selinux: update netlink socket classes
Update the set of SELinux netlink socket class definitions to match the set of netlink protocols implemented by the kernel. The ip_queue implementation for the NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed in d16cf20e2f, so we can remove the corresponding class definitions as this is dead code. Add new classes for NETLINK_ISCSI, NETLINK_FIB_LOOKUP, NETLINK_CONNECTOR, NETLINK_NETFILTER, NETLINK_GENERIC, NETLINK_SCSITRANSPORT, NETLINK_RDMA, and NETLINK_CRYPTO so that we can distinguish among sockets created for each of these protocols. This change does not define the finer-grained nlmsg_read/write permissions or map specific nlmsg_type values to those permissions in the SELinux nlmsgtab; if finer-grained control of these sockets is desired/required, that can be added as a follow-on change. We do not define a SELinux class for NETLINK_ECRYPTFS as the implementation was removed in 624ae52845.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
parent
9e7c8f8c62
commit
6c6d2e9bde
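--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1188,8 +1188,6 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 switch (protocol) {
 case NETLINK_ROUTE:
 return SECCLASS_NETLINK_ROUTE_SOCKET;
-case NETLINK_FIREWALL:
-return SECCLASS_NETLINK_FIREWALL_SOCKET;
 case NETLINK_SOCK_DIAG:
 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
 case NETLINK_NFLOG:
@@ -1198,14 +1196,28 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 return SECCLASS_NETLINK_XFRM_SOCKET;
 case NETLINK_SELINUX:
 return SECCLASS_NETLINK_SELINUX_SOCKET;
+case NETLINK_ISCSI:
+return SECCLASS_NETLINK_ISCSI_SOCKET;
 case NETLINK_AUDIT:
 return SECCLASS_NETLINK_AUDIT_SOCKET;
-case NETLINK_IP6_FW:
-return SECCLASS_NETLINK_IP6FW_SOCKET;
+case NETLINK_FIB_LOOKUP:
+return SECCLASS_NETLINK_FIB_LOOKUP_SOCKET;
+case NETLINK_CONNECTOR:
+return SECCLASS_NETLINK_CONNECTOR_SOCKET;
+case NETLINK_NETFILTER:
+return SECCLASS_NETLINK_NETFILTER_SOCKET;
 case NETLINK_DNRTMSG:
 return SECCLASS_NETLINK_DNRT_SOCKET;
 case NETLINK_KOBJECT_UEVENT:
 return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
+case NETLINK_GENERIC:
+return SECCLASS_NETLINK_GENERIC_SOCKET;
+case NETLINK_SCSITRANSPORT:
+return SECCLASS_NETLINK_SCSITRANSPORT_SOCKET;
+case NETLINK_RDMA:
+return SECCLASS_NETLINK_RDMA_SOCKET;
+case NETLINK_CRYPTO:
+return SECCLASS_NETLINK_CRYPTO_SOCKET;
 default:
 return SECCLASS_NETLINK_SOCKET;
 }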
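Review bot: The new `case NETLINK_GENERIC:` arm hands every generic-netlink user a single class, netlink_generic_socket, even though this switch keys on the socket protocol only and the actual genl family (nl80211, taskstats, and so on) is, as far as I know, selected per message by the family id rather than at socket creation — so a domain granted create/write on this class can reach every genl family the kernel registers. That is presumably the intended granularity given the description's note that nlmsg-level control is left for a follow-on, but it is the one new class whose name promises more separation than it delivers, so it deserves a comment at the arm: `/* one class for all genl families: the family is chosen per message, not per socket */`. The same coarseness applies to netlink_netfilter_socket, which covers every nfnetlink subsystem. The enclosing socket_type_to_security_class() starts before the first hunk and ends after the second.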
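--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -107,9 +107,6 @@ struct security_class_mapping secclass_map[] = {
 { "netlink_route_socket",
 { COMMON_SOCK_PERMS,
 "nlmsg_read", "nlmsg_write", NULL } },
-{ "netlink_firewall_socket",
-{ COMMON_SOCK_PERMS,
-"nlmsg_read", "nlmsg_write", NULL } },
 { "netlink_tcpdiag_socket",
 { COMMON_SOCK_PERMS,
 "nlmsg_read", "nlmsg_write", NULL } },
@@ -120,19 +117,32 @@ struct security_class_mapping secclass_map[] = {
 "nlmsg_read", "nlmsg_write", NULL } },
 { "netlink_selinux_socket",
 { COMMON_SOCK_PERMS, NULL } },
+{ "netlink_iscsi_socket",
+{ COMMON_SOCK_PERMS, NULL } },
 { "netlink_audit_socket",
 { COMMON_SOCK_PERMS,
 "nlmsg_read", "nlmsg_write", "nlmsg_relay", "nlmsg_readpriv",
 "nlmsg_tty_audit", NULL } },
-{ "netlink_ip6fw_socket",
-{ COMMON_SOCK_PERMS,
-"nlmsg_read", "nlmsg_write", NULL } },
+{ "netlink_fib_lookup_socket",
+{ COMMON_SOCK_PERMS, NULL } },
+{ "netlink_connector_socket",
+{ COMMON_SOCK_PERMS, NULL } },
+{ "netlink_netfilter_socket",
+{ COMMON_SOCK_PERMS, NULL } },
 { "netlink_dnrt_socket",
 { COMMON_SOCK_PERMS, NULL } },
 { "association",
 { "sendto", "recvfrom", "setcontext", "polmatch", NULL } },
 { "netlink_kobject_uevent_socket",
 { COMMON_SOCK_PERMS, NULL } },
+{ "netlink_generic_socket",
+{ COMMON_SOCK_PERMS, NULL } },
+{ "netlink_scsitransport_socket",
+{ COMMON_SOCK_PERMS, NULL } },
+{ "netlink_rdma_socket",
+{ COMMON_SOCK_PERMS, NULL } },
+{ "netlink_crypto_socket",
+{ COMMON_SOCK_PERMS, NULL } },
 { "appletalk_socket",
 { COMMON_SOCK_PERMS, NULL } },
 { "packet",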
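Review bot: The eight new entries silently relabel sockets that deployed policies already have rules for: a NETLINK_GENERIC or NETLINK_CONNECTOR socket that used to fall through to the generic netlink_socket class (the `default:` arm in the hooks.c hunk) now gets netlink_generic_socket or netlink_connector_socket, so a policy that only grants netlink_socket permissions stops matching the moment this kernel boots. If that policy does not define the new class name at all, the decision falls to its handle_unknown setting rather than to any allow rule — deny unless the policy was built to allow unknown classes, as far as I recall — which is a hard-to-diagnose breakage for anything that drives nl80211, uevent-style connector listeners or nfnetlink. Nothing in this header tells a policy maintainer that, so a comment at the first new entry would help, e.g. `/* Sockets for these protocols were classed netlink_socket before this kernel; policies must define the new classes to keep existing access. */`. Each new class carries only COMMON_SOCK_PERMS, consistent with the description's statement that nlmsg_read/nlmsg_write are deferred. The secclass_map[] array starts before the first hunk and ends after the second.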