From patchwork Sun Aug 21 17:17:29 2016
X-Patchwork-Submitter: Guido Trentalancia
X-Patchwork-Id: 9292619
Message-ID: <1471799849.2544.2.camel@trentalancia.net>
Subject: [PATCH v2] Differentiate between Unix Stream Socket and Sequential Packet Socket
From: Guido Trentalancia
To: Paul Moore
Cc: selinux@tycho.nsa.gov
Date: Sun, 21 Aug 2016 19:17:29 +0200
In-Reply-To:
References: <1471709886.22998.1.camel@trentalancia.net> <89E5C3EA-9794-4496-A195-1C997A5BBF44@trentalancia.net> <43BE5B4F-9AE4-4EDB-825A-F1C15042B385@trentalancia.net>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Modify the SELinux kernel code so that it is able to classify sockets with the new AF_ALG namespace (used for the user-space interface to the kernel Crypto API).

A companion patch has been created for the Reference Policy and it will be posted to its mailing list, once this patch is merged.

Signed-off-by: Guido Trentalancia

--- security/selinux/hooks.c | 5 +++-- security/selinux/include/classmap.h | 2 ++ 2 files changed, 5 insertions(+), 2 deletions(-) --- linux-4.7.1-orig/security/selinux/hooks.c 2016-08-21 18:20:52.788066467 +0200 +++ linux-4.7.1/security/selinux/hooks.c 2016-08-21 18:23:48.603479911 +0200 @@ -1316,6 +1315,8 @@ static inline u16 socket_type_to_securit return SECCLASS_KEY_SOCKET; case PF_APPLETALK: return SECCLASS_APPLETALK_SOCKET; + case PF_ALG: + return SECCLASS_ALG_SOCKET; } return SECCLASS_SOCKET; --- linux-4.7.1-orig/security/selinux/include/classmap.h 2016-08-18 17:39:50.639133429 +0200 +++ linux-4.7.1/security/selinux/include/classmap.h 2016-08-21 18:30:00.306088371 +0200 @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m { COMMON_SOCK_PERMS, NULL } }, { "appletalk_socket", { COMMON_SOCK_PERMS, NULL } }, + { "alg_socket", + { COMMON_SOCK_PERMS, "connectto", NULL } }, { "packet", { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } }, { "key",
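Review bot: the hooks.c hunk does not match the diffstat: the stat line claims 5 insertions and 2 deletions in security/selinux/hooks.c, yet the only hooks.c hunk shown adds the two `case PF_ALG:` / `return SECCLASS_ALG_SOCKET;` lines, and its header `@@ -1316,6 +1315,8 @@` places the new context one line earlier than the old, which implies an earlier change to hooks.c that is missing from what was posted. Please regenerate the patch against a clean tree (git format-patch) so that diffstat, hunk offsets and hunk contents agree. Separately, once PF_ALG sockets are mapped to SECCLASS_ALG_SOCKET instead of falling through to SECCLASS_SOCKET, rules that existing policies wrote against the generic `socket` class no longer apply to AF_ALG users; the commit message should state how such policies are expected to behave until the companion Reference Policy change lands.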
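Review bot: the `"connectto"` permission in the new `alg_socket` entry is never enforced: nothing in this patch adds a hook that checks that permission for SECCLASS_ALG_SOCKET, and the ordinary connect(2) path is already covered by the `connect` permission that COMMON_SOCK_PERMS carries (AF_ALG sockets do not implement connect(2) anyway; userspace binds a sockaddr_alg and then accept()s operation sockets). An unchecked permission only misleads policy writers into granting something that has no effect. Either drop it, so the entry reads `{ "alg_socket", { COMMON_SOCK_PERMS, NULL } },`, or add and document the hook that actually checks it.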