[PATCH v4] Classify AF_ALG sockets


 



Modify the SELinux kernel code so that it is able to classify sockets with
the new AF_ALG namespace (used for the user-space interface to the kernel
Crypto API).

A companion patch for the Reference Policy has been prepared and will be
posted to the refpolicy mailing list once this patch is merged.

Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
---
 security/selinux/hooks.c            |    5 +++++
 security/selinux/include/classmap.h |    2 ++
 security/selinux/include/security.h |    2 ++
 security/selinux/ss/services.c      |    3 +++
 4 files changed, 12 insertions(+)

diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
--- linux-4.7.2-orig/security/selinux/hooks.c	2016-08-22 22:31:27.737767819 +0200
+++ linux-4.7.2/security/selinux/hooks.c	2016-08-22 22:40:29.102526024 +0200
@@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
 		return SECCLASS_KEY_SOCKET;
 	case PF_APPLETALK:
 		return SECCLASS_APPLETALK_SOCKET;
+	case PF_ALG:
+		if (selinux_policycap_algsocket)
+			return SECCLASS_ALG_SOCKET;
+		else
+			return SECCLASS_SOCKET;
 	}
 
 	return SECCLASS_SOCKET;
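Review bot: The `else return SECCLASS_SOCKET;` on the new PF_ALG case duplicates the function's fall-through `return SECCLASS_SOCKET;` two lines below; `if (selinux_policycap_algsocket) return SECCLASS_ALG_SOCKET; break;` keeps a single fallback. The gating itself is the right shape, since without the capability an AF_ALG socket remains a plain `socket` and existing policies see no new denials, but that intent should be stated on the case, e.g. `/* plain socket class unless the policy opts in via the policycap */`. If further currently-unclassified families are to follow, it is worth deciding now whether one capability covering all newly distinguished socket classes is preferable to one per family, because each family otherwise repeats this enum/extern/global/load sequence. socket_type_to_security_class begins before this hunk.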
diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
--- linux-4.7.2-orig/security/selinux/include/classmap.h	2016-08-22 22:31:27.754768030 +0200
+++ linux-4.7.2/security/selinux/include/classmap.h	2016-08-22 22:32:14.795355585 +0200
@@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
 	  { COMMON_SOCK_PERMS, NULL } },
 	{ "appletalk_socket",
 	  { COMMON_SOCK_PERMS, NULL } },
+	{ "alg_socket",
+	  { COMMON_SOCK_PERMS, NULL } },
 	{ "packet",
 	  { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
 	{ "key",
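Review bot: `alg_socket` carries only COMMON_SOCK_PERMS, so policy can now tell AF_ALG apart from other families but cannot express what is done on the socket: as far as I know the algorithm is selected with bind() and keys are loaded with setsockopt(), which map to the generic `bind` and `setopt` permissions. That is presumably adequate for a first version, but a comment on the entry would save the next reader from looking for an algorithm-level permission, e.g. `/* AF_ALG: generic socket perms only, no per-algorithm control */`.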
diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
--- linux-4.7.2-orig/security/selinux/include/security.h	2016-03-14 05:28:54.000000000 +0100
+++ linux-4.7.2/security/selinux/include/security.h	2016-08-22 22:53:57.911660238 +0200
@@ -75,6 +75,7 @@ enum {
 	POLICYDB_CAPABILITY_OPENPERM,
 	POLICYDB_CAPABILITY_REDHAT1,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
+	POLICYDB_CAPABILITY_ALGSOCKET,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
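Review bot: The position of POLICYDB_CAPABILITY_ALGSOCKET in this enum is its bit index in the binary policy's policycaps bitmap (the services.c hunk reads it with ebitmap_get_bit), so the value 4 and the name the policy compiler assigns to it become part of the kernel/userspace policy format contract. Confirm the same index and name are reserved in libsepol's capability table before this goes in, and check whether the selinuxfs `policycap` directory is generated from a separate name list that also needs the new entry (not visible in this patch). A comment would make the constraint explicit, e.g. `/* bit index in policydb.policycaps; must match libsepol's table */`.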
@@ -82,6 +83,7 @@ enum {
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_alwaysnetwork;
+extern int selinux_policycap_algsocket;
 
 /*
  * type_datum properties
diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
--- linux-4.7.2-orig/security/selinux/ss/services.c	2016-08-05 21:27:22.275588616 +0200
+++ linux-4.7.2/security/selinux/ss/services.c	2016-08-22 22:56:58.616187510 +0200
@@ -73,6 +73,7 @@
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_alwaysnetwork;
+int selinux_policycap_algsocket;
 
 static DEFINE_RWLOCK(policy_rwlock);
 
@@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi
 						  POLICYDB_CAPABILITY_OPENPERM);
 	selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
 						  POLICYDB_CAPABILITY_ALWAYSNETWORK);
+	selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
+						  POLICYDB_CAPABILITY_ALGSOCKET);
 }
 
 static int security_preserve_bools(struct policydb *p);



