[SELinux]: Add support for DCCP

This patch implements SELinux kernel support for DCCP (http://linux-net.osdl.org/index.php/DCCP), which is similar in operation to TCP in terms of connected state between peers. The SELinux support for DCCP is thus modeled on existing handling of TCP. A new DCCP socket class is introduced, to allow protocol differentation. The permissions for this class inherit all of the socket permissions, as well as the current TCP permissions (node_bind, name_bind etc). IPv4 and IPv6 are supported, although labeled networking is not, at this stage. Patches for SELinux userspace are at: http://people.redhat.com/jmorris/selinux/dccp/user/ I've performed some basic testing, and it seems to be working as expected. Adding policy support is similar to TCP, the only real difference being that it's a different protocol. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: James Morris <jmorris@namei.org> 2006-11-13 19:09:01 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:22:24 -0500
commit: 2ee92d46c6cabedd50edf6f273fa8cf84f707618 (patch)
tree: bdf7c64514a5063ba4ef41915f9efb6f803fc38a /security/selinux/include/av_permissions.h
parent: 90833aa4f496d69ca374af6acef7d1614c8693ff (diff)
1 files changed, 32 insertions, 0 deletions
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index 81f4f526c8b1..2de4b5fe3aa1 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -312,6 +312,8 @@
 #define NODE__RAWIP_RECV                          0x00000010UL
 #define NODE__RAWIP_SEND                          0x00000020UL
 #define NODE__ENFORCE_DEST                        0x00000040UL
+#define NODE__DCCP_RECV                           0x00000080UL
+#define NODE__DCCP_SEND                           0x00000100UL
 #define NETIF__TCP_RECV                           0x00000001UL
 #define NETIF__TCP_SEND                           0x00000002UL
@@ -319,6 +321,8 @@
 #define NETIF__UDP_SEND                           0x00000008UL
 #define NETIF__RAWIP_RECV                         0x00000010UL
 #define NETIF__RAWIP_SEND                         0x00000020UL
+#define NETIF__DCCP_RECV                          0x00000040UL
+#define NETIF__DCCP_SEND                          0x00000080UL
 #define NETLINK_SOCKET__IOCTL                     0x00000001UL
 #define NETLINK_SOCKET__READ                      0x00000002UL
@@ -970,3 +974,31 @@
 #define KEY__LINK                                 0x00000010UL
 #define KEY__SETATTR                              0x00000020UL
 #define KEY__CREATE                               0x00000040UL
+#define CONTEXT__TRANSLATE                        0x00000001UL
+#define CONTEXT__CONTAINS                         0x00000002UL
+#define DCCP_SOCKET__IOCTL                        0x00000001UL
+#define DCCP_SOCKET__READ                         0x00000002UL
+#define DCCP_SOCKET__WRITE                        0x00000004UL
+#define DCCP_SOCKET__CREATE                       0x00000008UL
+#define DCCP_SOCKET__GETATTR                      0x00000010UL
+#define DCCP_SOCKET__SETATTR                      0x00000020UL
+#define DCCP_SOCKET__LOCK                         0x00000040UL
+#define DCCP_SOCKET__RELABELFROM                  0x00000080UL
+#define DCCP_SOCKET__RELABELTO                    0x00000100UL
+#define DCCP_SOCKET__APPEND                       0x00000200UL
+#define DCCP_SOCKET__BIND                         0x00000400UL
+#define DCCP_SOCKET__CONNECT                      0x00000800UL
+#define DCCP_SOCKET__LISTEN                       0x00001000UL
+#define DCCP_SOCKET__ACCEPT                       0x00002000UL
+#define DCCP_SOCKET__GETOPT                       0x00004000UL
+#define DCCP_SOCKET__SETOPT                       0x00008000UL
+#define DCCP_SOCKET__SHUTDOWN                     0x00010000UL
+#define DCCP_SOCKET__RECVFROM                     0x00020000UL
+#define DCCP_SOCKET__SENDTO                       0x00040000UL
+#define DCCP_SOCKET__RECV_MSG                     0x00080000UL
+#define DCCP_SOCKET__SEND_MSG                     0x00100000UL
+#define DCCP_SOCKET__NAME_BIND                    0x00200000UL
+#define DCCP_SOCKET__NODE_BIND                    0x00400000UL
+#define DCCP_SOCKET__NAME_CONNECT                 0x00800000UL
author	James Morris <jmorris@namei.org>	2006-11-13 19:09:01 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:22:24 -0500
commit	2ee92d46c6cabedd50edf6f273fa8cf84f707618 (patch)
tree	bdf7c64514a5063ba4ef41915f9efb6f803fc38a /security/selinux/include/av_permissions.h
parent	90833aa4f496d69ca374af6acef7d1614c8693ff (diff)

diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 81f4f526c8b1..2de4b5fe3aa1 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h
@@ -312,6 +312,8 @@
312	#define NODE__RAWIP_RECV 0x00000010UL	312	#define NODE__RAWIP_RECV 0x00000010UL
313	#define NODE__RAWIP_SEND 0x00000020UL	313	#define NODE__RAWIP_SEND 0x00000020UL
314	#define NODE__ENFORCE_DEST 0x00000040UL	314	#define NODE__ENFORCE_DEST 0x00000040UL
		315	#define NODE__DCCP_RECV 0x00000080UL
		316	#define NODE__DCCP_SEND 0x00000100UL
315		317
316	#define NETIF__TCP_RECV 0x00000001UL	318	#define NETIF__TCP_RECV 0x00000001UL
317	#define NETIF__TCP_SEND 0x00000002UL	319	#define NETIF__TCP_SEND 0x00000002UL
@@ -319,6 +321,8 @@
319	#define NETIF__UDP_SEND 0x00000008UL	321	#define NETIF__UDP_SEND 0x00000008UL
320	#define NETIF__RAWIP_RECV 0x00000010UL	322	#define NETIF__RAWIP_RECV 0x00000010UL
321	#define NETIF__RAWIP_SEND 0x00000020UL	323	#define NETIF__RAWIP_SEND 0x00000020UL
		324	#define NETIF__DCCP_RECV 0x00000040UL
		325	#define NETIF__DCCP_SEND 0x00000080UL
322		326
323	#define NETLINK_SOCKET__IOCTL 0x00000001UL	327	#define NETLINK_SOCKET__IOCTL 0x00000001UL
324	#define NETLINK_SOCKET__READ 0x00000002UL	328	#define NETLINK_SOCKET__READ 0x00000002UL
@@ -970,3 +974,31 @@
970	#define KEY__LINK 0x00000010UL	974	#define KEY__LINK 0x00000010UL
971	#define KEY__SETATTR 0x00000020UL	975	#define KEY__SETATTR 0x00000020UL
972	#define KEY__CREATE 0x00000040UL	976	#define KEY__CREATE 0x00000040UL
		977
		978	#define CONTEXT__TRANSLATE 0x00000001UL
		979	#define CONTEXT__CONTAINS 0x00000002UL
		980
		981	#define DCCP_SOCKET__IOCTL 0x00000001UL
		982	#define DCCP_SOCKET__READ 0x00000002UL
		983	#define DCCP_SOCKET__WRITE 0x00000004UL
		984	#define DCCP_SOCKET__CREATE 0x00000008UL
		985	#define DCCP_SOCKET__GETATTR 0x00000010UL
		986	#define DCCP_SOCKET__SETATTR 0x00000020UL
		987	#define DCCP_SOCKET__LOCK 0x00000040UL
		988	#define DCCP_SOCKET__RELABELFROM 0x00000080UL
		989	#define DCCP_SOCKET__RELABELTO 0x00000100UL
		990	#define DCCP_SOCKET__APPEND 0x00000200UL
		991	#define DCCP_SOCKET__BIND 0x00000400UL
		992	#define DCCP_SOCKET__CONNECT 0x00000800UL
		993	#define DCCP_SOCKET__LISTEN 0x00001000UL
		994	#define DCCP_SOCKET__ACCEPT 0x00002000UL
		995	#define DCCP_SOCKET__GETOPT 0x00004000UL
		996	#define DCCP_SOCKET__SETOPT 0x00008000UL
		997	#define DCCP_SOCKET__SHUTDOWN 0x00010000UL
		998	#define DCCP_SOCKET__RECVFROM 0x00020000UL
		999	#define DCCP_SOCKET__SENDTO 0x00040000UL
		1000	#define DCCP_SOCKET__RECV_MSG 0x00080000UL
		1001	#define DCCP_SOCKET__SEND_MSG 0x00100000UL
		1002	#define DCCP_SOCKET__NAME_BIND 0x00200000UL
		1003	#define DCCP_SOCKET__NODE_BIND 0x00400000UL
		1004	#define DCCP_SOCKET__NAME_CONNECT 0x00800000UL