Diffstat (limited to 'security/selinux/nlmsgtab.c')
-rw-r--r--security/selinux/nlmsgtab.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index 8ff670cf1ee5..acc7d74b99d5 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -170,6 +170,33 @@ int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm)
{
int err = 0;
+ if (selinux_policycap_netlink_xperm()) {
+ switch (sclass) {
+ case SECCLASS_NETLINK_ROUTE_SOCKET:
+ *perm = NETLINK_ROUTE_SOCKET__NLMSG;
+ break;
+ case SECCLASS_NETLINK_TCPDIAG_SOCKET:
+ *perm = NETLINK_TCPDIAG_SOCKET__NLMSG;
+ break;
+ case SECCLASS_NETLINK_XFRM_SOCKET:
+ *perm = NETLINK_XFRM_SOCKET__NLMSG;
+ break;
+ case SECCLASS_NETLINK_AUDIT_SOCKET:
+ *perm = NETLINK_AUDIT_SOCKET__NLMSG;
+ break;
+ /* While it is possible to add a similar permission to other
+ * netlink classes, note that the extended permission value is
+ * matched against the nlmsg_type field. Notably,
+ * SECCLASS_NETLINK_GENERIC_SOCKET uses dynamic values for this
+ * field, which means that it cannot be added as-is.
+ */
+ default:
+ err = -ENOENT;
+ break;
+ }
+ return err;
+ }
+
switch (sclass) {
case SECCLASS_NETLINK_ROUTE_SOCKET:
/* RTM_MAX always points to RTM_SETxxxx, ie RTM_NEWxxx + 3.