selinux/kernel_permissions.rs
1// Copyright 2024 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use strum::VariantArray as _;
6use strum_macros::VariantArray;
7
8/// Declares an `enum` with a `name()` method that returns the name for the given variant.
9macro_rules! named_enum {
10 ($(#[$meta:meta])* $name:ident {
11 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
12 }) => {
13 $(#[$meta])*
14 pub enum $name {
15 $($(#[$variant_meta])* $variant,)*
16 }
17
18 impl $name {
19 pub fn name(&self) -> &'static str {
20 match self {
21 $($name::$variant => $variant_name,)*
22 }
23 }
24 }
25 }
26}
27
28/// Declares an `enum` with the specified subset of values from an existing enum.
29macro_rules! subset_enum {
30 ($(#[$meta:meta])* $name:ident from $existing_enum:ident {
31 $($(#[$variant_meta:meta])* $variant:ident,)*
32 }) => {
33 $(#[$meta])*
34 pub enum $name {
35 $($(#[$variant_meta])* $variant = $existing_enum::$variant as isize,)*
36 }
37
38 impl From<$name> for $existing_enum {
39 fn from(other: $name) -> Self {
40 match other {
41 $($name::$variant => Self::$variant,)*
42 }
43 }
44 }
45 }
46}
47
48named_enum! {
49 /// A well-known class in SELinux policy that has a particular meaning in policy enforcement
50 /// hooks.
51 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, VariantArray)]
52 KernelClass {
53 // keep-sorted start
54 /// The SELinux "anon_inode" object class.
55 AnonFsNode("anon_inode"),
56 /// The SELinux "binder" object class.
57 Binder("binder"),
58 /// The SELinux "blk_file" object class.
59 Block("blk_file"),
60 /// The SELinux "bpf" object class.
61 Bpf("bpf"),
62 /// The SELinux "capability" object class.
63 Capability("capability"),
64 /// The SELinux "capability2" object class.
65 Capability2("capability2"),
66 /// The SELinux "chr_file" object class.
67 Character("chr_file"),
68 /// The SELinux "dir" object class.
69 Dir("dir"),
70 /// The SELinux "fd" object class.
71 Fd("fd"),
72 /// The SELinux "fifo_file" object class.
73 Fifo("fifo_file"),
74 /// The SELinux "file" object class.
75 File("file"),
76 /// The SELinux "filesystem" object class.
77 FileSystem("filesystem"),
78 /// "icmp_socket" class enabled via the "extended_socket_class" policy capability.
79 IcmpSocket("icmp_socket"),
80 /// The SELinux "key_socket" object class.
81 KeySocket("key_socket"),
82 /// The SELinux "lnk_file" object class.
83 Link("lnk_file"),
84 /// The SELinux "memfd_file" object class.
85 MemFdFile("memfd_file"),
86 /// The SELinux "netlink_audit_socket" object class.
87 NetlinkAuditSocket("netlink_audit_socket"),
88 /// The SELinux "netlink_connector_socket" object class.
89 NetlinkConnectorSocket("netlink_connector_socket"),
90 /// The SELinux "netlink_crypto_socket" object class.
91 NetlinkCryptoSocket("netlink_crypto_socket"),
92 /// The SELinux "netlink_dnrt_socket" object class.
93 NetlinkDnrtSocket("netlink_dnrt_socket"),
94 /// The SELinux "netlink_fib_lookup_socket" object class.
95 NetlinkFibLookupSocket("netlink_fib_lookup_socket"),
96 /// The SELinux "netlink_firewall_socket" object class.
97 NetlinkFirewallSocket("netlink_firewall_socket"),
98 /// The SELinux "netlink_generic_socket" object class.
99 NetlinkGenericSocket("netlink_generic_socket"),
100 /// The SELinux "netlink_ip6fw_socket" object class.
101 NetlinkIp6FwSocket("netlink_ip6fw_socket"),
102 /// The SELinux "netlink_iscsi_socket" object class.
103 NetlinkIscsiSocket("netlink_iscsi_socket"),
104 /// The SELinux "netlink_kobject_uevent_socket" object class.
105 NetlinkKobjectUeventSocket("netlink_kobject_uevent_socket"),
106 /// The SELinux "netlink_netfilter_socket" object class.
107 NetlinkNetfilterSocket("netlink_netfilter_socket"),
108 /// The SELinux "netlink_nflog_socket" object class.
109 NetlinkNflogSocket("netlink_nflog_socket"),
110 /// The SELinux "netlink_rdma_socket" object class.
111 NetlinkRdmaSocket("netlink_rdma_socket"),
112 /// The SELinux "netlink_route_socket" object class.
113 NetlinkRouteSocket("netlink_route_socket"),
114 /// The SELinux "netlink_scsitransport_socket" object class.
115 NetlinkScsitransportSocket("netlink_scsitransport_socket"),
116 /// The SELinux "netlink_selinux_socket" object class.
117 NetlinkSelinuxSocket("netlink_selinux_socket"),
118 /// The SELinux "netlink_socket" object class.
119 NetlinkSocket("netlink_socket"),
120 /// The SELinux "netlink_tcpdiag_socket" object class.
121 NetlinkTcpDiagSocket("netlink_tcpdiag_socket"),
122 /// The SELinux "netlink_xfrm_socket" object class.
123 NetlinkXfrmSocket("netlink_xfrm_socket"),
124 /// The SELinux "packet_socket" object class.
125 PacketSocket("packet_socket"),
126 /// The SELinux "perf_event" object class.
127 PerfEvent("perf_event"),
128 /// The SELinux "process" object class.
129 Process("process"),
130 /// The SELinux "process2" object class.
131 Process2("process2"),
132 /// The SELinux "qipcrtr_socket" object class.
133 QipcrtrSocket("qipcrtr_socket"),
134 /// The SELinux "rawip_socket" object class.
135 RawIpSocket("rawip_socket"),
136 /// "sctp_socket" class enabled via the "extended_socket_class" policy capability.
137 SctpSocket("sctp_socket"),
138 /// The SELinux "security" object class.
139 Security("security"),
140 /// The SELinux "sock_file" object class.
141 SockFile("sock_file"),
142 /// The SELinux "socket" object class.
143 Socket("socket"),
144 /// The SELinux "system" object class.
145 System("system"),
146 /// The SELinux "tcp_socket" object class.
147 TcpSocket("tcp_socket"),
148 /// The SELinux "tun_socket" object class.
149 TunSocket("tun_socket"),
150 /// The SELinux "udp_socket" object class.
151 UdpSocket("udp_socket"),
152 /// The SELinux "unix_dgram_socket" object class.
153 UnixDgramSocket("unix_dgram_socket"),
154 /// The SELinux "unix_stream_socket" object class.
155 UnixStreamSocket("unix_stream_socket"),
156 /// "vsock_socket" class enabled via the "extended_socket_class" policy capability.
157 VsockSocket("vsock_socket"),
158 // keep-sorted end
159 }
160}
161
162impl From<FsNodeClass> for KernelClass {
163 fn from(class: FsNodeClass) -> Self {
164 match class {
165 FsNodeClass::File(file_class) => file_class.into(),
166 FsNodeClass::Socket(sock_class) => sock_class.into(),
167 }
168 }
169}
170
171pub trait ForClass<T> {
172 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
173 /// This is used to allow hooks to resolve e.g. common "sys_nice" permission access based on the
174 /// "allow" rules for the correct target object class.
175 fn for_class(&self, class: T) -> KernelPermission;
176}
177
178subset_enum! {
179 /// Covers the set of classes that inherit from the common "cap" symbol (e.g. "capability" for
180 /// now and "cap_userns" after Starnix gains user namespacing support).
181 #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
182 CapClass from KernelClass {
183 // keep-sorted start
184 /// The SELinux "capability" object class.
185 Capability,
186 // keep-sorted end
187 }
188}
189
190subset_enum! {
191 /// Covers the set of classes that inherit from the common "cap2" symbol (e.g. "capability2" for
192 /// now and "cap2_userns" after Starnix gains user namespacing support).
193 #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
194 Cap2Class from KernelClass {
195 // keep-sorted start
196 /// The SELinux "capability2" object class.
197 Capability2,
198 // keep-sorted end
199 }
200}
201
202subset_enum! {
203 /// A well-known file-like class in SELinux policy that has a particular meaning in policy
204 /// enforcement hooks.
205 #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
206 FileClass from KernelClass {
207 // keep-sorted start
208 /// The SELinux "anon_inode" object class.
209 AnonFsNode,
210 /// The SELinux "blk_file" object class.
211 Block,
212 /// The SELinux "chr_file" object class.
213 Character,
214 /// The SELinux "dir" object class.
215 Dir,
216 /// The SELinux "fifo_file" object class.
217 Fifo,
218 /// The SELinux "file" object class.
219 File,
220 /// The SELinux "lnk_file" object class.
221 Link,
222 /// The SELinux "memfd_file" object class.
223 MemFdFile,
224 /// The SELinux "sock_file" object class.
225 SockFile,
226 // keep-sorted end
227 }
228}
229
230subset_enum! {
231 /// Distinguishes socket-like kernel object classes defined in SELinux policy.
232 #[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
233 SocketClass from KernelClass {
234 // keep-sorted start
235 IcmpSocket,
236 KeySocket,
237 NetlinkAuditSocket,
238 NetlinkConnectorSocket,
239 NetlinkCryptoSocket,
240 NetlinkDnrtSocket,
241 NetlinkFibLookupSocket,
242 NetlinkFirewallSocket,
243 NetlinkGenericSocket,
244 NetlinkIp6FwSocket,
245 NetlinkIscsiSocket,
246 NetlinkKobjectUeventSocket,
247 NetlinkNetfilterSocket,
248 NetlinkNflogSocket,
249 NetlinkRdmaSocket,
250 NetlinkRouteSocket,
251 NetlinkScsitransportSocket,
252 NetlinkSelinuxSocket,
253 NetlinkSocket,
254 NetlinkTcpDiagSocket,
255 NetlinkXfrmSocket,
256 PacketSocket,
257 QipcrtrSocket,
258 RawIpSocket,
259 SctpSocket,
260 /// Generic socket class applied to all socket-like objects for which no more specific
261 /// class is defined.
262 Socket,
263 TcpSocket,
264 TunSocket,
265 UdpSocket,
266 UnixDgramSocket,
267 UnixStreamSocket,
268 VsockSocket,
269 // keep-sorted end
270 }
271}
272
273/// Container for a security class that could be associated with a [`crate::vfs::FsNode`], to allow
274/// permissions common to both file-like and socket-like classes to be generated easily by hooks.
275#[derive(Copy, Clone, Debug, Eq, Hash, PartialEq)]
276pub enum FsNodeClass {
277 File(FileClass),
278 Socket(SocketClass),
279}
280
281impl From<FileClass> for FsNodeClass {
282 fn from(file_class: FileClass) -> Self {
283 FsNodeClass::File(file_class)
284 }
285}
286
287impl From<SocketClass> for FsNodeClass {
288 fn from(sock_class: SocketClass) -> Self {
289 FsNodeClass::Socket(sock_class)
290 }
291}
292
293pub trait ClassPermission {
294 fn class(&self) -> KernelClass;
295 fn id(&self) -> u8;
296}
297
298macro_rules! permission_enum {
299 ($(#[$meta:meta])* $name:ident {
300 $($(#[$variant_meta:meta])* $variant:ident($inner:ident)),*,
301 }) => {
302 $(#[$meta])*
303 pub enum $name {
304 $($(#[$variant_meta])* $variant($inner)),*
305 }
306
307 $(impl From<$inner> for $name {
308 fn from(v: $inner) -> Self {
309 Self::$variant(v)
310 }
311 })*
312
313 impl ClassPermission for $name {
314 fn class(&self) -> KernelClass {
315 match self {
316 $($name::$variant(_) => KernelClass::$variant),*
317 }
318 }
319 fn id(&self) -> u8 {
320 match self {
321 $($name::$variant(v) => v.id()),*
322 }
323 }
324 }
325
326 impl $name {
327 pub fn name(&self) -> &'static str {
328 match self {
329 $($name::$variant(v) => v.name()),*
330 }
331 }
332
333 pub fn all_variants() -> impl Iterator<Item=Self> {
334 let iter = [].iter().map(Clone::clone);
335 $(let variant_iter = $inner::VARIANTS.iter().map(Clone::clone).map($name::from);
336 let iter = iter.chain(variant_iter);)*
337 iter
338 }
339 }
340 }
341}
342
343permission_enum! {
344 /// A well-known `(class, permission)` pair in SELinux policy that has a particular meaning in
345 /// policy enforcement hooks.
346 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq)]
347 KernelPermission {
348 // keep-sorted start
349 /// Permissions for the well-known SELinux "anon_inode" file-like object class.
350 AnonFsNode(AnonFsNodePermission),
351 /// Permissions for the well-known SELinux "binder" file-like object class.
352 Binder(BinderPermission),
353 /// Permissions for the well-known SELinux "blk_file" file-like object class.
354 Block(BlockFilePermission),
355 /// Permissions for the well-known SELinux "bpf" file-like object class.
356 Bpf(BpfPermission),
357 /// Permissions for the well-known SELinux "capability" object class.
358 Capability(CapabilityPermission),
359 /// Permissions for the well-known SELinux "capability2" object class.
360 Capability2(Capability2Permission),
361 /// Permissions for the well-known SELinux "chr_file" file-like object class.
362 Character(CharacterFilePermission),
363 /// Permissions for the well-known SELinux "dir" file-like object class.
364 Dir(DirPermission),
365 /// Permissions for the well-known SELinux "fd" object class.
366 Fd(FdPermission),
367 /// Permissions for the well-known SELinux "fifo_file" file-like object class.
368 Fifo(FifoFilePermission),
369 /// Permissions for the well-known SELinux "file" object class.
370 File(FilePermission),
371 /// Permissions for the well-known SELinux "filesystem" object class.
372 FileSystem(FileSystemPermission),
373 /// "icmp_socket" class permissions, enabled by "extended_socket_class" policy capability.
374 IcmpSocket(IcmpSocketPermission),
375 /// Permissions for the well-known SELinux "packet_socket" object class.
376 KeySocket(KeySocketPermission),
377 /// Permissions for the well-known SELinux "lnk_file" file-like object class.
378 Link(LinkFilePermission),
379 /// Permissions for the well-known SELinux "memfd_file" file-like object class.
380 MemFdFile(MemFdFilePermission),
381 /// Permissions for the well-known SELinux "netlink_audit_socket" file-like object class.
382 NetlinkAuditSocket(NetlinkAuditSocketPermission),
383 /// Permissions for the well-known SELinux "netlink_connector_socket" file-like object class.
384 NetlinkConnectorSocket(NetlinkConnectorSocketPermission),
385 /// Permissions for the well-known SELinux "netlink_crypto_socket" file-like object class.
386 NetlinkCryptoSocket(NetlinkCryptoSocketPermission),
387 /// Permissions for the well-known SELinux "netlink_dnrt_socket" file-like object class.
388 NetlinkDnrtSocket(NetlinkDnrtSocketPermission),
389 /// Permissions for the well-known SELinux "netlink_fib_lookup_socket" file-like object class.
390 NetlinkFibLookupSocket(NetlinkFibLookupSocketPermission),
391 /// Permissions for the well-known SELinux "netlink_firewall_socket" file-like object class.
392 NetlinkFirewallSocket(NetlinkFirewallSocketPermission),
393 /// Permissions for the well-known SELinux "netlink_generic_socket" file-like object class.
394 NetlinkGenericSocket(NetlinkGenericSocketPermission),
395 /// Permissions for the well-known SELinux "netlink_ip6fw_socket" file-like object class.
396 NetlinkIp6FwSocket(NetlinkIp6FwSocketPermission),
397 /// Permissions for the well-known SELinux "netlink_iscsi_socket" file-like object class.
398 NetlinkIscsiSocket(NetlinkIscsiSocketPermission),
399 /// Permissions for the well-known SELinux "netlink_kobject_uevent_socket" file-like object class.
400 NetlinkKobjectUeventSocket(NetlinkKobjectUeventSocketPermission),
401 /// Permissions for the well-known SELinux "netlink_netfilter_socket" file-like object class.
402 NetlinkNetfilterSocket(NetlinkNetfilterSocketPermission),
403 /// Permissions for the well-known SELinux "netlink_nflog_socket" file-like object class.
404 NetlinkNflogSocket(NetlinkNflogSocketPermission),
405 /// Permissions for the well-known SELinux "netlink_rdma_socket" file-like object class.
406 NetlinkRdmaSocket(NetlinkRdmaSocketPermission),
407 /// Permissions for the well-known SELinux "netlink_route_socket" file-like object class.
408 NetlinkRouteSocket(NetlinkRouteSocketPermission),
409 /// Permissions for the well-known SELinux "netlink_scsitransport_socket" file-like object class.
410 NetlinkScsitransportSocket(NetlinkScsitransportSocketPermission),
411 /// Permissions for the well-known SELinux "netlink_selinux_socket" file-like object class.
412 NetlinkSelinuxSocket(NetlinkSelinuxSocketPermission),
413 /// Permissions for the well-known SELinux "netlink_socket" file-like object class.
414 NetlinkSocket(NetlinkSocketPermission),
415 /// Permissions for the well-known SELinux "netlink_tcpdiag_socket" file-like object class.
416 NetlinkTcpDiagSocket(NetlinkTcpDiagSocketPermission),
417 /// Permissions for the well-known SELinux "netlink_xfrm_socket" file-like object class.
418 NetlinkXfrmSocket(NetlinkXfrmSocketPermission),
419 /// Permissions for the well-known SELinux "packet_socket" object class.
420 PacketSocket(PacketSocketPermission),
421 /// Permissions for the well-known SELinux "perf_event" object class.
422 PerfEvent(PerfEventPermission),
423 /// Permissions for the well-known SELinux "process" object class.
424 Process(ProcessPermission),
425 /// Permissions for the well-known SELinux "process2" object class.
426 Process2(Process2Permission),
427 /// Permissions for the well-known SELinux "qipcrtr_socket" object class.
428 QipcrtrSocket(QipcrtrSocketPermission),
429 /// Permissions for the well-known SELinux "rawip_socket" object class.
430 RawIpSocket(RawIpSocketPermission),
431 /// "sctp_socket" class permissions, enabled by "extended_socket_class" policy capability.
432 SctpSocket(SctpSocketPermission),
433 /// Permissions for access to parts of the "selinuxfs" used to administer and query SELinux.
434 Security(SecurityPermission),
435 /// Permissions for the well-known SELinux "sock_file" file-like object class.
436 SockFile(SockFilePermission),
437 /// Permissions for the well-known SELinux "socket" object class.
438 Socket(SocketPermission),
439 /// Permissions for the well-known SELinux "system" object class.
440 System(SystemPermission),
441 /// Permissions for the well-known SELinux "tcp_socket" object class.
442 TcpSocket(TcpSocketPermission),
443 /// Permissions for the well-known SELinux "tun_socket" object class.
444 TunSocket(TunSocketPermission),
445 /// Permissions for the well-known SELinux "udp_socket" object class.
446 UdpSocket(UdpSocketPermission),
447 /// Permissions for the well-known SELinux "unix_dgram_socket" object class.
448 UnixDgramSocket(UnixDgramSocketPermission),
449 /// Permissions for the well-known SELinux "unix_stream_socket" object class.
450 UnixStreamSocket(UnixStreamSocketPermission),
451 /// "vsock_socket" class permissions, enabled by "extended_socket_class" policy capability.
452 VsockSocket(VsockSocketPermission),
453 // keep-sorted end
454 }
455}
456
457impl<T: Into<KernelClass>> ForClass<T> for KernelPermission {
458 fn for_class(&self, class: T) -> KernelPermission {
459 assert_eq!(self.class(), class.into());
460 *self
461 }
462}
463
464/// Helper used to declare the set of named permissions associated with an SELinux class.
465/// The `ClassType` trait is implemented on the declared `enum`, enabling values to be wrapped into
466/// the generic `KernelPermission` container.
467/// If an "extends" type is specified then a `Common` enum case is added, encapsulating the values
468/// of that underlying permission type. This is used to represent e.g. SELinux "dir" class deriving
469/// a basic set of permissions from the common "file" symbol.
470macro_rules! class_permission_enum {
471 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
472 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
473 }) => {
474 named_enum! {
475 #[derive(Clone, Copy, Debug, Eq, Hash, PartialEq, VariantArray)]
476 #[repr(u8)]
477 $(#[$meta])* $name {
478 $($(#[$variant_meta])* $variant ($variant_name),)*
479 }
480 }
481
482 $(impl ClassPermission for $name {
483 fn class(&self) -> KernelClass {
484 KernelClass::$kernel_class
485 }
486 fn id(&self) -> u8 {
487 *self as u8
488 }
489 })?
490 }
491}
492
493/// Permissions common to all cap-like object classes (e.g. "capability" for now and
494/// "cap_userns" after Starnix gains user namespacing support). These are combined with a
495/// specific `CapabilityClass` by policy enforcement hooks, to obtain class-affine permission
496/// values to check.
497macro_rules! cap_class_permission_enum {
498 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
499 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
500 }) => {
501 class_permission_enum! {
502 $(#[$meta])* $ name $(for $kernel_class)? {
503 // keep-sorted start
504
505 AuditControl("audit_control"),
506 AuditWrite("audit_write"),
507 Chown("chown"),
508 DacOverride("dac_override"),
509 DacReadSearch("dac_read_search"),
510 Fowner("fowner"),
511 Fsetid("fsetid"),
512 IpcLock("ipc_lock"),
513 IpcOwner("ipc_owner"),
514 Kill("kill"),
515 Lease("lease"),
516 LinuxImmutable("linux_immutable"),
517 Mknod("mknod"),
518 NetAdmin("net_admin"),
519 NetBindService("net_bind_service"),
520 NetBroadcast("net_broadcast"),
521 NetRaw("net_raw"),
522 Setfcap("setfcap"),
523 Setgid("setgid"),
524 Setpcap("setpcap"),
525 Setuid("setuid"),
526 SysAdmin("sys_admin"),
527 SysBoot("sys_boot"),
528 SysChroot("sys_chroot"),
529 SysModule("sys_module"),
530 SysNice("sys_nice"),
531 SysPacct("sys_pacct"),
532 SysPtrace("sys_ptrace"),
533 SysRawio("sys_rawio"),
534 SysResource("sys_resource"),
535 SysTime("sys_time"),
536 SysTtyConfig("sys_tty_config"),
537
538 // keep-sorted end
539
540 // Additional permissions specific to the derived class.
541 $($(#[$variant_meta])* $variant ($variant_name),)*
542 }
543 }
544 }
545}
546
547cap_class_permission_enum! {
548 CapabilityPermission for Capability {}
549}
550
551cap_class_permission_enum! {
552 CommonCapPermission {}
553}
554
555impl ForClass<CapClass> for CommonCapPermission {
556 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
557 /// This is used to allow hooks to resolve e.g. common "sys_nice" permission access based on the
558 /// "allow" rules for the correct target object class.
559 fn for_class(&self, class: CapClass) -> KernelPermission {
560 match class {
561 CapClass::Capability => CapabilityPermission::from(*self).into(),
562 }
563 }
564}
565
566impl From<CommonCapPermission> for CapabilityPermission {
567 fn from(other: CommonCapPermission) -> Self {
568 // SAFETY: CapabilityPermission's values include all of CommonCapPermission.
569 unsafe { std::mem::transmute(other) }
570 }
571}
572
573/// Permissions common to all cap2-like object classes (e.g. "capability2" for now and
574/// "cap2_userns" after Starnix gains user namespacing support). These are combined with a
575/// specific `Capability2Class` by policy enforcement hooks, to obtain class-affine permission
576/// values to check.
577macro_rules! cap2_class_permission_enum {
578 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
579 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
580 }) => {
581 class_permission_enum! {
582 $(#[$meta])* $ name $(for $kernel_class)? {
583 // keep-sorted start
584
585 AuditRead("audit_read"),
586 BlockSuspend("block_suspend"),
587 Bpf("bpf"),
588 MacAdmin("mac_admin"),
589 MacOverride("mac_override"),
590 Perfmon("perfmon"),
591 Syslog("syslog"),
592 WakeAlarm("wake_alarm"),
593
594 // keep-sorted end
595
596 // Additional permissions specific to the derived class.
597 $($(#[$variant_meta])* $variant ($variant_name),)*
598 }
599 }
600 }
601}
602
603cap2_class_permission_enum! {
604 /// Permissions for the kernel "capability" class.
605 Capability2Permission for Capability2 {}
606}
607
608cap2_class_permission_enum! {
609 /// Common symbol inherited by "capability2" and "capuser2" classes.
610 CommonCap2Permission {}
611}
612
613impl ForClass<Cap2Class> for CommonCap2Permission {
614 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
615 /// This is used to allow hooks to resolve e.g. common "mac_admin" permission access based on
616 /// the "allow" rules for the correct target object class.
617 fn for_class(&self, class: Cap2Class) -> KernelPermission {
618 match class {
619 Cap2Class::Capability2 => Capability2Permission::from(*self).into(),
620 }
621 }
622}
623
624impl From<CommonCap2Permission> for Capability2Permission {
625 fn from(other: CommonCap2Permission) -> Self {
626 // SAFETY: Capability2Permission's values include all of CommonCap2Permission.
627 unsafe { std::mem::transmute(other) }
628 }
629}
630
631/// Permissions meaningful for all [`crate::vfs::FsNode`]s, whether file- or socket-like.
632///
633/// This extra layer of common permissions is not reflected in the hierarchy defined by the
634/// SELinux Reference Policy. Because even common permissions are mapped per-class, by name, to
635/// the policy equivalents, the implementation and policy notions of common permissions need not
636/// be identical.
637macro_rules! fs_node_class_permission_enum {
638 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
639 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
640 }) => {
641 class_permission_enum! {
642 $(#[$meta])* $ name $(for $kernel_class)? {
643 // keep-sorted start
644 /// Permission to append to a file or socket.
645 Append("append"),
646 /// Pseudo-permission used in `dontaudit` access-rules to allow access checks to be made
647 /// between specific sources & targets without generating audit logs.
648 AuditAccess("audit_access"),
649 /// Permission to create a file or socket.
650 Create("create"),
651 /// Permission to query attributes, including uid, gid and extended attributes.
652 GetAttr("getattr"),
653 /// Permission to execute ioctls on the file or socket.
654 Ioctl("ioctl"),
655 /// Permission to set and unset file or socket locks.
656 Lock("lock"),
657 /// Permission to map a file.
658 Map("map"),
659 /// Permission to read content from a file or socket, as well as reading or following links.
660 Read("read"),
661 /// Permission checked against the existing label when updating a node's security label.
662 RelabelFrom("relabelfrom"),
663 /// Permission checked against the new label when updating a node's security label.
664 RelabelTo("relabelto"),
665 /// Permission to modify attributes, including uid, gid and extended attributes.
666 SetAttr("setattr"),
667 /// Permission to write contents to the file or socket.
668 Write("write"),
669 // keep-sorted end
670
671 // Additional permissions specific to the derived class.
672 $($(#[$variant_meta])* $variant ($variant_name),)*
673 }
674 }
675 }
676}
677
678fs_node_class_permission_enum! {
679 CommonFsNodePermission {}
680}
681
682impl<T: Into<FsNodeClass>> ForClass<T> for CommonFsNodePermission {
683 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
684 /// This is used to allow hooks to resolve e.g. common "read" permission access based on the
685 /// "allow" rules for the correct target object class.
686 fn for_class(&self, class: T) -> KernelPermission {
687 match class.into() {
688 FsNodeClass::File(file_class) => {
689 CommonFilePermission::from(*self).for_class(file_class)
690 }
691 FsNodeClass::Socket(sock_class) => {
692 CommonSocketPermission::from(*self).for_class(sock_class)
693 }
694 }
695 }
696}
697
698impl From<CommonFsNodePermission> for CommonFilePermission {
699 fn from(other: CommonFsNodePermission) -> Self {
700 // SAFETY: CommonFilePermission's values include all of CommonFsNodePermission.
701 unsafe { std::mem::transmute(other) }
702 }
703}
704
705impl From<CommonFsNodePermission> for CommonSocketPermission {
706 fn from(other: CommonFsNodePermission) -> Self {
707 // SAFETY: CommonSocketPermission's values include all of CommonFsNodePermission.
708 unsafe { std::mem::transmute(other) }
709 }
710}
711
712/// Permissions common to all socket-like object classes. These are combined with a specific
713/// `SocketClass` by policy enforcement hooks, to obtain class-affine permission values.
714macro_rules! socket_class_permission_enum {
715 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
716 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
717 }) => {
718 fs_node_class_permission_enum! {
719 $(#[$meta])* $ name $(for $kernel_class)? {
720 // keep-sorted start
721 /// Permission to accept a connection.
722 Accept("accept"),
723 /// Permission to bind to a name.
724 Bind("bind"),
725 /// Permission to initiate a connection.
726 Connect("connect"),
727 /// Permission to get socket options.
728 GetOpt("getopt"),
729 /// Permission to listen for connections.
730 Listen("listen"),
731 /// Permission to send datagrams to the socket.
732 SendTo("sendto"),
733 /// Permission to set socket options.
734 SetOpt("setopt"),
735 /// Permission to terminate connection.
736 Shutdown("shutdown"),
737 // keep-sorted end
738
739 // Additional permissions specific to the derived class.
740 $($(#[$variant_meta])* $variant ($variant_name),)*
741 }
742 }
743
744 $(impl From<CommonSocketPermission> for $name {
745 fn from(other: CommonSocketPermission) -> Self {
746 // SAFETY: $name's values include all of CommonSocketPermission.
747 let result: $name = unsafe { std::mem::transmute(other) };
748 debug_assert_eq!(result.class(), KernelClass::$kernel_class);
749 result
750 }
751 })?
752 }
753}
754
755socket_class_permission_enum! {
756 CommonSocketPermission {}
757}
758
759impl ForClass<SocketClass> for CommonSocketPermission {
760 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
761 /// This is used to allow hooks to resolve e.g. common "read" permission access based on the
762 /// "allow" rules for the correct target object class.
763 fn for_class(&self, class: SocketClass) -> KernelPermission {
764 match class {
765 SocketClass::KeySocket => KeySocketPermission::from(*self).into(),
766 SocketClass::NetlinkSocket => NetlinkSocketPermission::from(*self).into(),
767 SocketClass::NetlinkAuditSocket => NetlinkAuditSocketPermission::from(*self).into(),
768 SocketClass::NetlinkConnectorSocket => {
769 NetlinkConnectorSocketPermission::from(*self).into()
770 }
771 SocketClass::NetlinkCryptoSocket => NetlinkCryptoSocketPermission::from(*self).into(),
772 SocketClass::NetlinkDnrtSocket => NetlinkDnrtSocketPermission::from(*self).into(),
773 SocketClass::NetlinkFibLookupSocket => {
774 NetlinkFibLookupSocketPermission::from(*self).into()
775 }
776 SocketClass::NetlinkFirewallSocket => {
777 NetlinkFirewallSocketPermission::from(*self).into()
778 }
779 SocketClass::NetlinkGenericSocket => NetlinkGenericSocketPermission::from(*self).into(),
780 SocketClass::NetlinkIp6FwSocket => NetlinkIp6FwSocketPermission::from(*self).into(),
781 SocketClass::NetlinkIscsiSocket => NetlinkIscsiSocketPermission::from(*self).into(),
782 SocketClass::NetlinkKobjectUeventSocket => {
783 NetlinkKobjectUeventSocketPermission::from(*self).into()
784 }
785 SocketClass::NetlinkNetfilterSocket => {
786 NetlinkNetfilterSocketPermission::from(*self).into()
787 }
788 SocketClass::NetlinkNflogSocket => NetlinkNflogSocketPermission::from(*self).into(),
789 SocketClass::NetlinkRdmaSocket => NetlinkRdmaSocketPermission::from(*self).into(),
790 SocketClass::NetlinkRouteSocket => NetlinkRouteSocketPermission::from(*self).into(),
791 SocketClass::NetlinkScsitransportSocket => {
792 NetlinkScsitransportSocketPermission::from(*self).into()
793 }
794 SocketClass::NetlinkSelinuxSocket => NetlinkSelinuxSocketPermission::from(*self).into(),
795 SocketClass::NetlinkTcpDiagSocket => NetlinkTcpDiagSocketPermission::from(*self).into(),
796 SocketClass::NetlinkXfrmSocket => NetlinkXfrmSocketPermission::from(*self).into(),
797 SocketClass::PacketSocket => PacketSocketPermission::from(*self).into(),
798 SocketClass::QipcrtrSocket => QipcrtrSocketPermission::from(*self).into(),
799 SocketClass::RawIpSocket => RawIpSocketPermission::from(*self).into(),
800 SocketClass::SctpSocket => SctpSocketPermission::from(*self).into(),
801 SocketClass::Socket => SocketPermission::from(*self).into(),
802 SocketClass::TcpSocket => TcpSocketPermission::from(*self).into(),
803 SocketClass::TunSocket => TunSocketPermission::from(*self).into(),
804 SocketClass::UdpSocket => UdpSocketPermission::from(*self).into(),
805 SocketClass::UnixDgramSocket => UnixDgramSocketPermission::from(*self).into(),
806 SocketClass::UnixStreamSocket => UnixStreamSocketPermission::from(*self).into(),
807 SocketClass::VsockSocket => VsockSocketPermission::from(*self).into(),
808 SocketClass::IcmpSocket => IcmpSocketPermission::from(*self).into(),
809 }
810 }
811}
812
813socket_class_permission_enum! {
814 KeySocketPermission for KeySocket {
815 }
816}
817
818socket_class_permission_enum! {
819 NetlinkSocketPermission for NetlinkSocket {}
820}
821
822socket_class_permission_enum! {
823 NetlinkRouteSocketPermission for NetlinkRouteSocket {
824 // keep-sorted start
825 /// Permission for nlmsg xperms.
826 Nlmsg("nlmsg"),
827 /// Permission to read the kernel routing table.
828 NlmsgRead("nlmsg_read"),
829 /// Permission to write to the kernel routing table.
830 NlmsgWrite("nlmsg_write"),
831 // keep-sorted end
832 }
833}
834
835socket_class_permission_enum! {
836 NetlinkFirewallSocketPermission for NetlinkFirewallSocket {
837 }
838}
839
840socket_class_permission_enum! {
841 NetlinkTcpDiagSocketPermission for NetlinkTcpDiagSocket {
842 // keep-sorted start
843 /// Permission for nlmsg xperms.
844 Nlmsg("nlmsg"),
845 /// Permission to request information about a protocol.
846 NlmsgRead("nlmsg_read"),
847 /// Permission to write netlink message.
848 NlmsgWrite("nlmsg_write"),
849 // keep-sorted end
850 }
851}
852
853socket_class_permission_enum! {
854 NetlinkNflogSocketPermission for NetlinkNflogSocket {
855 }
856}
857
858socket_class_permission_enum! {
859 NetlinkXfrmSocketPermission for NetlinkXfrmSocket {
860 // keep-sorted start
861 /// Permission for nlmsg xperms.
862 Nlmsg("nlmsg"),
863 /// Permission to get IPSec configuration information.
864 NlmsgRead("nlmsg_read"),
865 /// Permission to set IPSec configuration information.
866 NlmsgWrite("nlmsg_write"),
867 // keep-sorted end
868 }
869}
870
871socket_class_permission_enum! {
872 NetlinkSelinuxSocketPermission for NetlinkSelinuxSocket {
873 }
874}
875
876socket_class_permission_enum! {
877 NetlinkIscsiSocketPermission for NetlinkIscsiSocket {
878 }
879}
880
881socket_class_permission_enum! {
882 NetlinkAuditSocketPermission for NetlinkAuditSocket {
883 // keep-sorted start
884 /// Permission for nlmsg xperms.
885 Nlmsg("nlmsg"),
886 /// Permission to query status of audit service.
887 NlmsgRead("nlmsg_read"),
888 /// Permission to list auditing configuration rules.
889 NlmsgReadPriv("nlmsg_readpriv"),
890 /// Permission to send userspace audit messages to the audit service.
891 NlmsgRelay("nlmsg_relay"),
892 /// Permission to control TTY auditing.
893 NlmsgTtyAudit("nlmsg_tty_audit"),
894 /// Permission to update the audit service configuration.
895 NlmsgWrite("nlmsg_write"),
896 // keep-sorted end
897 }
898}
899
900socket_class_permission_enum! {
901 NetlinkFibLookupSocketPermission for NetlinkFibLookupSocket {
902 }
903}
904
905socket_class_permission_enum! {
906 NetlinkConnectorSocketPermission for NetlinkConnectorSocket {
907 }
908}
909
910socket_class_permission_enum! {
911 NetlinkNetfilterSocketPermission for NetlinkNetfilterSocket {
912 }
913}
914
915socket_class_permission_enum! {
916 NetlinkIp6FwSocketPermission for NetlinkIp6FwSocket {
917 }
918}
919
920socket_class_permission_enum! {
921 NetlinkDnrtSocketPermission for NetlinkDnrtSocket {
922 }
923}
924
925socket_class_permission_enum! {
926 NetlinkKobjectUeventSocketPermission for NetlinkKobjectUeventSocket {
927 }
928}
929
930socket_class_permission_enum! {
931 NetlinkGenericSocketPermission for NetlinkGenericSocket {
932 }
933}
934
935socket_class_permission_enum! {
936 NetlinkScsitransportSocketPermission for NetlinkScsitransportSocket {
937 }
938}
939
940socket_class_permission_enum! {
941 NetlinkRdmaSocketPermission for NetlinkRdmaSocket {
942 }
943}
944
945socket_class_permission_enum! {
946 NetlinkCryptoSocketPermission for NetlinkCryptoSocket {
947 }
948}
949
950socket_class_permission_enum! {
951 PacketSocketPermission for PacketSocket {
952 }
953}
954
955socket_class_permission_enum! {
956 QipcrtrSocketPermission for QipcrtrSocket {
957 }
958}
959
960socket_class_permission_enum! {
961 RawIpSocketPermission for RawIpSocket {
962 }
963}
964
965socket_class_permission_enum! {
966 SctpSocketPermission for SctpSocket {
967 // keep-sorted start
968 /// Permission to create an SCTP association.
969 Associate("associate"),
970 /// Permission to `connect()` or `connectx()` an SCTP socket.
971 NameConnect("name_connect"),
972 /// Permission to `bind()` or `bindx()` an SCTP socket.
973 NodeBind("node_bind"),
974 // keep-sorted end
975 }
976}
977
978socket_class_permission_enum! {
979 SocketPermission for Socket {
980 }
981}
982
983socket_class_permission_enum! {
984 TcpSocketPermission for TcpSocket {
985 }
986}
987
988socket_class_permission_enum! {
989 TunSocketPermission for TunSocket {
990 }
991}
992
993socket_class_permission_enum! {
994 UdpSocketPermission for UdpSocket {
995 }
996}
997
998socket_class_permission_enum! {
999 UnixStreamSocketPermission for UnixStreamSocket {
1000 // keep-sorted start
1001 /// Permission to connect a streaming Unix-domain socket.
1002 ConnectTo("connectto"),
1003 // keep-sorted end
1004 }
1005}
1006
1007socket_class_permission_enum! {
1008 UnixDgramSocketPermission for UnixDgramSocket {
1009 }
1010}
1011
1012socket_class_permission_enum! {
1013 VsockSocketPermission for VsockSocket {
1014 }
1015}
1016
1017socket_class_permission_enum! {
1018 IcmpSocketPermission for IcmpSocket {
1019 // keep-sorted start
1020 /// Permission to `bind()` an ICMP socket.
1021 NodeBind("node_bind"),
1022 // keep-sorted end
1023 }
1024}
1025
1026/// Permissions common to all file-like object classes (e.g. "lnk_file", "dir"). These are
1027/// combined with a specific `FileClass` by policy enforcement hooks, to obtain class-affine
1028/// permission values to check.
1029macro_rules! file_class_permission_enum {
1030 ($(#[$meta:meta])* $name:ident $(for $kernel_class:ident)? {
1031 $($(#[$variant_meta:meta])* $variant:ident ($variant_name:literal),)*
1032 }) => {
1033 fs_node_class_permission_enum! {
1034 $(#[$meta])* $name $(for $kernel_class)? {
1035 // keep-sorted start
1036
1037 /// Permission to execute a file with domain transition.
1038 Execute("execute"),
1039 /// Permissions to create hard link.
1040 Link("link"),
1041 /// Permission to use as mount point; only useful for directories and files.
1042 MountOn("mounton"),
1043 /// Permission to open a file.
1044 Open("open"),
1045 /// Permission to rename a file.
1046 Rename("rename"),
1047 /// Permission to delete a file or remove a hard link.
1048 Unlink("unlink"),
1049 // keep-sorted end
1050
1051 // Additional permissions specific to the derived class.
1052 $($(#[$variant_meta])* $variant ($variant_name),)*
1053 }}
1054
1055 $(impl From<CommonFilePermission> for $name {
1056 fn from(other: CommonFilePermission) -> Self {
1057 // SAFETY: $name's values include all of CommonFilePermission.
1058 let result: $name = unsafe { std::mem::transmute(other) };
1059 debug_assert_eq!(result.class(), KernelClass::$kernel_class);
1060 result
1061 }
1062 })?
1063 }
1064}
1065
1066file_class_permission_enum! {
1067 CommonFilePermission {}
1068}
1069
1070impl ForClass<FileClass> for CommonFilePermission {
1071 /// Returns the `class`-affine `KernelPermission` value corresponding to this common permission.
1072 /// This is used to allow hooks to resolve e.g. common "read" permission access based on the
1073 /// "allow" rules for the correct target object class.
1074 fn for_class(&self, class: FileClass) -> KernelPermission {
1075 match class {
1076 FileClass::AnonFsNode => AnonFsNodePermission::from(*self).into(),
1077 FileClass::Block => BlockFilePermission::from(*self).into(),
1078 FileClass::Character => CharacterFilePermission::from(*self).into(),
1079 FileClass::Dir => DirPermission::from(*self).into(),
1080 FileClass::Fifo => FifoFilePermission::from(*self).into(),
1081 FileClass::File => FilePermission::from(*self).into(),
1082 FileClass::Link => LinkFilePermission::from(*self).into(),
1083 FileClass::SockFile => SockFilePermission::from(*self).into(),
1084 FileClass::MemFdFile => MemFdFilePermission::from(*self).into(),
1085 }
1086 }
1087}
1088
1089file_class_permission_enum! {
1090 AnonFsNodePermission for AnonFsNode {
1091 }
1092}
1093
1094class_permission_enum! {
1095 BinderPermission for Binder {
1096 // keep-sorted start
1097 /// Permission to perform a binder IPC to a given target process.
1098 Call("call"),
1099 /// Permission to use a Binder connection created with a different security context.
1100 Impersonate("impersonate"),
1101 /// Permission to set oneself as a context manager.
1102 SetContextMgr("set_context_mgr"),
1103 /// Permission to transfer Binder objects as part of a Binder transaction.
1104 Transfer("transfer"),
1105 // keep-sorted end
1106 }
1107}
1108
1109file_class_permission_enum! {
1110 BlockFilePermission for Block {
1111 }
1112}
1113
1114file_class_permission_enum! {
1115 CharacterFilePermission for Character {
1116 }
1117}
1118
1119file_class_permission_enum! {
1120 DirPermission for Dir {
1121 // keep-sorted start
1122 /// Permission to add a file to the directory.
1123 AddName("add_name"),
1124 /// Permission to remove a directory.
1125 RemoveDir("rmdir"),
1126 /// Permission to remove an entry from a directory.
1127 RemoveName("remove_name"),
1128 /// Permission to change parent directory.
1129 Reparent("reparent"),
1130 /// Search access to the directory.
1131 Search("search"),
1132 // keep-sorted end
1133 }
1134}
1135
1136class_permission_enum! {
1137 FdPermission for Fd {
1138 // keep-sorted start
1139 /// Permission to use file descriptors copied/retained/inherited from another security
1140 /// context. This permission is generally used to control whether an `exec*()` call from a
1141 /// cloned process that retained a copy of the file descriptor table should succeed.
1142 Use("use"),
1143 // keep-sorted end
1144 }
1145}
1146
1147class_permission_enum! {
1148 BpfPermission for Bpf {
1149 // keep-sorted start
1150 /// Permission to create a map.
1151 MapCreate("map_create"),
1152 /// Permission to read from a map.
1153 MapRead("map_read"),
1154 /// Permission to write on a map.
1155 MapWrite("map_write"),
1156 /// Permission to load a program.
1157 ProgLoad("prog_load"),
1158 /// Permission to run a program.
1159 ProgRun("prog_run"),
1160 // keep-sorted end
1161 }
1162}
1163
1164class_permission_enum! {
1165 PerfEventPermission for PerfEvent {
1166 // keep-sorted start
1167 /// Permission to monitor the cpu.
1168 Cpu("cpu"),
1169 /// Permission to monitor the kernel.
1170 Kernel("kernel"),
1171 /// Permission to open a perf event.
1172 Open("open"),
1173 /// Permission to read a perf event.
1174 Read("read"),
1175 /// Permission to set tracepoints.
1176 Tracepoint("tracepoint"),
1177 /// Permission to write a perf event.
1178 Write("write"),
1179 // keep-sorted end
1180 }
1181}
1182
1183file_class_permission_enum! {
1184 FifoFilePermission for Fifo {
1185 }
1186}
1187
1188file_class_permission_enum! {
1189 FilePermission for File {
1190 // keep-sorted start
1191 /// Permission to use a file as an entry point into the new domain on transition.
1192 Entrypoint("entrypoint"),
1193 /// Permission to use a file as an entry point to the calling domain without performing a
1194 /// transition.
1195 ExecuteNoTrans("execute_no_trans"),
1196 // keep-sorted end
1197 }
1198}
1199
1200class_permission_enum! {
1201 FileSystemPermission for FileSystem {
1202 // keep-sorted start
1203 /// Permission to associate a file to the filesystem.
1204 Associate("associate"),
1205 /// Permission to get filesystem attributes.
1206 GetAttr("getattr"),
1207 /// Permission mount a filesystem.
1208 Mount("mount"),
1209 /// Permission to remount a filesystem with different flags.
1210 Remount("remount"),
1211 /// Permission to unmount a filesystem.
1212 Unmount("unmount"),
1213 // keep-sorted end
1214 }
1215}
1216
1217file_class_permission_enum! {
1218 LinkFilePermission for Link {
1219 }
1220}
1221
1222file_class_permission_enum! {
1223 MemFdFilePermission for MemFdFile {
1224 }
1225}
1226
1227file_class_permission_enum! {
1228 SockFilePermission for SockFile {
1229 }
1230}
1231
1232class_permission_enum! {
1233 ProcessPermission for Process {
1234 // keep-sorted start
1235 /// Permission to dynamically transition a process to a different security domain.
1236 DynTransition("dyntransition"),
1237 /// Permission to execute arbitrary code from the heap.
1238 ExecHeap("execheap"),
1239 /// Permission to execute arbitrary code from memory.
1240 ExecMem("execmem"),
1241 /// Permission to execute arbitrary code from the stack.
1242 ExecStack("execstack"),
1243 /// Permission to fork the current running process.
1244 Fork("fork"),
1245 /// Permission to get Linux capabilities of a process.
1246 GetCap("getcap"),
1247 /// Permission to get the process group ID.
1248 GetPgid("getpgid"),
1249 /// Permission to get the resource limits on a process.
1250 GetRlimit("getrlimit"),
1251 /// Permission to get scheduling policy currently applied to a process.
1252 GetSched("getsched"),
1253 /// Permission to get the session ID.
1254 GetSession("getsession"),
1255 /// Permission to exec into a new security domain without setting the AT_SECURE entry in the
1256 /// executable's auxiliary vector.
1257 NoAtSecure("noatsecure"),
1258 /// Permission to trace a process.
1259 Ptrace("ptrace"),
1260 /// Permission to inherit the parent process's resource limits on exec.
1261 RlimitInh("rlimitinh"),
1262 /// Permission to set Linux capabilities of a process.
1263 SetCap("setcap"),
1264 /// Permission to set the calling task's current Security Context.
1265 /// The "dyntransition" permission separately limits which Contexts "setcurrent" may be used to transition to.
1266 SetCurrent("setcurrent"),
1267 /// Permission to set the Security Context used by `exec()`.
1268 SetExec("setexec"),
1269 /// Permission to set the Security Context used when creating filesystem objects.
1270 SetFsCreate("setfscreate"),
1271 /// Permission to set the Security Context used when creating kernel keyrings.
1272 SetKeyCreate("setkeycreate"),
1273 /// Permission to set the process group ID.
1274 SetPgid("setpgid"),
1275 /// Permission to set the resource limits on a process.
1276 SetRlimit("setrlimit"),
1277 /// Permission to set scheduling policy for a process.
1278 SetSched("setsched"),
1279 /// Permission to set the Security Context used when creating new labeled sockets.
1280 SetSockCreate("setsockcreate"),
1281 /// Permission to share resources (e.g. FD table, address-space, etc) with a process.
1282 Share("share"),
1283 /// Permission to send SIGCHLD to a process.
1284 SigChld("sigchld"),
1285 /// Permission to inherit the parent process's signal state.
1286 SigInh("siginh"),
1287 /// Permission to send SIGKILL to a process.
1288 SigKill("sigkill"),
1289 /// Permission to send SIGSTOP to a process.
1290 SigStop("sigstop"),
1291 /// Permission to send a signal other than SIGKILL, SIGSTOP, or SIGCHLD to a process.
1292 Signal("signal"),
1293 /// Permission to transition to a different security domain.
1294 Transition("transition"),
1295 // keep-sorted end
1296 }
1297}
1298
1299class_permission_enum! {
1300 Process2Permission for Process2 {
1301 // keep-sorted start
1302 /// Permission to transition to an unbounded domain when no-new-privileges is set.
1303 NnpTransition("nnp_transition"),
1304 /// Permission to transition domain when executing from a no-SUID mounted filesystem.
1305 NosuidTransition("nosuid_transition"),
1306 // keep-sorted end
1307 }
1308}
1309
1310class_permission_enum! {
1311 SecurityPermission for Security {
1312 // keep-sorted start
1313 /// Permission to validate Security Context using the "context" API.
1314 CheckContext("check_context"),
1315 /// Permission to compute access vectors via the "access" API.
1316 ComputeAv("compute_av"),
1317 /// Permission to compute security contexts based on `type_transition` rules via "create".
1318 ComputeCreate("compute_create"),
1319 /// Permission to compute security contexts based on `type_member` rules via "member".
1320 ComputeMember("compute_member"),
1321 /// Permission to compute security contexts based on `type_change` rules via "relabel".
1322 ComputeRelabel("compute_relabel"),
1323 /// Permission to compute user decisions via "user".
1324 ComputeUser("compute_user"),
1325 /// Permission to load a new binary policy into the kernel via the "load" API.
1326 LoadPolicy("load_policy"),
1327 /// Permission to commit booleans to control conditional elements of the policy.
1328 SetBool("setbool"),
1329 /// Permission to change the way permissions are validated for `mmap()` operations.
1330 SetCheckReqProt("setcheckreqprot"),
1331 /// Permission to switch the system between permissive and enforcing modes, via "enforce".
1332 SetEnforce("setenforce"),
1333 // keep-sorted end
1334 }
1335}
1336
1337class_permission_enum! {
1338 SystemPermission for System {
1339 // keep-sorted start
1340 /// Permission to use the syslog(2) CONSOLE action types.
1341 SyslogConsole("syslog_console"),
1342 /// Permission to use other syslog(2) action types.
1343 SyslogMod("syslog_mod"),
1344 /// Permission to use the syslog(2) READ_ALL related action types.
1345 SyslogRead("syslog_read"),
1346 // keep-sorted end
1347 }
1348}