From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u7ML4duv020214 for ; Mon, 22 Aug 2016 17:04:39 -0400 Message-ID: <1471899875.19333.3.camel@trentalancia.net> Subject: [PATCH v4] Classify AF_ALG sockets From: Guido Trentalancia To: Paul Moore Cc: selinux@tycho.nsa.gov Date: Mon, 22 Aug 2016 23:04:35 +0200 In-Reply-To: <1471870947.2354.1.camel@trentalancia.net> References: <1471709886.22998.1.camel@trentalancia.net> <89E5C3EA-9794-4496-A195-1C997A5BBF44@trentalancia.net> <43BE5B4F-9AE4-4EDB-825A-F1C15042B385@trentalancia.net> <1471799849.2544.2.camel@trentalancia.net> <1471870947.2354.1.camel@trentalancia.net> Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API). A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged. Signed-off-by: Guido Trentalancia --- security/selinux/hooks.c | 5 +++++ security/selinux/include/classmap.h | 2 ++ security/selinux/include/security.h | 2 ++ security/selinux/ss/services.c | 3 +++ 4 files changed, 12 insertions(+) diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c --- linux-4.7.2-orig/security/selinux/hooks.c 2016-08-22 22:31:27.737767819 +0200 +++ linux-4.7.2/security/selinux/hooks.c 2016-08-22 22:40:29.102526024 +0200 @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + if (selinux_policycap_algsocket) + return SECCLASS_ALG_SOCKET; + else + return SECCLASS_SOCKET; } return SECCLASS_SOCKET; diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h --- linux-4.7.2-orig/security/selinux/include/classmap.h 2016-08-22 22:31:27.754768030 +0200 +++ linux-4.7.2/security/selinux/include/classmap.h 2016-08-22 22:32:14.795355585 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key", diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h --- linux-4.7.2-orig/security/selinux/include/security.h 2016-03-14 05:28:54.000000000 +0100 +++ linux-4.7.2/security/selinux/include/security.h 2016-08-22 22:53:57.911660238 +0200 @@ -75,6 +75,7 @@ enum { POLICYDB_CAPABILITY_OPENPERM, POLICYDB_CAPABILITY_REDHAT1, POLICYDB_CAPABILITY_ALWAYSNETWORK, + POLICYDB_CAPABILITY_ALGSOCKET, __POLICYDB_CAPABILITY_MAX }; #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) @@ -82,6 +83,7 @@ enum { extern int selinux_policycap_netpeer; extern int selinux_policycap_openperm; extern int selinux_policycap_alwaysnetwork; +extern int selinux_policycap_algsocket; /* * type_datum properties diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c --- linux-4.7.2-orig/security/selinux/ss/services.c 2016-08-05 21:27:22.275588616 +0200 +++ linux-4.7.2/security/selinux/ss/services.c 2016-08-22 22:56:58.616187510 +0200 @@ -73,6 +73,7 @@ int selinux_policycap_netpeer; int selinux_policycap_openperm; int selinux_policycap_alwaysnetwork; +int selinux_policycap_algsocket; static DEFINE_RWLOCK(policy_rwlock); @@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi POLICYDB_CAPABILITY_OPENPERM); selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps, POLICYDB_CAPABILITY_ALWAYSNETWORK); + selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps, + POLICYDB_CAPABILITY_ALGSOCKET); } static int security_preserve_bools(struct policydb *p);