From 47ac19ea429aee561f66e9cd05b908e8ffbc498a Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Fri, 25 Feb 2011 15:39:20 -0500
Subject: selinux: drop unused packet flow permissions
These permissions are not used and can be dropped in the kernel
definitions.
Suggested-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
---
security/selinux/include/classmap.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'security/selinux/include/classmap.h')
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 7ed3663332ec..4227e5fa7861 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -132,8 +132,7 @@ struct security_class_mapping secclass_map[] = {
{ "appletalk_socket",
{ COMMON_SOCK_PERMS, NULL } },
{ "packet",
- { "send", "recv", "relabelto", "flow_in", "flow_out",
- "forward_in", "forward_out", NULL } },
+ { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
{ "key",
{ "view", "read", "write", "search", "link", "setattr", "create",
NULL } },
--
cgit v1.2.3
From 4bc6c2d5d8386800fde23a8e78cd4f04a0ade0ad Mon Sep 17 00:00:00 2001
From: Harry Ciao <qingtao.cao@windriver.com>
Date: Wed, 2 Mar 2011 13:46:08 +0800
Subject: SELinux: Auto-generate security_is_socket_class
The security_is_socket_class() is auto-generated by genheaders based
on classmap.h to reduce maintenance effort when a new class is defined
in SELinux kernel. The name for any socket class should be suffixed by
"socket" and doesn't contain more than one substr of "socket".
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
---
scripts/selinux/genheaders/genheaders.c | 20 ++++++++++++++++++++
security/selinux/include/classmap.h | 4 ++++
2 files changed, 24 insertions(+)
(limited to 'security/selinux/include/classmap.h')
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 58a12c278706..539855ff31f9 100644
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -43,6 +43,8 @@ int main(int argc, char *argv[])
int i, j, k;
int isids_len;
FILE *fout;
+ const char *needle = "SOCKET";
+ char *substr;
progname = argv[0];
@@ -88,6 +90,24 @@ int main(int argc, char *argv[])
fprintf(fout, "%2d\n", i);
}
fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+ fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
+ fprintf(fout, "{\n");
+ fprintf(fout, "\tbool sock = false;\n\n");
+ fprintf(fout, "\tswitch (kern_tclass) {\n");
+ for (i = 0; secclass_map[i].name; i++) {
+ struct security_class_mapping *map = &secclass_map[i];
+ substr = strstr(map->name, needle);
+ if (substr && strcmp(substr, needle) == 0)
+ fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
+ }
+ fprintf(fout, "\t\tsock = true;\n");
+ fprintf(fout, "\t\tbreak;\n");
+ fprintf(fout, "\tdefault:\n");
+ fprintf(fout, "\t\tbreak;\n");
+ fprintf(fout, "\t}\n\n");
+ fprintf(fout, "\treturn sock;\n");
+ fprintf(fout, "}\n");
+
fprintf(fout, "\n#endif\n");
fclose(fout);
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 4227e5fa7861..b8c53723e09b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,6 +12,10 @@
#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
"write", "associate", "unix_read", "unix_write"
+/*
+ * Note: The name for any socket class should be suffixed by "socket",
+ * and doesn't contain more than one substr of "socket".
+ */
struct security_class_mapping secclass_map[] = {
{ "security",
{ "compute_av", "compute_create", "compute_member",
--
cgit v1.2.3