diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-07-10 17:19:57 -0400 |
|---|---|---|
| committer | Paul Moore <pmoore@redhat.com> | 2015-07-13 13:31:59 -0400 |
| commit | 5dee25d08eac01472904b0ab32ce35edee5c0518 (patch) | |
| tree | 41dc3bcb96fa1ceaf73de869ffdf8d2d30e8a3b9 /security | |
| parent | 9629d04ae06812f217846b69728c969afee690b4 (diff) | |
| download | op-kernel-dev-5dee25d08eac01472904b0ab32ce35edee5c0518.zip op-kernel-dev-5dee25d08eac01472904b0ab32ce35edee5c0518.tar.gz | |
selinux: initialize sock security class to default value
Initialize the security class of sock security structures
to the generic socket class. This is similar to what is
already done in inode_alloc_security for files. Generally
the sclass field will later by set by socket_post_create
or sk_clone or sock_graft, but for protocol implementations
that fail to call any of these for newly accepted sockets,
we want some sane default that will yield a legitimate
avc denied message with non-garbage values for class and
permission.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/hooks.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4de09f0..ef310f8 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4559,6 +4559,7 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; + sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); sk->sk_security = sksec; |
