path: root/security/selinux/ss/mls.c
diff options
authorHarry Ciao <qingtao.cao@windriver.com>2011-03-02 13:32:33 +0800
committerEric Paris <eparis@redhat.com>2011-03-03 15:19:43 -0500
commit6f5317e730505d5cbc851c435a2dfe3d5a21d343 (patch)
tree02088cf519a00db5c6fbdb2cc8776402413eb662 /security/selinux/ss/mls.c
parentSELinux: Auto-generate security_is_socket_class (diff)
SELinux: Socket retains creator role and MLS attribute
The socket SID would be computed on creation and no longer inherit its creator's SID by default. Socket may have a different type but needs to retain the creator's role and MLS attribute in order not to break labeled networking and network access control. The kernel value for a class would be used to determine if the class if one of socket classes. If security_compute_sid is called from userspace the policy value for a class would be mapped to the relevant kernel value first. Signed-off-by: Harry Ciao <qingtao.cao@windriver.com> Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'security/selinux/ss/mls.c')
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/ss/mls.c b/security/selinux/ss/mls.c
index 1ef8e4e89880..e96174216bc9 100644
--- a/security/selinux/ss/mls.c
+++ b/security/selinux/ss/mls.c
@@ -512,7 +512,8 @@ int mls_compute_sid(struct context *scontext,
struct context *tcontext,
u16 tclass,
u32 specified,
- struct context *newcontext)
+ struct context *newcontext,
+ bool sock)
struct range_trans rtr;
struct mls_range *r;
@@ -531,7 +532,7 @@ int mls_compute_sid(struct context *scontext,
return mls_range_set(newcontext, r);
/* Fallthrough */
- if (tclass == policydb.process_class)
+ if ((tclass == policydb.process_class) || (sock == true))
/* Use the process MLS attributes. */
return mls_context_cpy(newcontext, scontext);