2 files changed, 24 insertions, 0 deletions
diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c
index 58a12c278706..539855ff31f9 100644
--- a/scripts/selinux/genheaders/genheaders.c
+++ b/scripts/selinux/genheaders/genheaders.c
@@ -43,6 +43,8 @@ int main(int argc, char *argv[])
        int i, j, k;
        int isids_len;
        FILE *fout;
+        const char *needle = "SOCKET";
+        char *substr;
        progname = argv[0];
@@ -88,6 +90,24 @@ int main(int argc, char *argv[])
                fprintf(fout, "%2d\n", i);
        }
        fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
+        fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
+        fprintf(fout, "{\n");
+        fprintf(fout, "\tbool sock = false;\n\n");
+        fprintf(fout, "\tswitch (kern_tclass) {\n");
+        for (i = 0; secclass_map[i].name; i++) {
+                struct security_class_mapping *map = &secclass_map[i];
+                substr = strstr(map->name, needle);
+                if (substr && strcmp(substr, needle) == 0)
+                        fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
+        }
+        fprintf(fout, "\t\tsock = true;\n");
+        fprintf(fout, "\t\tbreak;\n");
+        fprintf(fout, "\tdefault:\n");
+        fprintf(fout, "\t\tbreak;\n");
+        fprintf(fout, "\t}\n\n");
+        fprintf(fout, "\treturn sock;\n");
+        fprintf(fout, "}\n");
        fprintf(fout, "\n#endif\n");
        fclose(fout);
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 4227e5fa7861..b8c53723e09b 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -12,6 +12,10 @@
 #define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
            "write", "associate", "unix_read", "unix_write"
+/*
+ * Note: The name for any socket class should be suffixed by "socket",
+ *       and doesn't contain more than one substr of "socket".
+ */
 struct security_class_mapping secclass_map[] = {
        { "security",
          { "compute_av", "compute_create", "compute_member",

diff --git a/scripts/selinux/genheaders/genheaders.c b/scripts/selinux/genheaders/genheaders.c index 58a12c278706..539855ff31f9 100644 --- a/scripts/selinux/genheaders/genheaders.c +++ b/scripts/selinux/genheaders/genheaders.c
@@ -43,6 +43,8 @@ int main(int argc, char *argv[])
43	int i, j, k;	43	int i, j, k;
44	int isids_len;	44	int isids_len;
45	FILE *fout;	45	FILE *fout;
		46	const char *needle = "SOCKET";
		47	char *substr;
46		48
47	progname = argv[0];	49	progname = argv[0];
48		50
@@ -88,6 +90,24 @@ int main(int argc, char *argv[])
88	fprintf(fout, "%2d\n", i);	90	fprintf(fout, "%2d\n", i);
89	}	91	}
90	fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);	92	fprintf(fout, "\n#define SECINITSID_NUM %d\n", i-1);
		93	fprintf(fout, "\nstatic inline bool security_is_socket_class(u16 kern_tclass)\n");
		94	fprintf(fout, "{\n");
		95	fprintf(fout, "\tbool sock = false;\n\n");
		96	fprintf(fout, "\tswitch (kern_tclass) {\n");
		97	for (i = 0; secclass_map[i].name; i++) {
		98	struct security_class_mapping *map = &secclass_map[i];
		99	substr = strstr(map->name, needle);
		100	if (substr && strcmp(substr, needle) == 0)
		101	fprintf(fout, "\tcase SECCLASS_%s:\n", map->name);
		102	}
		103	fprintf(fout, "\t\tsock = true;\n");
		104	fprintf(fout, "\t\tbreak;\n");
		105	fprintf(fout, "\tdefault:\n");
		106	fprintf(fout, "\t\tbreak;\n");
		107	fprintf(fout, "\t}\n\n");
		108	fprintf(fout, "\treturn sock;\n");
		109	fprintf(fout, "}\n");
		110
91	fprintf(fout, "\n#endif\n");	111	fprintf(fout, "\n#endif\n");
92	fclose(fout);	112	fclose(fout);
93		113


diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h index 4227e5fa7861..b8c53723e09b 100644 --- a/security/selinux/include/classmap.h +++ b/security/selinux/include/classmap.h
@@ -12,6 +12,10 @@
12	#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \	12	#define COMMON_IPC_PERMS "create", "destroy", "getattr", "setattr", "read", \
13	"write", "associate", "unix_read", "unix_write"	13	"write", "associate", "unix_read", "unix_write"
14		14
		15	/*
		16	* Note: The name for any socket class should be suffixed by "socket",
		17	* and doesn't contain more than one substr of "socket".
		18	*/
15	struct security_class_mapping secclass_map[] = {	19	struct security_class_mapping secclass_map[] = {
16	{ "security",	20	{ "security",
17	{ "compute_av", "compute_create", "compute_member",	21	{ "compute_av", "compute_create", "compute_member",