On Monday, June 15, 2015 01:24:50 PM Stephen Smalley wrote: > Initialize the security class of sock security structures > to the generic socket class. This is similar to what is > already done in inode_alloc_security for files. Generally > the sclass field will later by set by socket_post_create > or sk_clone or sock_graft, but for protocol implementations > that fail to call any of these for newly accepted sockets, > we want some sane default that will yield a legitimate > avc denied message with non-garbage values for class and > permission. > > Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx> > --- > security/selinux/hooks.c | 1 + > 1 file changed, 1 insertion(+) Applied to the SELinux next-queue, thanks. > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index 312537d..90e6cdc 100644 > --- a/security/selinux/hooks.c > +++ b/security/selinux/hooks.c > @@ -4507,6 +4507,7 @@ static int selinux_sk_alloc_security(struct sock *sk, > int family, gfp_t priority > > sksec->peer_sid = SECINITSID_UNLABELED; > sksec->sid = SECINITSID_UNLABELED; > + sksec->sclass = SECCLASS_SOCKET; > selinux_netlbl_sk_security_reset(sksec); > sk->sk_security = sksec; -- paul moore www.paul-moore.com
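Review bot: the added `sksec->sclass = SECCLASS_SOCKET;` in selinux_sk_alloc_security() carries no comment saying it is only a fallback value. The reason lives solely in the commit message, so a one-line comment above the assignment noting that socket_post_create, sk_clone or sock_graft normally overwrite it would keep a later reader from treating the generic socket class as the intended final class. The commit message also says some protocol implementations never call those hooks for newly accepted sockets; with this default their permission checks are evaluated and logged against the generic socket class, so those protocols are worth tracking and fixing separately rather than leaving them on the fallback.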