diff options
Diffstat (limited to 'security')
29 files changed, 587 insertions, 642 deletions
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 38650e52ef57..2d9f2a4b4519 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -2373,6 +2373,7 @@ static struct aa_sfs_entry aa_sfs_entry_policy[] = { static struct aa_sfs_entry aa_sfs_entry_mount[] = { AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), + AA_SFS_FILE_STRING("move_mount", "detached"), { } }; diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index fb30204c761a..49fe8da6fea4 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -499,6 +499,10 @@ int aa_move_mount(const struct cred *subj_cred, error = -ENOMEM; if (!to_buffer || !from_buffer) goto out; + + if (!our_mnt(from_path->mnt)) + /* moving a mount detached from the namespace */ + from_path = NULL; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, to_path, to_buffer, from_path, from_buffer, diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index 51ad29940f05..f3738b2c8bcd 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c @@ -38,7 +38,7 @@ static int param_set_bufsize(const char *val, const struct kernel_param *kp) size = memparse(val, NULL); order = get_order(size); - if (order > MAX_ORDER) + if (order > MAX_PAGE_ORDER) return -EINVAL; ima_maxorder = order; ima_bufsize = PAGE_SIZE << order; diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index ad133fe120db..dadc1d138118 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -129,8 +129,8 @@ void ima_add_kexec_buffer(struct kimage *image) image->ima_buffer_size = kexec_segment_size; image->ima_buffer = kexec_buffer; - pr_debug("kexec measurement buffer for the loaded kernel at 0x%lx.\n", - kbuf.mem); + kexec_dprintk("kexec measurement buffer for the loaded kernel at 0x%lx.\n", + kbuf.mem); } #endif /* IMA_KEXEC */ diff --git a/security/keys/gc.c b/security/keys/gc.c index 3c90807476eb..eaddaceda14e 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -67,6 +67,19 @@ void key_schedule_gc(time64_t gc_at) } /* + * Set the expiration time on a key. + */ +void key_set_expiry(struct key *key, time64_t expiry) +{ + key->expiry = expiry; + if (expiry != TIME64_MAX) { + if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) + expiry += key_gc_delay; + key_schedule_gc(expiry); + } +} + +/* * Schedule a dead links collection run. */ void key_schedule_gc_links(void) @@ -176,7 +189,6 @@ static void key_garbage_collector(struct work_struct *work) static u8 gc_state; /* Internal persistent state */ #define KEY_GC_REAP_AGAIN 0x01 /* - Need another cycle */ #define KEY_GC_REAPING_LINKS 0x02 /* - We need to reap links */ -#define KEY_GC_SET_TIMER 0x04 /* - We need to restart the timer */ #define KEY_GC_REAPING_DEAD_1 0x10 /* - We need to mark dead keys */ #define KEY_GC_REAPING_DEAD_2 0x20 /* - We need to reap dead key links */ #define KEY_GC_REAPING_DEAD_3 0x40 /* - We need to reap dead keys */ @@ -184,21 +196,17 @@ static void key_garbage_collector(struct work_struct *work) struct rb_node *cursor; struct key *key; - time64_t new_timer, limit; + time64_t new_timer, limit, expiry; kenter("[%lx,%x]", key_gc_flags, gc_state); limit = ktime_get_real_seconds(); - if (limit > key_gc_delay) - limit -= key_gc_delay; - else - limit = key_gc_delay; /* Work out what we're going to be doing in this pass */ gc_state &= KEY_GC_REAPING_DEAD_1 | KEY_GC_REAPING_DEAD_2; gc_state <<= 1; if (test_and_clear_bit(KEY_GC_KEY_EXPIRED, &key_gc_flags)) - gc_state |= KEY_GC_REAPING_LINKS | KEY_GC_SET_TIMER; + gc_state |= KEY_GC_REAPING_LINKS; if (test_and_clear_bit(KEY_GC_REAP_KEYTYPE, &key_gc_flags)) gc_state |= KEY_GC_REAPING_DEAD_1; @@ -233,8 +241,11 @@ continue_scanning: } } - if (gc_state & KEY_GC_SET_TIMER) { - if (key->expiry > limit && key->expiry < new_timer) { + expiry = key->expiry; + if (expiry != TIME64_MAX) { + if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) + expiry += key_gc_delay; + if (expiry > limit && expiry < new_timer) { kdebug("will expire %x in %lld", key_serial(key), key->expiry - limit); new_timer = key->expiry; @@ -276,7 +287,7 @@ maybe_resched: */ kdebug("pass complete"); - if (gc_state & KEY_GC_SET_TIMER && new_timer != (time64_t)TIME64_MAX) { + if (new_timer != TIME64_MAX) { new_timer += key_gc_delay; key_schedule_gc(new_timer); } diff --git a/security/keys/internal.h b/security/keys/internal.h index 471cf36dedc0..2cffa6dc8255 100644 --- a/security/keys/internal.h +++ b/security/keys/internal.h @@ -167,6 +167,7 @@ extern unsigned key_gc_delay; extern void keyring_gc(struct key *keyring, time64_t limit); extern void keyring_restriction_gc(struct key *keyring, struct key_type *dead_type); +void key_set_expiry(struct key *key, time64_t expiry); extern void key_schedule_gc(time64_t gc_at); extern void key_schedule_gc_links(void); extern void key_gc_keytype(struct key_type *ktype); @@ -215,10 +216,18 @@ extern struct key *key_get_instantiation_authkey(key_serial_t target_id); */ static inline bool key_is_dead(const struct key *key, time64_t limit) { + time64_t expiry = key->expiry; + + if (expiry != TIME64_MAX) { + if (!(key->type->flags & KEY_TYPE_INSTANT_REAP)) + expiry += key_gc_delay; + if (expiry <= limit) + return true; + } + return key->flags & ((1 << KEY_FLAG_DEAD) | (1 << KEY_FLAG_INVALIDATED)) || - (key->expiry > 0 && key->expiry <= limit) || key->domain_tag->removed; } diff --git a/security/keys/key.c b/security/keys/key.c index 0260a1902922..5b10641debd5 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -294,6 +294,7 @@ struct key *key_alloc(struct key_type *type, const char *desc, key->uid = uid; key->gid = gid; key->perm = perm; + key->expiry = TIME64_MAX; key->restrict_link = restrict_link; key->last_used_at = ktime_get_real_seconds(); @@ -463,10 +464,7 @@ static int __key_instantiate_and_link(struct key *key, if (authkey) key_invalidate(authkey); - if (prep->expiry != TIME64_MAX) { - key->expiry = prep->expiry; - key_schedule_gc(prep->expiry + key_gc_delay); - } + key_set_expiry(key, prep->expiry); } } @@ -606,8 +604,7 @@ int key_reject_and_link(struct key *key, atomic_inc(&key->user->nikeys); mark_key_instantiated(key, -error); notify_key(key, NOTIFY_KEY_INSTANTIATED, -error); - key->expiry = ktime_get_real_seconds() + timeout; - key_schedule_gc(key->expiry + key_gc_delay); + key_set_expiry(key, ktime_get_real_seconds() + timeout); if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) awaken = 1; @@ -723,16 +720,14 @@ found_kernel_type: void key_set_timeout(struct key *key, unsigned timeout) { - time64_t expiry = 0; + time64_t expiry = TIME64_MAX; /* make the changes with the locks held to prevent races */ down_write(&key->sem); if (timeout > 0) expiry = ktime_get_real_seconds() + timeout; - - key->expiry = expiry; - key_schedule_gc(key->expiry + key_gc_delay); + key_set_expiry(key, expiry); up_write(&key->sem); } diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 19be69fa4d05..10ba439968f7 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1252,12 +1252,11 @@ long keyctl_instantiate_key(key_serial_t id, key_serial_t ringid) { if (_payload && plen) { - struct iovec iov; struct iov_iter from; int ret; - ret = import_single_range(ITER_SOURCE, (void __user *)_payload, plen, - &iov, &from); + ret = import_ubuf(ITER_SOURCE, (void __user *)_payload, plen, + &from); if (unlikely(ret)) return ret; diff --git a/security/keys/proc.c b/security/keys/proc.c index d0cde6685627..4f4e2c1824f1 100644 --- a/security/keys/proc.c +++ b/security/keys/proc.c @@ -198,7 +198,7 @@ static int proc_keys_show(struct seq_file *m, void *v) /* come up with a suitable timeout value */ expiry = READ_ONCE(key->expiry); - if (expiry == 0) { + if (expiry == TIME64_MAX) { memcpy(xbuf, "perm", 5); } else if (now >= expiry) { memcpy(xbuf, "expd", 5); diff --git a/security/security.c b/security/security.c index 69148dfc90cd..8b55ef346a62 100644 --- a/security/security.c +++ b/security/security.c @@ -2664,13 +2664,7 @@ int security_kernfs_init_security(struct kernfs_node *kn_dir, */ int security_file_permission(struct file *file, int mask) { - int ret; - - ret = call_int_hook(file_permission, 0, file, mask); - if (ret) - return ret; - - return fsnotify_perm(file, mask); + return call_int_hook(file_permission, 0, file, mask); } /** @@ -2939,7 +2933,7 @@ int security_file_open(struct file *file) if (ret) return ret; - return fsnotify_perm(file, MAY_OPEN); + return fsnotify_open_perm(file); } /** diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 179540441115..5e5fd5be6d93 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -1661,8 +1661,6 @@ static int inode_has_perm(const struct cred *cred, struct inode_security_struct *isec; u32 sid; - validate_creds(cred); - if (unlikely(IS_PRIVATE(inode))) return 0; @@ -2316,6 +2314,19 @@ static int selinux_bprm_creds_for_exec(struct linux_binprm *bprm) new_tsec->keycreate_sid = 0; new_tsec->sockcreate_sid = 0; + /* + * Before policy is loaded, label any task outside kernel space + * as SECINITSID_INIT, so that any userspace tasks surviving from + * early boot end up with a label different from SECINITSID_KERNEL + * (if the policy chooses to set SECINITSID_INIT != SECINITSID_KERNEL). + */ + if (!selinux_initialized()) { + new_tsec->sid = SECINITSID_INIT; + /* also clear the exec_sid just in case */ + new_tsec->exec_sid = 0; + return 0; + } + if (old_tsec->exec_sid) { new_tsec->sid = old_tsec->exec_sid; /* Reset exec SID on execve. */ @@ -3057,8 +3068,6 @@ static int selinux_inode_follow_link(struct dentry *dentry, struct inode *inode, struct inode_security_struct *isec; u32 sid; - validate_creds(cred); - ad.type = LSM_AUDIT_DATA_DENTRY; ad.u.dentry = dentry; sid = cred_sid(cred); @@ -3102,8 +3111,6 @@ static int selinux_inode_permission(struct inode *inode, int mask) if (!mask) return 0; - validate_creds(cred); - if (unlikely(IS_PRIVATE(inode))) return 0; @@ -4581,6 +4588,21 @@ static int sock_has_perm(struct sock *sk, u32 perms) if (sksec->sid == SECINITSID_KERNEL) return 0; + /* + * Before POLICYDB_CAP_USERSPACE_INITIAL_CONTEXT, sockets that + * inherited the kernel context from early boot used to be skipped + * here, so preserve that behavior unless the capability is set. + * + * By setting the capability the policy signals that it is ready + * for this quirk to be fixed. Note that sockets created by a kernel + * thread or a usermode helper executed without a transition will + * still be skipped in this check regardless of the policycap + * setting. + */ + if (!selinux_policycap_userspace_initial_context() && + sksec->sid == SECINITSID_INIT) + return 0; + ad_net_init_from_sk(&ad, &net, sk); return avc_has_perm(current_sid(), sksec->sid, sksec->sclass, perms, @@ -4695,6 +4717,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in return -EINVAL; addr4 = (struct sockaddr_in *)address; if (family_sa == AF_UNSPEC) { + if (family == PF_INET6) { + /* Length check from inet6_bind_sk() */ + if (addrlen < SIN6_LEN_RFC2133) + return -EINVAL; + /* Family check from __inet6_bind() */ + goto err_af; + } /* see __inet_bind(), we only want to allow * AF_UNSPEC if the address is INADDR_ANY */ @@ -6476,7 +6505,6 @@ static int selinux_lsm_setattr(u64 attr, void *value, size_t size) if (sid == 0) goto abort_change; - /* Only allow single threaded processes to change context */ if (!current_is_single_threaded()) { error = security_bounded_transition(tsec->sid, sid); if (error) diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h index d5495134a5b9..52aca71210b4 100644 --- a/security/selinux/include/audit.h +++ b/security/selinux/include/audit.h @@ -57,4 +57,3 @@ int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule); int selinux_audit_rule_known(struct audit_krule *rule); #endif /* _SELINUX_AUDIT_H */ - diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index 8f0aa66ccb13..96a614d47df8 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -4,6 +4,7 @@ * * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> */ + #ifndef _SELINUX_AVC_H_ #define _SELINUX_AVC_H_ @@ -60,11 +61,8 @@ struct selinux_audit_data { void __init avc_init(void); -static inline u32 avc_audit_required(u32 requested, - struct av_decision *avd, - int result, - u32 auditdeny, - u32 *deniedp) +static inline u32 avc_audit_required(u32 requested, struct av_decision *avd, + int result, u32 auditdeny, u32 *deniedp) { u32 denied, audited; denied = requested & ~avd->allowed; @@ -96,9 +94,8 @@ static inline u32 avc_audit_required(u32 requested, return audited; } -int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, - u32 requested, u32 audited, u32 denied, int result, - struct common_audit_data *a); +int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, u32 audited, + u32 denied, int result, struct common_audit_data *a); /** * avc_audit - Audit the granting or denial of permissions. @@ -119,36 +116,29 @@ int slow_avc_audit(u32 ssid, u32 tsid, u16 tclass, * be performed under a lock, to allow the lock to be released * before calling the auditing code. */ -static inline int avc_audit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - struct av_decision *avd, - int result, +static inline int avc_audit(u32 ssid, u32 tsid, u16 tclass, u32 requested, + struct av_decision *avd, int result, struct common_audit_data *a) { u32 audited, denied; audited = avc_audit_required(requested, avd, result, 0, &denied); if (likely(!audited)) return 0; - return slow_avc_audit(ssid, tsid, tclass, - requested, audited, denied, result, - a); + return slow_avc_audit(ssid, tsid, tclass, requested, audited, denied, + result, a); } -#define AVC_STRICT 1 /* Ignore permissive mode. */ -#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ -int avc_has_perm_noaudit(u32 ssid, u32 tsid, - u16 tclass, u32 requested, - unsigned flags, - struct av_decision *avd); +#define AVC_STRICT 1 /* Ignore permissive mode. */ +#define AVC_EXTENDED_PERMS 2 /* update extended permissions */ +int avc_has_perm_noaudit(u32 ssid, u32 tsid, u16 tclass, u32 requested, + unsigned int flags, struct av_decision *avd); -int avc_has_perm(u32 ssid, u32 tsid, - u16 tclass, u32 requested, +int avc_has_perm(u32 ssid, u32 tsid, u16 tclass, u32 requested, struct common_audit_data *auditdata); int avc_has_extended_perms(u32 ssid, u32 tsid, u16 tclass, u32 requested, u8 driver, u8 perm, struct common_audit_data *ad); - u32 avc_policy_seqno(void); #define AVC_CALLBACK_GRANT 1 @@ -156,7 +146,7 @@ u32 avc_policy_seqno(void); #define AVC_CALLBACK_REVOKE 4 #define AVC_CALLBACK_RESET 8 #define AVC_CALLBACK_AUDITALLOW_ENABLE 16 -#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 +#define AVC_CALLBACK_AUDITALLOW_DISABLE 32 #define AVC_CALLBACK_AUDITDENY_ENABLE 64 #define AVC_CALLBACK_AUDITDENY_DISABLE 128 #define AVC_CALLBACK_ADD_XPERMS 256 @@ -173,4 +163,3 @@ DECLARE_PER_CPU(struct avc_cache_stats, avc_cache_stats); #endif #endif /* _SELINUX_AVC_H_ */ - diff --git a/security/selinux/include/avc_ss.h b/security/selinux/include/avc_ss.h index 88b139e086c4..48ad64d54032 100644 --- a/security/selinux/include/avc_ss.h +++ b/security/selinux/include/avc_ss.h @@ -4,6 +4,7 @@ * * Author : Stephen Smalley, <stephen.smalley.work@gmail.com> */ + #ifndef _SELINUX_AVC_SS_H_ #define _SELINUX_AVC_SS_H_ @@ -20,4 +21,3 @@ struct security_class_mapping { extern const struct security_class_mapping secclass_map[]; #endif /* _SELINUX_AVC_SS_H_ */ - diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index a3c380775d41..7229c9bf6c27 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h @@ -1,34 +1,40 @@ /* SPDX-License-Identifier: GPL-2.0 */ + #include <linux/capability.h> #include <linux/socket.h> -#define COMMON_FILE_SOCK_PERMS "ioctl", "read", "write", "create", \ - "getattr", "setattr", "lock", "relabelfrom", "relabelto", "append", "map" +#define COMMON_FILE_SOCK_PERMS \ + "ioctl", "read", "write", "create", "getattr", "setattr", "lock", \ + "relabelfrom", "relabelto", "append", "map" -#define COMMON_FILE_PERMS COMMON_FILE_SOCK_PERMS, "unlink", "link", \ - "rename", "execute", "quotaon", "mounton", "audit_access", \ - "open", "execmod", "watch", "watch_mount", "watch_sb", \ - "watch_with_perm", "watch_reads" +#define COMMON_FILE_PERMS \ + COMMON_FILE_SOCK_PERMS, "unlink", "link", "rename", "execute", \ + "quotaon", "mounton", "audit_access", "open", "execmod", \ + "watch", "watch_mount", "watch_sb", "watch_with_perm", \ + "watch_reads" -#define COMMON_SOCK_PERMS COMMON_FILE_SOCK_PERMS, "bind", "connect", \ - "listen", "accept", "getopt", "setopt", "shutdown", "recvfrom", \ - "sendto", "name_bind" +#define COMMON_SOCK_PERMS \ + COMMON_FILE_SOCK_PERMS, "bind", "connect", "listen", "accept", \ + "getopt", "setopt", "shutdown", "recvfrom", "sendto", \ + "name_bind" -#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \ - "write", "associate", "unix_read", "unix_write" +#define COMMON_IPC_PERMS \ + "create", "destroy", "getattr", "setattr", "read", "write", \ + "associate", "unix_read", "unix_write" -#define COMMON_CAP_PERMS "chown", "dac_override", "dac_read_search", \ - "fowner", "fsetid", "kill", "setgid", "setuid", "setpcap", \ - "linux_immutable", "net_bind_service", "net_broadcast", \ - "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", \ - "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ - "sys_boot", "sys_nice", "sys_resource", "sys_time", \ - "sys_tty_config", "mknod", "lease", "audit_write", \ - "audit_control", "setfcap" +#define COMMON_CAP_PERMS \ + "chown", "dac_override", "dac_read_search", "fowner", "fsetid", \ + "kill", "setgid", "setuid", "setpcap", "linux_immutable", \ + "net_bind_service", "net_broadcast", "net_admin", "net_raw", \ + "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", \ + "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", \ + "sys_boot", "sys_nice", "sys_resource", "sys_time", \ + "sys_tty_config", "mknod", "lease", "audit_write", \ + "audit_control", "setfcap" -#define COMMON_CAP2_PERMS "mac_override", "mac_admin", "syslog", \ - "wake_alarm", "block_suspend", "audit_read", "perfmon", "bpf", \ - "checkpoint_restore" +#define COMMON_CAP2_PERMS \ + "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", \ + "audit_read", "perfmon", "bpf", "checkpoint_restore" #if CAP_LAST_CAP > CAP_CHECKPOINT_RESTORE #error New capability defined, please update COMMON_CAP2_PERMS. @@ -40,224 +46,140 @@ */ const struct security_class_mapping secclass_map[] = { { "security", - { "compute_av", "compute_create", "compute_member", - "check_context", "load_policy", "compute_relabel", - "compute_user", "setenforce", "setbool", "setsecparam", - "setcheckreqprot", "read_policy", "validate_trans", NULL } }, + { "compute_av", "compute_create", "compute_member", "check_context", + "load_policy", "compute_relabel", "compute_user", "setenforce", + "setbool", "setsecparam", "setcheckreqprot", "read_policy", + "validate_trans", NULL } }, { "process", - { "fork", "transition", "sigchld", "sigkill", - "sigstop", "signull", "signal", "ptrace", "getsched", "setsched", - "getsession", "getpgid", "setpgid", "getcap", "setcap", "share", - "getattr", "setexec", "setfscreate", "noatsecure", "siginh", - "setrlimit", "rlimitinh", "dyntransition", "setcurrent", - "execmem", "execstack", "execheap", "setkeycreate", - "setsockcreate", "getrlimit", NULL } }, - { "process2", - { "nnp_transition", "nosuid_transition", NULL } }, + { "fork", "transition", "sigchld", "sigkill", + "sigstop", "signull", "signal", "ptrace", + "getsched", "setsched", "getsession", "getpgid", + "setpgid", "getcap", "setcap", "share", + "getattr", "setexec", "setfscreate", "noatsecure", + "siginh", "setrlimit", "rlimitinh", "dyntransition", + "setcurrent", "execmem", "execstack", "execheap", + "setkeycreate", "setsockcreate", "getrlimit", NULL } }, + { "process2", { "nnp_transition", "nosuid_transition", NULL } }, { "system", - { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", "module_load", NULL } }, - { "capability", - { COMMON_CAP_PERMS, NULL } }, + { "ipc_info", "syslog_read", "syslog_mod", "syslog_console", + "module_request", "module_load", NULL } }, + { "capability", { COMMON_CAP_PERMS, NULL } }, { "filesystem", - { "mount", "remount", "unmount", "getattr", - "relabelfrom", "relabelto", "associate", "quotamod", - "quotaget", "watch", NULL } }, + { "mount", "remount", "unmount", "getattr", "relabelfrom", + "relabelto", "associate", "quotamod", "quotaget", "watch", NULL } }, { "file", - { COMMON_FILE_PERMS, - "execute_no_trans", "entrypoint", NULL } }, + { COMMON_FILE_PERMS, "execute_no_trans", "entrypoint", NULL } }, { "dir", - { COMMON_FILE_PERMS, "add_name", "remove_name", - "reparent", "search", "rmdir", NULL } }, + { COMMON_FILE_PERMS, "add_name", "remove_name", "reparent", "search", + "rmdir", NULL } }, { "fd", { "use", NULL } }, - { "lnk_file", - { COMMON_FILE_PERMS, NULL } }, - { "chr_file", - { COMMON_FILE_PERMS, NULL } }, - { "blk_file", - { COMMON_FILE_PERMS, NULL } }, - { "sock_file", - { COMMON_FILE_PERMS, NULL } }, - { "fifo_file", - { COMMON_FILE_PERMS, NULL } }, - { "socket", - { COMMON_SOCK_PERMS, NULL } }, + { "lnk_file", { COMMON_FILE_PERMS, NULL } }, + { "chr_file", { COMMON_FILE_PERMS, NULL } }, + { "blk_file", { COMMON_FILE_PERMS, NULL } }, + { "sock_file", { COMMON_FILE_PERMS, NULL } }, + { "fifo_file", { COMMON_FILE_PERMS, NULL } }, + { "socket", { COMMON_SOCK_PERMS, NULL } }, { "tcp_socket", - { COMMON_SOCK_PERMS, - "node_bind", "name_connect", - NULL } }, - { "udp_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "rawip_socket", - { COMMON_SOCK_PERMS, - "node_bind", NULL } }, - { "node", - { "recvfrom", "sendto", NULL } }, - { "netif", - { "ingress", "egress", NULL } }, - { "netlink_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "packet_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "key_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "unix_stream_socket", - { COMMON_SOCK_PERMS, "connectto", NULL } }, - { "unix_dgram_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "sem", - { COMMON_IPC_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "node_bind", "name_connect", NULL } }, + { "udp_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } }, + { "rawip_socket", { COMMON_SOCK_PERMS, "node_bind", NULL } }, + { "node", { "recvfrom", "sendto", NULL } }, + { "netif", { "ingress", "egress", NULL } }, + { "netlink_socket", { COMMON_SOCK_PERMS, NULL } }, + { "packet_socket", { COMMON_SOCK_PERMS, NULL } }, + { "key_socket", { COMMON_SOCK_PERMS, NULL } }, + { "unix_stream_socket", { COMMON_SOCK_PERMS, "connectto", NULL } }, + { "unix_dgram_socket", { COMMON_SOCK_PERMS, NULL } }, + { "sem", { COMMON_IPC_PERMS, NULL } }, { "msg", { "send", "receive", NULL } }, - { "msgq", - { COMMON_IPC_PERMS, "enqueue", NULL } }, - { "shm", - { COMMON_IPC_PERMS, "lock", NULL } }, - { "ipc", - { COMMON_IPC_PERMS, NULL } }, + { "msgq", { COMMON_IPC_PERMS, "enqueue", NULL } }, + { "shm", { COMMON_IPC_PERMS, "lock", NULL } }, + { "ipc", { COMMON_IPC_PERMS, NULL } }, { "netlink_route_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } }, { "netlink_tcpdiag_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_nflog_socket", - { COMMON_SOCK_PERMS, NULL } }, + { COMMON_SOCK_PERMS, "nlmsg_read", "nlmsg_write", NULL } }, + { "netlink_nflog_socket", { COMMON_SOCK_PERMS, NULL } }, { "netlink_xfrm_socket", - { COMMON_SOCK_PERMS, - "nlmsg_read", "nlmsg_write", NULL } }, - { "netlink_selinux_socket", - { COMMON_SOCK_PERMS, NULL } }, - { "netlink_iscsi_socket", |