On 01/24/2014 06:55 AM, Heiko Stumpf wrote:
> Hello SEAndroid Community,
>
> Is SEAndroid able to handle CAN-Sockets? The socket is not listed under
> /dev/socket.
>
> The initialisation of the device is currently done via adb not through
> init. From my app, I am calling a native library which creates the can
> socket. In the end I want to disable the use of the can port for untrusted
> apps.
>
> Thanks for your advice!

SELinux does not presently define a specific security class for PF_CAN sockets, and thus they are handled via the generic socket security class in policy. To specifically prevent use of such sockets while allowing other sockets that do not have their own specific security class, you would need to introduce a distinct security class for them, which would require a change to the kernel to define the class and map PF_CAN to it and a change to policy to define the class and allow it where needed.

The relevant kernel changes would be security/selinux/include/classmap.h (add a new entry for can_socket with COMMON_SOCK_PERMS), and security/selinux/hooks.c (add a case for PF_CAN that maps to SECCLASS_CAN_SOCKET in socket_type_to_security_class).

In policy, you would append the definitions to security_classes and access_vectors.
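
Added example, not code from this thread or from the kernel: a simplified user-space C model of the class mapping the reply describes, showing why a distinct can_socket class is needed before policy can deny CAN sockets to one domain only. The domain can_service, the family FAM_OTHER and the allow table are assumptions made for illustration, and the real socket_type_to_security_class also looks at socket type and protocol.

```c
#include <stdbool.h>
#include <stdio.h>

/* Linux address-family numbers; FAM_OTHER is a constructed stand-in for
 * any family that has no security class of its own. */
enum family { FAM_INET = 2, FAM_CAN = 29, FAM_OTHER = 1000 };
enum sclass { SECCLASS_SOCKET, SECCLASS_TCP_SOCKET, SECCLASS_CAN_SOCKET, NCLASS };
enum domain { UNTRUSTED_APP, CAN_SERVICE /* hypothetical */, NDOMAIN };

/* Model of the mapping without the change: PF_CAN has no case of its own,
 * so it falls through to the generic socket class. */
static enum sclass class_stock(enum family f)
{
    switch (f) {
    case FAM_INET: return SECCLASS_TCP_SOCKET; /* stream sockets only, simplified */
    default:       return SECCLASS_SOCKET;
    }
}

/* Model of the mapping with the added case for PF_CAN. */
static enum sclass class_patched(enum family f)
{
    if (f == FAM_CAN)
        return SECCLASS_CAN_SOCKET;
    return class_stock(f);
}

/* Assumed policy: both domains may use generic and TCP sockets;
 * only can_service is allowed the new can_socket class. */
static const bool allow[NDOMAIN][NCLASS] = {
    [UNTRUSTED_APP] = { [SECCLASS_SOCKET] = true, [SECCLASS_TCP_SOCKET] = true },
    [CAN_SERVICE]   = { [SECCLASS_SOCKET] = true, [SECCLASS_TCP_SOCKET] = true,
                        [SECCLASS_CAN_SOCKET] = true },
};

/* Would this domain be allowed to create a socket of this family? */
bool may_create(enum domain d, enum family f, bool patched)
{
    enum sclass c = patched ? class_patched(f) : class_stock(f);
    return allow[d][c];
}

int main(void)
{
    printf("stock:   untrusted_app CAN=%d\n", may_create(UNTRUSTED_APP, FAM_CAN, false));
    printf("patched: untrusted_app CAN=%d other=%d\n",
           may_create(UNTRUSTED_APP, FAM_CAN, true),
           may_create(UNTRUSTED_APP, FAM_OTHER, true));
    printf("patched: can_service   CAN=%d\n", may_create(CAN_SERVICE, FAM_CAN, true));
    return 0;
}
```

In the stock model the only way to deny CAN to untrusted_app is to remove its generic socket permission, which also removes every other family mapped to that class.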
