Message ID | 1471870947.2354.1.camel@trentalancia.net (mailing list archive) |
---|---|
State | Superseded |
On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia <guido@trentalancia.net> wrote: > Modify the SELinux kernel code so that it is able to classify sockets with > the new AF_ALG namespace (used for the user-space interface to the kernel > Crypto API). > > A companion patch has been created for the Reference Policy and it will be > posted to its mailing list, once this patch is merged. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > security/selinux/hooks.c | 5 +++-- > security/selinux/include/classmap.h | 2 ++ > 2 files changed, 5 insertions(+), 2 deletions(-) > > --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200 > +++ linux-4.7.1/security/selinux/hooks.c 2016-08-21 18:23:48.603479911 +0200 > @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit > return SECCLASS_KEY_SOCKET; > case PF_APPLETALK: > return SECCLASS_APPLETALK_SOCKET; > + case PF_ALG: > + return SECCLASS_ALG_SOCKET; > } Because this patch changes the object class for existing permission checks you will need to wrap this with a policy capability, see selinux_policycap_netpeer for an example.
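Review bot: the new `case PF_ALG: return SECCLASS_ALG_SOCKET;` branch is unconditional, so it changes the class used by every existing permission check on AF_ALG sockets; today those sockets fall through to `return SECCLASS_SOCKET;` and are checked against the generic `socket` class, and a loaded policy that has no `alg_socket` class or rules would start denying them as soon as this kernel boots. Gate the case on a policy capability (the `selinux_policycap_netpeer` pattern referred to above) so that with the capability off PF_ALG still returns `SECCLASS_SOCKET`, and state that compatibility behaviour in the commit message, which currently says nothing about existing policies.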
Hello Paul. Thanks for providing your feedback. On Mon, 22/08/2016 at 16.17 -0400, Paul Moore wrote: > On Mon, Aug 22, 2016 at 9:02 AM, Guido Trentalancia > <guido@trentalancia.net> wrote: > > > > Modify the SELinux kernel code so that it is able to classify > > sockets with > > the new AF_ALG namespace (used for the user-space interface to the > > kernel > > Crypto API). > > > > A companion patch has been created for the Reference Policy and it > > will be > > posted to its mailing list, once this patch is merged. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > --- > > security/selinux/hooks.c | 5 +++-- > > security/selinux/include/classmap.h | 2 ++ > > 2 files changed, 5 insertions(+), 2 deletions(-) > > > > --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 > > 18:20:52.788066467 +0200 > > +++ linux-4.7.1/security/selinux/hooks.c 2016-08-21 > > 18:23:48.603479911 +0200 > > @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit > > return SECCLASS_KEY_SOCKET; > > case PF_APPLETALK: > > return SECCLASS_APPLETALK_SOCKET; > > + case PF_ALG: > > + return SECCLASS_ALG_SOCKET; > > } > > Because this patch changes the object class for existing permission > checks you will need to wrap this with a policy capability, see > selinux_policycap_netpeer for an example. I have posted a revised version of the patch (v4). By the way, I think libsepol needs to be patched too. And, of course, the Reference Policy (the patch is ready). -- Guido
--- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200 +++ linux-4.7.1/security/selinux/hooks.c 2016-08-21 18:23:48.603479911 +0200 @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + return SECCLASS_ALG_SOCKET; } return SECCLASS_SOCKET; --- linux-4.7.1-orig/security/selinux/include/classmap.h 2016-08-18 17:39:50.639133429 +0200 +++ linux-4.7.1/security/selinux/include/classmap.h 2016-08-21 18:30:00.306088371 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key",
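Review bot: the hooks.c hunk does not match its own diffstat. The header `@@ -1316,6 +1315,8 @@` starts the new side one line earlier than the old side, which implies a deletion earlier in hooks.c, and the stat line `security/selinux/hooks.c | 5 +++--` reports three insertions and two deletions, yet the only hooks.c hunk posted has two `+` lines and no `-` lines. Either the patch was truncated when posted or the stat was produced from a different revision; please resend the complete diff so the removed lines can be reviewed too.

Review bot: the classmap.h hunk adds `{ "alg_socket", { COMMON_SOCK_PERMS, NULL } }` with the same permission set as `appletalk_socket` above it, which is reasonable for a family whose socket is bound to an algorithm name and then accepted to obtain a per-operation socket, but the class is the only policy-visible part of this patch and nothing here or in the commit message names the policy capability that the hooks.c mapping needs to stay compatible with policies lacking this class. Add the capability string alongside the class in the same patch and mention both in the commit message, so that policy writers know when `alg_socket` rules take effect and when `socket` rules still apply.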
Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API). A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- security/selinux/hooks.c | 5 +++-- security/selinux/include/classmap.h | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-)
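The commit message refers to AF_ALG as the user-space interface to the kernel Crypto API; the program below, added here as an illustration and not part of the posted patch or the thread, shows the socket calls that interface consists of and therefore which operations a confined domain would exercise against the new `alg_socket` class once the patch (and a policy using it) is in place. It hashes a buffer with sha256 through an AF_ALG "hash" socket: `socket()` creates the transform socket that `socket_type_to_security_class()` classifies, `bind()` selects the algorithm, `accept()` returns the per-operation socket, and `send()`/`read()` move the data and the digest. The `alg_sha256`, `alg_sha256_hex`, `alg_selfcheck` names and the `ALG_*` return codes are this example's own, not kernel or SELinux identifiers. It assumes a Linux kernel built with CONFIG_CRYPTO_USER_API_HASH and reports `ALG_UNAVAILABLE` rather than failing when the socket cannot be created, bound or accepted because the API is missing or denied.

```c
/* Added example, not part of the posted patch: exercise the AF_ALG
 * user-space interface to the kernel Crypto API, i.e. the socket family
 * that socket_type_to_security_class() would map to alg_socket.
 * Computes SHA-256 of a buffer through an AF_ALG "hash" socket.
 * Assumption: Linux with CONFIG_CRYPTO_USER_API_HASH. Function and enum
 * names are this example's own, not kernel or SELinux identifiers. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

enum { ALG_OK = 0, ALG_UNAVAILABLE = 1, ALG_ERROR = 2 };

/* Distinguish "interface not usable from here" from a real error.
 * EAFNOSUPPORT: no CONFIG_CRYPTO_USER_API; ENOENT: no algif-hash or no
 * such algorithm; EACCES/EPERM: denied by policy or a seccomp filter. */
static int alg_classify_errno(int err)
{
    switch (err) {
    case EAFNOSUPPORT: case ENOENT: case EACCES: case EPERM: case ENOSYS:
        return ALG_UNAVAILABLE;
    default:
        return ALG_ERROR;
    }
}

int alg_sha256(const void *data, size_t len, unsigned char out[32])
{
    struct sockaddr_alg sa;
    int tfm, op, rc;

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *)sa.salg_type, "hash");
    strcpy((char *)sa.salg_name, "sha256");

    /* This socket() call is what socket_type_to_security_class() sees;
     * with the patch it is classified as alg_socket instead of socket. */
    tfm = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (tfm < 0)
        return alg_classify_errno(errno);

    /* bind() selects the algorithm (checked as a bind on the tfm socket). */
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        rc = alg_classify_errno(errno);
        close(tfm);
        return rc;
    }

    /* accept() yields the per-operation socket that carries the data. */
    op = accept(tfm, NULL, NULL);
    if (op < 0) {
        rc = alg_classify_errno(errno);
        close(tfm);
        return rc;
    }

    rc = ALG_ERROR;
    if (send(op, data, len, 0) == (ssize_t)len && read(op, out, 32) == 32)
        rc = ALG_OK;

    close(op);
    close(tfm);
    return rc;
}

/* Hash a C string and render the digest as lowercase hex into hex[65]. */
int alg_sha256_hex(const char *msg, char hex[65])
{
    unsigned char digest[32];
    int rc = alg_sha256(msg, strlen(msg), digest);

    hex[0] = '\0';
    if (rc != ALG_OK)
        return rc;
    for (int i = 0; i < 32; i++)
        sprintf(hex + 2 * i, "%02x", digest[i]);
    return ALG_OK;
}

/* Known-answer check against the FIPS 180 vector SHA-256("abc").
 * Returns 1 if the digest matches, or if AF_ALG is unavailable so there is
 * nothing to compare; returns 0 on a wrong digest or an unexpected error. */
int alg_selfcheck(void)
{
    static const char expect[] =
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
    char hex[65];
    int rc = alg_sha256_hex("abc", hex);

    if (rc == ALG_UNAVAILABLE)
        return 1;
    return rc == ALG_OK && strcmp(hex, expect) == 0;
}

int main(void)
{
    char hex[65];
    int rc = alg_sha256_hex("abc", hex);

    if (rc == ALG_OK)
        printf("sha256(\"abc\") via AF_ALG = %s\n", hex);
    else
        printf("AF_ALG hash socket not usable here (rc=%d)\n", rc);
    return alg_selfcheck() ? 0 : 1;
}
```

Under a policy built for this patch, each step above corresponds to a permission on the `alg_socket` class (the patch gives it `COMMON_SOCK_PERMS`, which include `create`, `bind`, `accept`, `write` and `read`); a denial shows up here as EACCES on the failing call and is reported as `ALG_UNAVAILABLE`, which is the case a caller must handle when running confined on a kernel that has this patch but a policy that has not yet been extended.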