF, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELMDB, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_GETMDB, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWNSID, NETLINK_ROUTE_SOCKET__NLMSG_WRITE },
{ RTM_DELNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETNSID, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_GETSTATS, NETLINK_ROUTE_SOCKET__NLMSG_READ },
{ RTM_NEWCACHEREPORT, NETLINK_ROUTE_SOCKET__NLMSG_READ },
};
static const struct nlmsg_perm nlmsg_tcpdiag_perms[] =
{
{ TCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
{ DCCPDIAG_GETSOCK, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
{ SOCK_DIAG_BY_FAMILY, NETLINK_TCPDIAG_SOCKET__NLMSG_READ },
{ SOCK_DESTROY, NETLINK_TCPDIAG_SOCKET__NLMSG_WRITE },
};
static const struct nlmsg_perm nlmsg_xfrm_perms[] =
{
{ XFRM_MSG_NEWSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_DELSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETSA, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_DELPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETPOLICY, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_ALLOCSPI, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_ACQUIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_EXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_UPDPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_UPDSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_POLEXPIRE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_FLUSHSA, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_FLUSHPOLICY, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWAE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETAE, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_REPORT, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_MIGRATE, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_NEWSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_GETSADINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_NEWSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_WRITE },
{ XFRM_MSG_GETSPDINFO, NETLINK_XFRM_SOCKET__NLMSG_READ },
{ XFRM_MSG_MAPPING, NETLINK_XFRM_SOCKET__NLMSG_READ },
};
static const struct nlmsg_perm nlmsg_audit_perms[] =
{
{ AUDIT_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_SET, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_LIST, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
{ AUDIT_ADD, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_DEL, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_LIST_RULES, NETLINK_AUDIT_SOCKET__NLMSG_READPRIV },
{ AUDIT_ADD_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY },
{ AUDIT_SIGNAL_INFO, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
{ AUDIT_TTY_GET, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_TTY_SET, NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
{ AUDIT_GET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_SET_FEATURE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE },
};
static int nlmsg_perm(u16 nlmsg_type, u32 *perm, const struct nlmsg_perm *tab, size_t tabsize)
{
int i, err = -EINVAL;
for (i = 0; i < tabsize/sizeof(struct nlmsg_perm); i++)
if (nlmsg_type == tab[i].nlmsg_type) {
*perm = tab[i].perm;
err = 0;
break;
}
return err;
}
int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
int err = 0;
switch (sclass) {
case SECCLASS_NETLINK_ROUTE_SOCKET:
/* RTM_MAX always point to RTM_SETxxxx, ie RTM_NEWxxx + 3 */
BUILD_BUG_ON(RTM_MAX != (RTM_NEWCACHEREPORT + 3));
err = nlmsg_perm(nlmsg_type, perm, nlmsg_route_perms,
sizeof(nlmsg_route_perms));
break;
case SECCLASS_NETLINK_TCPDIAG_SOCKET:
err = nlmsg_perm(nlmsg_type, perm, nlmsg_tcpdiag_perms,
sizeof(nlmsg_tcpdiag_perms));
break;
case SECCLASS_NETLINK_XFRM_SOCKET:
BUILD_BUG_ON(XFRM_MSG_MAX != XFRM_MSG_MAPPING);
err = nlmsg_perm(nlmsg_type, perm, nlmsg_xfrm_perms,
sizeof(nlmsg_xfrm_perms));
break;
case SECCLASS_NETLINK_AUDIT_SOCKET:
if ((nlmsg_type >= AUDIT_FIRST_USER_MSG &&
nlmsg_type <= AUDIT_LAST_USER_MSG) ||
(nlmsg_type >= AUDIT_FIRST_USER_MSG2 &&
nlmsg_type <= AUDIT_LAST_USER_MSG2)) {
*perm = NETLINK_AUDIT_SOCKET__NLMSG_RELAY;
} else {
err = nlmsg_perm(nlmsg_type, perm, nlmsg_audit_perms,
sizeof(nlmsg_audit_perms));
}
break;
/* No messaging from userspace, or class unknown/unhandled */
default:
err = -ENOENT;
break;
}
return err;
}
static void nlmsg_set_getlink_perm(u32 perm)
{
int i;
for (i = 0; i < ARRAY_SIZE(nlmsg_route_perms); i++) {
if (nlmsg_route_perms[i].nlmsg_type == RTM_GETLINK) {
nlmsg_route_perms[i].perm = perm;
break;
}
}
}
/**
* Use nlmsg_readpriv as the permission for RTM_GETLINK messages if the
* netlink_route_getlink policy capability is set. Otherwise use nlmsg_read.
*/
void selinux_nlmsg_init(void)
{
if (selinux_android_nlroute_getlink())
nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READPRIV);
else
nlmsg_set_getlink_perm(NETLINK_ROUTE_SOCKET__NLMSG_READ);
}
Reference in New Issue View Git Blame Copy Permalink