Modify the SELinux kernel code so that it is able to differentiate between
a unix_stream_socket and a sequential_packet_socket.

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list.

Signed-off-by: Guido Trentalancia <[email protected]>
---
 security/selinux/hooks.c            |    3 ++-
 security/selinux/include/classmap.h |    2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

--- linux-4.7.1-orig/security/selinux/include/classmap.h        2016-08-18 
17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h     2016-08-18 
17:52:25.921420278 +0200
@@ -86,6 +86,8 @@ struct security_class_mapping secclass_m
          { "ingress", "egress", NULL } },
        { "netlink_socket",
          { COMMON_SOCK_PERMS, NULL } },
+       { "sequential_packet_socket",
+         { COMMON_SOCK_PERMS, "connectto", NULL } },
        { "packet_socket",
          { COMMON_SOCK_PERMS, NULL } },
        { "key_socket",
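Review bot: The new "sequential_packet_socket" entry at L21-L22 carries an ordering constraint that nothing in the hunk records: as far as I recall, selinux_socket_unix_stream_connect() (hooks.c, outside this patch) is reached for both SOCK_STREAM and SOCK_SEQPACKET connects and checks `UNIX_STREAM_SOCKET__CONNECTTO` against the peer's own sclass, so once the peer can be SECCLASS_SEQUENTIAL_PACKET_SOCKET the "connectto" bit must sit at the same index as in the unix_stream_socket entry, i.e. directly after COMMON_SOCK_PERMS, exactly as written here. That works today only by coincidence of layout and will silently break if either list is reordered or extended. I would add a comment above the new entry, `/* perm layout must mirror unix_stream_socket: the connectto check in selinux_socket_unix_stream_connect() uses UNIX_STREAM_SOCKET__CONNECTTO against the peer's sclass */`, or better, give the seqpacket path its own permission constant in that hook.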
--- linux-4.7.1-orig/security/selinux/hooks.c   2016-08-18 21:47:32.204199470 
+0200
+++ linux-4.7.1/security/selinux/hooks.c        2016-08-18 22:52:53.099296513 
+0200
@@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit
        switch (family) {
        case PF_UNIX:
                switch (type) {
-               case SOCK_STREAM:
                case SOCK_SEQPACKET:
+                       return SECCLASS_SEQUENTIAL_PACKET_SOCKET;
+               case SOCK_STREAM:
                        return SECCLASS_UNIX_STREAM_SOCKET;
                case SOCK_DGRAM:
                        return SECCLASS_UNIX_DGRAM_SOCKET;
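Review bot: Returning SECCLASS_SEQUENTIAL_PACKET_SOCKET unconditionally at L36 changes behaviour for every existing policy, not just the companion Reference Policy update: a loaded policy that does not define the class maps it to 0 at load time, and with the usual handle_unknown=deny setting every access to a PF_UNIX SOCK_SEQPACKET socket is then denied, whereas before the patch these sockets were governed by the unix_stream_socket rules. The kernel already has a mechanism for exactly this, the policy capabilities (e.g. `selinux_policycap_openperm`), so I would gate the new class on a capability the policy opts into, roughly `case SOCK_SEQPACKET: if (selinux_policycap_PLACEHOLDER) return SECCLASS_SEQUENTIAL_PACKET_SOCKET; /* fallthrough */ case SOCK_STREAM:` (capability name to be chosen and added to the policycap table, which this patch does not touch), so that policies without the class keep the old mapping. Note that the commit message should then state the compatibility story explicitly. socket_type_to_security_class() starts before and continues past this hunk.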