From patchwork Mon Jul 20 07:45:15 2020
X-Patchwork-Submitter: Dominick Grift
X-Patchwork-Id: 11673085
From: Dominick Grift To: selinux@vger.kernel.org Cc: Dominick Grift Subject: [SELinux-notebook PATCH] object_classes_permissions: describe bpf and perfmon capabilities Date: Mon, 20 Jul 2020 09:45:15 +0200 Message-Id: <20200720074515.1687720-1-dominick.grift@defensec.nl> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org These capabilities were introduced with Linux 5.8 The ipc security class is deprecated (kind of at least) Fix a typo in net_broadcast Signed-off-by: Dominick Grift Acked-by: Stephen Smalley --- src/object_classes_permissions.md | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/src/object_classes_permissions.md b/src/object_classes_permissions.md index 1b183bb..498d872 100644 --- a/src/object_classes_permissions.md +++ b/src/object_classes_permissions.md @@ -421,7 +421,7 @@ inherited by a number of object classes. Allows opening of raw sockets and packet sockets. -netbroadcast +net_broadcast Grant network broadcasting and listening to incoming multicasts. @@ -496,13 +496,18 @@ inherited by a number of object classes. Permissions -Description (6 permissions) +Description (8 permissions) audit_read Allow reading audits logs. +bpf +

Create maps, do other sys_bpf() commands and load 'SK_REUSEPORT' progs.

+

Note that loading tracing programs also requires 'CAP_PERFMON' and that loading networking programs also requires 'CAP_NET_ADMIN'.

+ + block_suspend Prevent system suspends (was epollwakeup) @@ -516,6 +521,11 @@ inherited by a number of object classes. Allow MAC policy to be overridden. (not used) + +perfmon +Allow system performance monitoring and observability operations. + + syslog Allow configuration of kernel syslog (printk behaviour). @@ -2015,7 +2025,7 @@ implementation. ## IPC Object Classes -### `ipc` +### `ipc` (Deprecated) @@ -2600,11 +2610,11 @@ Note that while this is defined as a kernel object class, the userspace - + - +
PermissionsDescription (Inherit 6 permissions)Description (Inherit 8 permissions)
Common Capability2 Permissionsaudit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarmaudit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm
@@ -2638,11 +2648,11 @@ Note that while this is defined as a kernel object class, the userspace Permissions -Description (Inherit 6 permissions) +Description (Inherit 8 permissions) Common Capability2 Permissions -audit_read, block_suspend, mac_admin, mac_override, syslog, wake_alarm +audit_read, bpf, block_suspend, mac_admin, mac_override, perfmon, syslog, wake_alarm
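Review bot: the new bpf entry in the @@ -496 hunk names the related capabilities by their kernel macro names ('CAP_PERFMON', 'CAP_NET_ADMIN') while the rest of this section uses the SELinux permission names (perfmon, net_admin, and the neighbouring audit_read and block_suspend); consider phrasing it as "Note that loading tracing programs also requires the perfmon permission and loading networking programs also requires net_admin" so a reader mapping these to policy rules does not have to translate. The same entry's "load 'SK_REUSEPORT' progs" is kernel-internal shorthand; spelling out that these are BPF programs would match the register of the surrounding descriptions.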
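Review bot: the perfmon entry added in the @@ -516 hunk gives no kernel version and no relationship to the other permissions, although the commit message records that both bpf and perfmon arrived with Linux 5.8 and the bpf entry already says perfmon is needed for tracing programs. Since this document is a reference, suggest adding "Introduced in Linux 5.8" to both new descriptions and a matching sentence under perfmon that it is also required to load tracing BPF programs, so the two entries cross-reference each other symmetrically.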
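Review bot: the @@ -2015 hunk marks the `ipc` heading as "(Deprecated)" but adds no text under it saying what that means for a policy writer, and the commit message itself hedges with "kind of at least"; a heading-only tag leaves the reader guessing whether rules on `ipc` are ignored, still enforced, or merely unused by current kernel code. Suggest a one-line note under the heading stating the actual status and naming the classes to use instead, or, if the status is genuinely unclear, leaving the heading alone and recording the uncertainty in the text rather than in the commit message.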
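Review bot: the @@ -2600 and @@ -2638 table hunks, together with the "Description (8 permissions)" line in the @@ -496 hunk, carry the capability2 permission count as a hand-maintained literal in three places that must be updated together; this patch does update all three consistently, but the count will drift again the next time a capability is added. Consider dropping the "(Inherit N permissions)" count from the table headers in favour of the permission list alone, or adding a source comment next to the first occurrence listing the other places that need the same edit.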