Works perfectly! Thank you very much!!

> On 01/24/2014 06:55 AM, Heiko Stumpf wrote:
>> Hello SEAndroid Community,
>>
>> Is SEAndroid able to handle CAN-Sockets? The socket is not listed under
>> /dev/socket.
>>
>> The initialisation of the device is currently done via adb not through
>> init. From my app, I am calling a native library which creates the can
>> socket. In the end I want to disable the use of the can port for
>> untrusted apps.
>>
>> Thanks for your advice!
>
> SELinux does not presently define a specific security class for PF_CAN
> sockets, and thus they are handled via the generic socket security class
> in policy.
>
> To specifically prevent use of such sockets while allowing other sockets
> that do not have their own specific security class, you would need to
> introduce a distinct security class for them, which would require a
> change to the kernel to define the class and map PF_CAN to it and a
> change to policy to define the class and allow it where needed.
> The relevant kernel changes would be security/selinux/include/classmap.h
> (add a new entry for can_socket with COMMON_SOCK_PERMS), and
> security/selinux/hooks.c (add a case for PF_CAN that maps to
> SECCLASS_CAN_SOCKET in socket_type_to_security_class). In policy, you
> would append the definitions to security_classes and access_vectors.
_______________________________________________
Seandroid-list mailing list
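
The two kernel edits described in the quoted reply, as a user-space C model added here for illustration (not kernel source and not code from the thread). The numeric class ids, the shortened permission list, the one-argument signature and the `class_name` helper are assumptions; the names `can_socket`, `COMMON_SOCK_PERMS`, `PF_CAN`, `SECCLASS_CAN_SOCKET` and `socket_type_to_security_class` are the ones the reply gives.

```c
/* User-space model of the two kernel edits; not kernel source. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifndef PF_CAN
#define PF_CAN 29  /* Linux AF_CAN value, for libcs that lack it */
#endif

/* Constructed class ids; the kernel derives the real ones from classmap order. */
enum { SECCLASS_SOCKET = 1, SECCLASS_PACKET_SOCKET, SECCLASS_CAN_SOCKET };
/* Shortened stand-in for the kernel's COMMON_SOCK_PERMS macro (assumption). */
#define COMMON_SOCK_PERMS "ioctl", "read", "write", "create", "bind", "connect"

struct class_entry { int id; const char *name; const char *perms[8]; };

/* Model of classmap.h: can_socket reuses the common socket permissions. */
static const struct class_entry classmap[] = {
    { SECCLASS_SOCKET,        "socket",        { COMMON_SOCK_PERMS, NULL } },
    { SECCLASS_PACKET_SOCKET, "packet_socket", { COMMON_SOCK_PERMS, NULL } },
    { SECCLASS_CAN_SOCKET,    "can_socket",    { COMMON_SOCK_PERMS, NULL } },
};

/* Model of the hooks.c mapping (family only), with the added PF_CAN case. */
static int socket_type_to_security_class(int family)
{
    switch (family) {
    case PF_PACKET:                   /* a family that already has a class */
        return SECCLASS_PACKET_SOCKET;
    case PF_CAN:                      /* new: CAN gets its own class */
        return SECCLASS_CAN_SOCKET;
    }
    return SECCLASS_SOCKET;           /* every other family stays generic */
}

/* Hypothetical helper: resolve a class id to its classmap name. */
static const char *class_name(int id)
{
    for (size_t i = 0; i < sizeof(classmap) / sizeof(classmap[0]); i++)
        if (classmap[i].id == id)
            return classmap[i].name;
    return "unknown";
}

int main(void)
{
    printf("PF_CAN       -> %s\n", class_name(socket_type_to_security_class(PF_CAN)));
    printf("PF_BLUETOOTH -> %s\n", class_name(socket_type_to_security_class(PF_BLUETOOTH)));
    return 0;
}
```

Because only `PF_CAN` leaves the default branch, policy can then withhold `can_socket` from untrusted apps without touching the rules that other unclassified families still share through `socket`.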
