On Wed, Jun 07, 2017 at 02:13:57PM -0400, Stephen Smalley wrote:
> On Wed, 2017-06-07 at 19:37 +0200, Dominick Grift wrote:
> > Was it intentional to add icmp_socket class? Because this used to be
> > rawip_socket. rawip_socket includes more than just icmp (IGMP/OSPF)
> > but still I thought that the extended socket classes only applied to
> > what is otherwise generic "socket"
>
> It was intentional, yes, and described in the patch description (for
> both the kernel and refpolicy) and in the inline documentation for the
> policy capability in refpolicy. I chose to address all known gaps in
> our ability to distinguish among sockets at once.
>
> Note btw that icmp_socket is only used for the unprivileged ICMP
> sockets (aka "ping sockets") created via socket(PF_INET, SOCK_DGRAM,
> IPPROTO_ICMP) or socket(PF_INET6, SOCK_DGRAM, IPPROTO_ICMP6).
> rawip_socket is still used for SOCK_RAW ICMP sockets.

Thanks for the answer, I suppose I was unable to connect the dots.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift