mirror of
https://github.com/armbian/linux.git
synced 2026-01-06 10:13:00 -08:00
6e6d8f546c
Add security hooks to the binder and implement the hooks for SELinux. The security hooks enable security modules such as SELinux to implement controls over binder IPC. The security hooks include support for controlling what process can become the binder context manager (binder_set_context_mgr), controlling the ability of a process to invoke a binder transaction/IPC to another process (binder_transaction), controlling the ability a process to transfer a binder reference to another process (binder_transfer_binder), and controlling the ability of a process to transfer an open file to another process (binder_transfer_file). This support is used by SE Android, http://selinuxproject.org/page/SEAndroid. Change-Id: I9a64a87825df2e60b9c51400377af4a9cd1c4049 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
157 lines
5.5 KiB
C
157 lines
5.5 KiB
C
#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \
|
|
"getattr", "setattr", "lock", "relabelfrom", "relabelto", "append"
|
|
|
|
#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \
|
|
"rename", "execute", "swapon", "quotaon", "mounton", "audit_access", \
|
|
"open", "execmod"
|
|
|
|
#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \
|
|
"listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \
|
|
"sendto", "recv_msg", "send_msg", "name_bind"
|
|
|
|
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
|
|
"write", "associate", "unix_read", "unix_write"
|
|
|
|
/*
|
|
* Note: The name for any socket class should be suffixed by "socket",
|
|
* and doesn't contain more than one substr of "socket".
|
|
*/
|
|
struct security_class_mapping secclass_map[] = {
|
|
{ "security",
|
|
{ "compute_av", "compute_create", "compute_member",
|
|
"check_context", "load_policy", "compute_relabel",
|
|
"compute_user", "setenforce", "setbool", "setsecparam",
|
|
"setcheckreqprot", "read_policy", NULL } },
|
|
{ "process",
|
|
{ "fork", "transition", "sigchld", "sigkill",
|
|
"sigstop", "signull", "signal", "ptrace", "getsched", "setsched",
|
|
"getsession", "getpgid", "setpgid", "getcap", "setcap", "share",
|
|
"getattr", "setexec", "setfscreate", "noatsecure", "siginh",
|
|
"setrlimit", "rlimitinh", "dyntransition", "setcurrent",
|
|
"execmem", "execstack", "execheap", "setkeycreate",
|
|
"setsockcreate", NULL } },
|
|
{ "system",
|
|
{ "ipc_info", "syslog_read", "syslog_mod",
|
|
"syslog_console", "module_request", NULL } },
|
|
{ "capability",
|
|
{ "chown", "dac_override", "dac_read_search",
|
|
"fowner", "fsetid", "kill", "setgid", "setuid", "setpcap",
|
|
"linux_immutable", "net_bind_service", "net_broadcast",
|
|
"net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module",
|
|
"sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin",
|
|
"sys_boot", "sys_nice", "sys_resource", "sys_time",
|
|
"sys_tty_config", "mknod", "lease", "audit_write",
|
|
"audit_control", "setfcap", NULL } },
|
|
{ "filesystem",
|
|
{ "mount", "remount", "unmount", "getattr",
|
|
"relabelfrom", "relabelto", "transition", "associate", "quotamod",
|
|
"quotaget", NULL } },
|
|
{ "file",
|
|
{ COMMON_FILE_PERMS,
|
|
"execute_no_trans", "entrypoint", NULL } },
|
|
{ "dir",
|
|
{ COMMON_FILE_PERMS, "add_name", "remove_name",
|
|
"reparent", "search", "rmdir", NULL } },
|
|
{ "fd", { "use", NULL } },
|
|
{ "lnk_file",
|
|
{ COMMON_FILE_PERMS, NULL } },
|
|
{ "chr_file",
|
|
{ COMMON_FILE_PERMS, NULL } },
|
|
{ "blk_file",
|
|
{ COMMON_FILE_PERMS, NULL } },
|
|
{ "sock_file",
|
|
{ COMMON_FILE_PERMS, NULL } },
|
|
{ "fifo_file",
|
|
{ COMMON_FILE_PERMS, NULL } },
|
|
{ "socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "tcp_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"connectto", "newconn", "acceptfrom", "node_bind", "name_connect",
|
|
NULL } },
|
|
{ "udp_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"node_bind", NULL } },
|
|
{ "rawip_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"node_bind", NULL } },
|
|
{ "node",
|
|
{ "tcp_recv", "tcp_send", "udp_recv", "udp_send",
|
|
"rawip_recv", "rawip_send", "enforce_dest",
|
|
"dccp_recv", "dccp_send", "recvfrom", "sendto", NULL } },
|
|
{ "netif",
|
|
{ "tcp_recv", "tcp_send", "udp_recv", "udp_send",
|
|
"rawip_recv", "rawip_send", "dccp_recv", "dccp_send",
|
|
"ingress", "egress", NULL } },
|
|
{ "netlink_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "packet_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "key_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "unix_stream_socket",
|
|
{ COMMON_SOCK_PERMS, "connectto", "newconn", "acceptfrom", NULL
|
|
} },
|
|
{ "unix_dgram_socket",
|
|
{ COMMON_SOCK_PERMS, NULL
|
|
} },
|
|
{ "sem",
|
|
{ COMMON_IPC_PERMS, NULL } },
|
|
{ "msg", { "send", "receive", NULL } },
|
|
{ "msgq",
|
|
{ COMMON_IPC_PERMS, "enqueue", NULL } },
|
|
{ "shm",
|
|
{ COMMON_IPC_PERMS, "lock", NULL } },
|
|
{ "ipc",
|
|
{ COMMON_IPC_PERMS, NULL } },
|
|
{ "netlink_route_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", NULL } },
|
|
{ "netlink_firewall_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", NULL } },
|
|
{ "netlink_tcpdiag_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", NULL } },
|
|
{ "netlink_nflog_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "netlink_xfrm_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", NULL } },
|
|
{ "netlink_selinux_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "netlink_audit_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
|
|
"nlmsg_tty_audit", NULL } },
|
|
{ "netlink_ip6fw_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"nlmsg_read", "nlmsg_write", NULL } },
|
|
{ "netlink_dnrt_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "association",
|
|
{ "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
|
|
{ "netlink_kobject_uevent_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "appletalk_socket",
|
|
{ COMMON_SOCK_PERMS, NULL } },
|
|
{ "packet",
|
|
{ "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
|
|
{ "key",
|
|
{ "view", "read", "write", "search", "link", "setattr", "create",
|
|
NULL } },
|
|
{ "dccp_socket",
|
|
{ COMMON_SOCK_PERMS,
|
|
"node_bind", "name_connect", NULL } },
|
|
{ "memprotect", { "mmap_zero", NULL } },
|
|
{ "peer", { "recv", NULL } },
|
|
{ "capability2",
|
|
{ "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
|
|
NULL } },
|
|
{ "kernel_service", { "use_as_override", "create_files_as", NULL } },
|
|
{ "tun_socket",
|
|
{ COMMON_SOCK_PERMS, "attach_queue", NULL } },
|
|
{ "binder", { "impersonate", "call", "set_context_mgr", "transfer", NULL } },
|
|
{ NULL }
|
|
};
|