From patchwork Sat Aug 20 16:18:06 2016
X-Patchwork-Submitter: Guido Trentalancia
X-Patchwork-Id: 9291759
Message-ID: <1471709886.22998.1.camel@trentalancia.net>
Subject: [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket
From: Guido Trentalancia
To: selinux@tycho.nsa.gov
Date: Sat, 20 Aug 2016 18:18:06 +0200
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Modify the SELinux kernel code so that it is able to differentiate between a unix_stream_socket and a sequential_packet_socket.

A companion patch has been created for the Reference Policy and it will be posted to its mailing list.
Signed-off-by: Guido Trentalancia --- security/selinux/hooks.c | 3 ++- security/selinux/include/classmap.h | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) --- linux-4.7.1-orig/security/selinux/include/classmap.h 2016-08-18 17:39:50.639133429 +0200 +++ linux-4.7.1/security/selinux/include/classmap.h 2016-08-18 17:52:25.921420278 +0200 @@ -86,6 +86,8 @@ struct security_class_mapping secclass_m { "ingress", "egress", NULL } }, { "netlink_socket", { COMMON_SOCK_PERMS, NULL } }, + { "sequential_packet_socket", + { COMMON_SOCK_PERMS, "connectto", NULL } }, { "packet_socket", { COMMON_SOCK_PERMS, NULL } }, { "key_socket", --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-18 21:47:32.204199470 +0200 +++ linux-4.7.1/security/selinux/hooks.c 2016-08-18 22:52:53.099296513 +0200 @@ -1246,8 +1246,9 @@ static inline u16 socket_type_to_securit switch (family) { case PF_UNIX: switch (type) { - case SOCK_STREAM: case SOCK_SEQPACKET: + return SECCLASS_SEQUENTIAL_PACKET_SOCKET; + case SOCK_STREAM: return SECCLASS_UNIX_STREAM_SOCKET; case SOCK_DGRAM: return SECCLASS_UNIX_DGRAM_SOCKET;
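Review bot: the classmap.h hunk adds a class that no currently loaded policy defines, and neither the hunk nor the commit message says what happens on such a system: with the kernel's dynamic class mapping an undefined class stays unmapped, so every AF_UNIX SOCK_SEQPACKET access is then decided by the policy's handle-unknown setting, which means a policy built with deny-unknown loses all seqpacket unix sockets until the Reference Policy companion patch mentioned in the description has been applied and reloaded. Please spell out that dependency in the commit message. A smaller style point on the same hunk: `{ "sequential_packet_socket", { COMMON_SOCK_PERMS, "connectto", NULL } },` is inserted between `netlink_socket` and `packet_socket` rather than appended after the last entry; the position does not affect policy compatibility, but appending is the usual practice for new classes in this table and keeps the generated SECCLASS_ numbering of existing classes stable.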
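Review bot: the hooks.c hunk changes only `socket_type_to_security_class`, so an AF_UNIX SOCK_SEQPACKET socket now carries `SECCLASS_SEQUENTIAL_PACKET_SOCKET`, yet the diffstat shows no other hooks.c change, although the classmap hunk gives the new class its own `connectto` permission. Any hook that passes a hard-coded `UNIX_STREAM_SOCKET__CONNECTTO` together with the peer socket's `sclass` (the AF_UNIX stream-connect path also serves seqpacket sockets) would now be checking a unix_stream_socket permission constant against a sequential_packet_socket class; that only works because both classes happen to place `connectto` at the same bit after COMMON_SOCK_PERMS. Suggest auditing hooks.c for `UNIX_STREAM_SOCKET__` uses and selecting the permission constant by the socket's class, and mentioning the result in the description.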