Message-ID: <1497989063.12069.18.camel@tycho.nsa.gov>
Subject: Re: [PATCH] selinux: Assign proper class to PF_UNIX/SOCK_RAW sockets
From: Stephen Smalley
To: Paul Moore, Luis Ressel
Cc: James Morris, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Date: Tue, 20 Jun 2017 16:04:23 -0400
In-Reply-To:
References: <20170619213348.2970-1-aranea@aixah.de>
Organization: National Security Agency
X-Mailer: Evolution 3.22.6 (3.22.6-2.fc25)
List-ID: linux-kernel@vger.kernel.org

On Tue, 2017-06-20 at 15:49 -0400, Paul Moore wrote:
> On Mon, Jun 19, 2017 at 5:33 PM, Luis Ressel wrote:
> > For PF_UNIX, SOCK_RAW is synonymous with SOCK_DGRAM (cf.
> > net/unix/af_unix.c). This is a tad obscure, but libpcap uses it.
> >
> > Signed-off-by: Luis Ressel
> > Acked-by: Stephen Smalley
> > ---
> >  security/selinux/hooks.c | 1 +
> >  1 file changed, 1 insertion(+)
>
> My only concern is what effect this will have on existing policy.
> Prior to this patch PF_UNIX/SOCK_RAW will result in the generic
> "socket" class where after this patch it will result in the
> "unix_dgram_socket".  I believe this is the right change, but it
> seems like this should be wrapped by a policy capability, yes?

I doubt it is worth a policy capability. Permission to create/use
socket tends to be far rarer than permission to create/use
unix_dgram_socket; looks like we never allow the former without the
latter in Fedora, for example.

> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> > index 819fd6858b49..1a331fba4a3c 100644
> > --- a/security/selinux/hooks.c
> > +++ b/security/selinux/hooks.c
> > @@ -1275,6 +1275,7 @@ static inline u16
> > socket_type_to_security_class(int family, int type, int protoc
> >                 case SOCK_SEQPACKET:
> >                         return SECCLASS_UNIX_STREAM_SOCKET;
> >                 case SOCK_DGRAM:
> > +               case SOCK_RAW:
> >                         return SECCLASS_UNIX_DGRAM_SOCKET;
> >                 }
> >                 break;
> > --
> > 2.13.1
> >
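Review bot: the new `case SOCK_RAW:` in the PF_UNIX branch carries no comment, and the commit message itself calls the aliasing "a tad obscure", so a reader of socket_type_to_security_class() has no way to tell from the hunk that net/unix/af_unix.c rewrites SOCK_RAW to SOCK_DGRAM rather than this being a copy-and-paste slip. Suggest a one-line comment above the new case, e.g. `/* af_unix treats SOCK_RAW as SOCK_DGRAM */`, and a sentence in the commit message saying that these sockets previously fell through to the generic "socket" class (the point Paul raises above), so that policy authors reading the log know which class's permissions now govern them.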
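The premise of the patch, that af_unix treats SOCK_RAW as SOCK_DGRAM, can be checked from user space without SELinux at all. The following is an added example written for this page, not code from the patch, the kernel or libpcap: it creates PF_UNIX sockets of both types and compares what the kernel reports back through SO_TYPE, then sends a datagram from a socket created as SOCK_RAW to a receiver created as SOCK_DGRAM. It assumes a Linux kernel (the abstract socket namespace it binds in is Linux-only); on other systems socket(PF_UNIX, SOCK_RAW, 0) may simply fail.

```c
/* Added example for this page (not code from the patch, the kernel or
 * libpcap): confirm from user space that Linux treats PF_UNIX/SOCK_RAW
 * exactly like PF_UNIX/SOCK_DGRAM. net/unix/af_unix.c rewrites sock->type
 * to SOCK_DGRAM before the socket is set up, so SO_TYPE reports SOCK_DGRAM
 * and the socket exchanges datagrams. Assumes Linux. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Create a PF_UNIX socket of the requested type and return the type the
 * kernel reports through SO_TYPE, or -1 on failure (errno is preserved). */
int unix_socket_reported_type(int requested_type)
{
    int fd = socket(PF_UNIX, requested_type, 0);
    if (fd < 0)
        return -1;
    int actual = -1;
    socklen_t len = sizeof(actual);
    int rc = getsockopt(fd, SOL_SOCKET, SO_TYPE, &actual, &len);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : actual;
}

/* Send one datagram from a socket created as SOCK_RAW to a receiver created
 * as SOCK_DGRAM. The receiver is bound in the abstract namespace under a
 * constructed, pid-derived name so no filesystem node is left behind.
 * Returns 1 if the message arrives intact, 0 otherwise. */
int unix_raw_sends_to_dgram(void)
{
    static const char msg[] = "constructed test datagram";
    char buf[sizeof(msg)] = {0};
    struct sockaddr_un addr;
    socklen_t alen;
    int n, ok = 0;

    int rx = socket(PF_UNIX, SOCK_DGRAM, 0);
    int tx = socket(PF_UNIX, SOCK_RAW, 0);
    if (rx < 0 || tx < 0)
        goto out;

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    /* leading NUL in sun_path selects the Linux abstract namespace */
    n = snprintf(addr.sun_path + 1, sizeof(addr.sun_path) - 1,
                 "sockraw-demo-%ld", (long)getpid());
    alen = offsetof(struct sockaddr_un, sun_path) + 1 + n;
    if (bind(rx, (struct sockaddr *)&addr, alen) < 0)
        goto out;

    if (sendto(tx, msg, sizeof(msg), 0, (struct sockaddr *)&addr, alen)
            != (ssize_t)sizeof(msg))
        goto out;
    ssize_t got = recv(rx, buf, sizeof(buf), 0);
    ok = got == (ssize_t)sizeof(msg) && memcmp(buf, msg, sizeof(msg)) == 0;
out:
    if (rx >= 0)
        close(rx);
    if (tx >= 0)
        close(tx);
    return ok;
}

int main(void)
{
    int raw = unix_socket_reported_type(SOCK_RAW);
    int dgram = unix_socket_reported_type(SOCK_DGRAM);
    if (raw < 0 || dgram < 0) {
        perror("socket/getsockopt");
        return 1;
    }
    printf("PF_UNIX/SOCK_RAW   -> SO_TYPE %d (SOCK_DGRAM is %d)\n", raw, SOCK_DGRAM);
    printf("PF_UNIX/SOCK_DGRAM -> SO_TYPE %d\n", dgram);
    printf("SOCK_RAW sender to SOCK_DGRAM receiver: %s\n",
           unix_raw_sends_to_dgram() ? "datagram delivered" : "failed");
    return raw == SOCK_DGRAM ? 0 : 2;
}
```

Because the kernel has already rewritten the type by the time the socket exists, a policy author never sees "raw" anywhere: with the patch applied, a denial for such a socket is logged against unix_dgram_socket, which is the class the libpcap-using domain must already be allowed to create and use.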