[PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket)

Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch has been created for the Reference Policy and it will be
posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
 security/selinux/hooks.c            |    5 +++--
 security/selinux/include/classmap.h |    2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

--- linux-4.7.1-orig/security/selinux/hooks.c	2016-08-21 18:20:52.788066467 +0200
+++ linux-4.7.1/security/selinux/hooks.c	2016-08-21 18:23:48.603479911 +0200
@@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		return SECCLASS_ALG_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
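Review bot: the diffstat and the `@@ -1316,6 +1315,8 @@` header do not match what is posted for hooks.c. The stat line shows `5 +++--` for this file and 2 deletions overall, and a new-side start of 1315 against an old-side start of 1316 implies a line was removed earlier in the file, yet this is the only hooks.c hunk shown and it only adds the two `case PF_ALG:` lines. Please regenerate the patch so the stat and offsets describe exactly the change being proposed, or include the missing hunk so it can be reviewed.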
--- linux-4.7.1-orig/security/selinux/include/classmap.h	2016-08-18 17:39:50.639133429 +0200
+++ linux-4.7.1/security/selinux/include/classmap.h	2016-08-21 18:30:00.306088371 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
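Review bot: the `alg_socket` entry is added unconditionally, while the commit message says the Reference Policy change will only be posted after this is merged. On a patched kernel running an existing policy, AF_ALG sockets stop falling through to the generic `SECCLASS_SOCKET` and are checked against a class the loaded policy does not define, so the outcome depends on that policy's handle_unknown setting. Please describe in the commit message what existing AF_ALG users see in that window, and consider whether the switch to the new class should only take effect once the loaded policy declares support for it.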
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.