Hello Paul, thanks for getting back on this.

The patch follows a recent discussion with Christopher PeBenito on the Reference Policy mailing list. Christopher suggested modifying the actual code. I suppose it provides better insight during code analysis into the type of socket connections being made, and more fine-grained control for the policy designer over the permissions being granted or denied.

For some reason, however, I have seen code using the SOCK_SEQPACKET type and executed immediately after policy load (possibly from the initramfs, before switchroot) showing up in the log files as using an unspecified socket type. I have already explained to Christopher that this patch won't change such behavior...

Guido Trentalancia

On the 20th August 2016 19:17:58 CEST, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
>On Sat, Aug 20, 2016 at 12:18 PM, Guido Trentalancia
><guido@xxxxxxxxxxxxxxxx> wrote:
>> Modify the SELinux kernel code so that it is able to differentiate between
>> a unix_stream_socket and a sequential_packet_socket.
>>
>> A companion patch has been created for the Reference Policy and it will be
>> posted to its mailing list.
>>
>> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
>> ---
>>  security/selinux/hooks.c            | 3 ++-
>>  security/selinux/include/classmap.h | 2 ++
>>  2 files changed, 4 insertions(+), 1 deletion(-)
>
>I'm going to need to hear a better explanation of why we need to make
>this change. What problem does this solve that you can't solve today?
>
>> --- linux-4.7.1-orig/security/selinux/include/classmap.h	2016-08-18 17:39:50.639133429 +0200
>> +++ linux-4.7.1/security/selinux/include/classmap.h	2016-08-18 17:52:25.921420278 +0200
>> @@ -86,6 +86,8 @@ struct security_class_mapping secclass_m
>>  	  { "ingress", "egress", NULL } },
>>  	{ "netlink_socket",
>>  	  { COMMON_SOCK_PERMS, NULL } },
>> +	{ "sequential_packet_socket",
>> +	  { COMMON_SOCK_PERMS, "connectto", NULL } },
>>  	{ "packet_socket",
>>  	  { COMMON_SOCK_PERMS, NULL } },
>>  	{ "key_socket",
>> --- linux-4.7.1-orig/security/selinux/hooks.c	2016-08-18 21:47:32.204199470 +0200
>> +++ linux-4.7.1/security/selinux/hooks.c	2016-08-18 22:52:53.099296513 +0200
>> @@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit
>>  	switch (family) {
>>  	case PF_UNIX:
>>  		switch (type) {
>> -		case SOCK_STREAM:
>>  		case SOCK_SEQPACKET:
>> +			return SECCLASS_SEQUENTIAL_PACKET_SOCKET;
>> +		case SOCK_STREAM:
>>  			return SECCLASS_UNIX_STREAM_SOCKET;
>>  		case SOCK_DGRAM:
>>  			return SECCLASS_UNIX_DGRAM_SOCKET;

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
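Review bot: in the classmap.h hunk, the new class name "sequential_packet_socket" breaks the naming used by its siblings: the two PF_UNIX classes this patch splits it from are "unix_stream_socket" and "unix_dgram_socket" (both visible in the hooks.c hunk), so "unix_seqpacket_socket", placed next to those two entries rather than between "netlink_socket" and "packet_socket", would make it obvious to policy writers that this is a PF_UNIX class. Independently of the name, the commit message should say what Paul asked for: that this class is new to every policy in the field, so a kernel with this patch and a policy without the class will handle every PF_UNIX SOCK_SEQPACKET socket as an undefined class, and the effect depends on the policy's unknown-class handling rather than on the unix_stream_socket rules that applied before.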
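Review bot: the hooks.c hunk changes only the type-to-class mapping, but the hook that enforces "connectto" on PF_UNIX connection-oriented sockets is not in the diff, and the new class now reaches it with a different sclass. The classmap.h hunk defines "connectto" at the same position after COMMON_SOCK_PERMS as it occupies in the existing unix_stream_socket entry, so the permission bit happens to line up; either state that dependency in a comment next to the new class map entry, or make the connect hook pick the permission by class instead of relying on the coincidence. The pre-policy-load sockets mentioned in the reply ("unspecified socket type" in the logs) are untouched by this hunk, which is consistent with what the reply says.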