* [PATCH] selinux: update netlink socket classes
@ 2015-05-20 15:11 Stephen Smalley
From: Stephen Smalley @ 2015-05-20 15:11 UTC (permalink / raw)
To: selinux; +Cc: Stephen Smalley
Update the set of SELinux netlink socket class definitions to match
the set of netlink protocols implemented by the kernel. The
ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols
was removed in d16cf20e2f2f13411eece7f7fb72c17d141c4a84, so we can remove
the corresponding class definitions as this is dead code. Add new
classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
and NETLINK_CRYPTO so that we can distinguish among sockets created
for each of these protocols. This change does not define the finer-grained
nlmsg_read/write permissions or map specific nlmsg_type values to those
permissions in the SELinux nlmsgtab; if finer-grained control of these
sockets is desired/required, that can be added as a follow-on change.
We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
was removed in 624ae5284516870657505103ada531c64dba2a9a.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
security/selinux/hooks.c | 20 ++++++++++++++++----
security/selinux/include/classmap.h | 22 ++++++++++++++++------
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 7dade28..9ae4a8b 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1188,8 +1188,6 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
switch (protocol) {
case NETLINK_ROUTE:
return SECCLASS_NETLINK_ROUTE_SOCKET;
- case NETLINK_FIREWALL:
- return SECCLASS_NETLINK_FIREWALL_SOCKET;
case NETLINK_SOCK_DIAG:
return SECCLASS_NETLINK_TCPDIAG_SOCKET;
case NETLINK_NFLOG:
@@ -1198,14 +1196,28 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
return SECCLASS_NETLINK_XFRM_SOCKET;
case NETLINK_SELINUX:
return SECCLASS_NETLINK_SELINUX_SOCKET;
+ case NETLINK_ISCSI:
+ return SECCLASS_NETLINK_ISCSI_SOCKET;
case NETLINK_AUDIT:
return SECCLASS_NETLINK_AUDIT_SOCKET;
- case NETLINK_IP6_FW:
- return SECCLASS_NETLINK_IP6FW_SOCKET;
+ case NETLINK_FIB_LOOKUP:
+ return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
+ case NETLINK_CONNECTOR:
+ return SECCLASS_NETLINK_CONNECTOR_SOCKET;
+ case NETLINK_NETFILTER:
+ return SECCLASS_NETLINK_NETFILTER_SOCKET;
case NETLINK_DNRTMSG:
return SECCLASS_NETLINK_DNRT_SOCKET;
case NETLINK_KOBJECT_UEVENT:
return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
+ case NETLINK_GENERIC:
+ return SECCLASS_NETLINK_GENERIC_SOCKET;
+ case NETLINK_SCSITRANSPORT:
+ return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
+ case NETLINK_RDMA:
+ return SECCLASS_NETLINK_RDMA_SOCKET;
+ case NETLINK_CRYPTO:
+ return SECCLASS_NETLINK_CRYPTO_SOCKET;
default:
return SECCLASS_NETLINK_SOCKET;
}
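Review bot: The new cases move NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR, NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA and NETLINK_CRYPTO sockets off the `default: return SECCLASS_NETLINK_SOCKET;` path and onto classes that a policy built before this change does not declare, so access checks on those sockets no longer match a caller's existing netlink_socket rules. Whether that ends in a denial presumably depends on how the loaded policy handles unknown classes rather than on anything in this function, which is worth recording next to the switch, e.g. `/* protocols without a case here fall back to the generic netlink_socket class; a policy must define the specific classes to keep access to them */`. socket_type_to_security_class begins before the hunk.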
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index eccd61b..1d8b924 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -107,9 +107,6 @@ struct security_class_mapping secclass_map[] = {
{ "netlink_route_socket",
{ COMMON_SOCK_PERMS,
"nlmsg_read", "nlmsg_write", NULL } },
- { "netlink_firewall_socket",
- { COMMON_SOCK_PERMS,
- "nlmsg_read", "nlmsg_write", NULL } },
{ "netlink_tcpdiag_socket",
{ COMMON_SOCK_PERMS,
"nlmsg_read", "nlmsg_write", NULL } },
@@ -120,19 +117,32 @@ struct security_class_mapping secclass_map[] = {
"nlmsg_read", "nlmsg_write", NULL } },
{ "netlink_selinux_socket",
{ COMMON_SOCK_PERMS, NULL } },
+ { "netlink_iscsi_socket",
+ { COMMON_SOCK_PERMS, NULL } },
{ "netlink_audit_socket",
{ COMMON_SOCK_PERMS,
"nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
"nlmsg_tty_audit", NULL } },
- { "netlink_ip6fw_socket",
- { COMMON_SOCK_PERMS,
- "nlmsg_read", "nlmsg_write", NULL } },
+ { "netlink_fib_lookup_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_connector_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_netfilter_socket",
+ { COMMON_SOCK_PERMS, NULL } },
{ "netlink_dnrt_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "association",
{ "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
{ "netlink_kobject_uevent_socket",
{ COMMON_SOCK_PERMS, NULL } },
+ { "netlink_generic_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_scsitransport_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_rdma_socket",
+ { COMMON_SOCK_PERMS, NULL } },
+ { "netlink_crypto_socket",
+ { COMMON_SOCK_PERMS, NULL } },
{ "appletalk_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "packet",
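Review bot: The eight new entries here, netlink_iscsi_socket through netlink_crypto_socket, carry only COMMON_SOCK_PERMS, unlike the neighbouring netlink_route_socket and netlink_audit_socket entries that also list nlmsg_read/nlmsg_write, and nothing in the table records that the omission is deliberate. A reader auditing which netlink classes get per-message control will otherwise take the permissions for forgotten, most of all for netlink_netfilter_socket and netlink_generic_socket, which as far as I can tell carry the kind of configuration traffic the deferred follow-on in the commit message would cover. Suggest a one-line comment above the first new entry, `/* no nlmsg_read/nlmsg_write yet: nlmsgtab has no entries for these protocols */`, so the intent survives outside the commit message. secclass_map begins before the hunk and continues after it.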
--
2.1.0
* Re: [PATCH] selinux: update netlink socket classes
From: Paul Moore @ 2015-05-21 15:25 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux
On Wednesday, May 20, 2015 11:11:54 AM Stephen Smalley wrote:
> Update the set of SELinux netlink socket class definitions to match
> the set of netlink protocols implemented by the kernel. The
> ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW
> protocols was removed in d16cf20e2f2f13411eece7f7fb72c17d141c4a84, so we
> can remove the corresponding class definitions as this is dead code. Add
> new classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR,
> NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA,
> and NETLINK_CRYPTO so that we can distinguish among sockets created
> for each of these protocols. This change does not define the finer-grained
> nlsmsg_read/write permissions or map specific nlmsg_type values to those
> permissions in the SELinux nlmsgtab; if finer-grained control of these
> sockets is desired/required, that can be added as a follow-on change.
> We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation
> was removed in 624ae5284516870657505103ada531c64dba2a9a.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
> security/selinux/hooks.c | 20 ++++++++++++++++----
> security/selinux/include/classmap.h | 22 ++++++++++++++++------
> 2 files changed, 32 insertions(+), 10 deletions(-)
Applied, thanks.
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 7dade28..9ae4a8b 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1188,8 +1188,6 @@ static inline u16 socket_type_to_security_class(int
> family, int type, int protoc switch (protocol) {
> case NETLINK_ROUTE:
> return SECCLASS_NETLINK_ROUTE_SOCKET;
> - case NETLINK_FIREWALL:
> - return SECCLASS_NETLINK_FIREWALL_SOCKET;
> case NETLINK_SOCK_DIAG:
> return SECCLASS_NETLINK_TCPDIAG_SOCKET;
> case NETLINK_NFLOG:
> @@ -1198,14 +1196,28 @@ static inline u16 socket_type_to_security_class(int
> family, int type, int protoc return SECCLASS_NETLINK_XFRM_SOCKET;
> case NETLINK_SELINUX:
> return SECCLASS_NETLINK_SELINUX_SOCKET;
> + case NETLINK_ISCSI:
> + return SECCLASS_NETLINK_ISCSI_SOCKET;
> case NETLINK_AUDIT:
> return SECCLASS_NETLINK_AUDIT_SOCKET;
> - case NETLINK_IP6_FW:
> - return SECCLASS_NETLINK_IP6FW_SOCKET;
> + case NETLINK_FIB_LOOKUP:
> + return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
> + case NETLINK_CONNECTOR:
> + return SECCLASS_NETLINK_CONNECTOR_SOCKET;
> + case NETLINK_NETFILTER:
> + return SECCLASS_NETLINK_NETFILTER_SOCKET;
> case NETLINK_DNRTMSG:
> return SECCLASS_NETLINK_DNRT_SOCKET;
> case NETLINK_KOBJECT_UEVENT:
> return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
> + case NETLINK_GENERIC:
> + return SECCLASS_NETLINK_GENERIC_SOCKET;
> + case NETLINK_SCSITRANSPORT:
> + return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
> + case NETLINK_RDMA:
> + return SECCLASS_NETLINK_RDMA_SOCKET;
> + case NETLINK_CRYPTO:
> + return SECCLASS_NETLINK_CRYPTO_SOCKET;
> default:
> return SECCLASS_NETLINK_SOCKET;
> }
> diff --git a/security/selinux/include/classmap.h
> b/security/selinux/include/classmap.h index eccd61b..1d8b924 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -107,9 +107,6 @@ struct security_class_mapping secclass_map[] = {
> { "netlink_route_socket",
> { COMMON_SOCK_PERMS,
> "nlmsg_read", "nlmsg_write", NULL } },
> - { "netlink_firewall_socket",
> - { COMMON_SOCK_PERMS,
> - "nlmsg_read", "nlmsg_write", NULL } },
> { "netlink_tcpdiag_socket",
> { COMMON_SOCK_PERMS,
> "nlmsg_read", "nlmsg_write", NULL } },
> @@ -120,19 +117,32 @@ struct security_class_mapping secclass_map[] = {
> "nlmsg_read", "nlmsg_write", NULL } },
> { "netlink_selinux_socket",
> { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_iscsi_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> { "netlink_audit_socket",
> { COMMON_SOCK_PERMS,
> "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
> "nlmsg_tty_audit", NULL } },
> - { "netlink_ip6fw_socket",
> - { COMMON_SOCK_PERMS,
> - "nlmsg_read", "nlmsg_write", NULL } },
> + { "netlink_fib_lookup_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_connector_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_netfilter_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> { "netlink_dnrt_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "association",
> { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
> { "netlink_kobject_uevent_socket",
> { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_generic_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_scsitransport_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_rdma_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> + { "netlink_crypto_socket",
> + { COMMON_SOCK_PERMS, NULL } },
> { "appletalk_socket",
> { COMMON_SOCK_PERMS, NULL } },
> { "packet",
--
paul moore
www.paul-moore.com