selinux: handle ICMPv6 consistently with ICMP

Message ID 1481233436-18410-1-git-send-email-sds@tycho.nsa.gov (mailing list archive)
State Accepted

Commit Message

Stephen Smalley Dec. 8, 2016, 9:43 p.m. UTC
commit 79c8b348f215 ("selinux: support distinctions among all network
address families") mapped datagram ICMP sockets to the new icmp_socket
security class, but left ICMPv6 sockets unchanged.  This change fixes
that oversight to handle both kinds of sockets consistently.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 security/selinux/hooks.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Paul Moore Dec. 9, 2016, 11:54 p.m. UTC | #1
On Thu, Dec 8, 2016 at 4:43 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> commit 79c8b348f215 ("selinux: support distinctions among all network
> address families") mapped datagram ICMP sockets to the new icmp_socket
> security class, but left ICMPv6 sockets unchanged.  This change fixes
> that oversight to handle both kinds of sockets consistently.
>
> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
> ---
>  security/selinux/hooks.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Merged, thanks for fixing this.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 8a90a0b..b508a5a 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1295,7 +1295,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
>                 case SOCK_DGRAM:
>                         if (default_protocol_dgram(protocol))
>                                 return SECCLASS_UDP_SOCKET;
> -                       else if (extsockclass && protocol == IPPROTO_ICMP)
> +                       else if (extsockclass && (protocol == IPPROTO_ICMP ||
> +                                                 protocol == IPPROTO_ICMPV6))
>                                 return SECCLASS_ICMP_SOCKET;
>                         else
>                                 return SECCLASS_RAWIP_SOCKET;
> --
> 2.7.4
>
Patch

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 8a90a0b..b508a5a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1295,7 +1295,8 @@  static inline u16 socket_type_to_security_class(int family, int type, int protoc
 		case SOCK_DGRAM:
 			if (default_protocol_dgram(protocol))
 				return SECCLASS_UDP_SOCKET;
-			else if (extsockclass && protocol == IPPROTO_ICMP)
+			else if (extsockclass && (protocol == IPPROTO_ICMP ||
+						  protocol == IPPROTO_ICMPV6))
 				return SECCLASS_ICMP_SOCKET;
 			else
 				return SECCLASS_RAWIP_SOCKET;
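Review bot: the widened condition in the `SOCK_DGRAM` case keys only on `protocol` and ignores the `family` argument that `socket_type_to_security_class()` receives, so unless the enclosing switch already separates PF_INET from PF_INET6 an AF_INET datagram socket requesting IPPROTO_ICMPV6 (or AF_INET6 with IPPROTO_ICMP) is also classed as `icmp_socket` rather than falling through to `rawip_socket`. If the mapping is meant to be per-family, the check could read `(family == PF_INET && protocol == IPPROTO_ICMP) || (family == PF_INET6 && protocol == IPPROTO_ICMPV6)`; if the looser match is intended, a one-line comment saying so would save the next reader the question. The commit message should also mention that this classification is gated on `extsockclass`, so policies without the extended socket classes see no behaviour change.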