kernel-ark/security
Eric Paris 42c3e03ef6 [PATCH] SELinux: Add sockcreate node to procattr API
Below is a patch to add a new /proc/self/attr/sockcreate A process may write a
context into this interface and all subsequent sockets created will be labeled
with that context.  This is the same idea as the fscreate interface where a
process can specify the label of a file about to be created.  At this time one
envisioned user of this will be xinetd.  It will be able to better label
sockets for the actual services.  At this time all sockets take the label of
the creating process, so all xinitd sockets would just be labeled the same.

I tested this by creating a tcp sender and listener.  The sender was able to
write to this new proc file and then create sockets with the specified label.
I am able to be sure the new label was used since the avc denial messages
kicked out by the kernel included both the new security permission
setsockcreate and all the socket denials were for the new label, not the label
of the running process.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 09:58:26 -07:00
..
keys [PATCH] keys: restrict contents of /proc/keys to Viewable keys 2006-06-26 09:58:18 -07:00
selinux [PATCH] SELinux: Add sockcreate node to procattr API 2006-06-26 09:58:26 -07:00
capability.c
commoncap.c
dummy.c
inode.c
Kconfig [PATCH] keys: restrict contents of /proc/keys to Viewable keys 2006-06-26 09:58:18 -07:00
Makefile
root_plug.c
seclvl.c
security.c