diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2015-07-11 00:19:57 +0300 |
---|---|---|
committer | Paul Moore <pmoore@redhat.com> | 2015-07-13 20:31:59 +0300 |
commit | 5dee25d08eac01472904b0ab32ce35edee5c0518 (patch) | |
tree | 41dc3bcb96fa1ceaf73de869ffdf8d2d30e8a3b9 | |
parent | 9629d04ae06812f217846b69728c969afee690b4 (diff) | |
download | linux-5dee25d08eac01472904b0ab32ce35edee5c0518.tar.xz |
selinux: initialize sock security class to default value
Initialize the security class of sock security structures
to the generic socket class. This is similar to what is
already done in inode_alloc_security for files. Generally
the sclass field will later by set by socket_post_create
or sk_clone or sock_graft, but for protocol implementations
that fail to call any of these for newly accepted sockets,
we want some sane default that will yield a legitimate
avc denied message with non-garbage values for class and
permission.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <pmoore@redhat.com>
-rw-r--r-- | security/selinux/hooks.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 4de09f0227b4..ef310f82717d 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4559,6 +4559,7 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority sksec->peer_sid = SECINITSID_UNLABELED; sksec->sid = SECINITSID_UNLABELED; + sksec->sclass = SECCLASS_SOCKET; selinux_netlbl_sk_security_reset(sksec); sk->sk_security = sksec; |