Commit 5dee25d0 authored by Stephen Smalley's avatar Stephen Smalley Committed by Paul Moore
Browse files

selinux: initialize sock security class to default value 



Initialize the security class of sock security structures
to the generic socket class.  This is similar to what is
already done in inode_alloc_security for files.  Generally
the sclass field will later by set by socket_post_create
or sk_clone or sock_graft, but for protocol implementations
that fail to call any of these for newly accepted sockets,
we want some sane default that will yield a legitimate
avc denied message with non-garbage values for class and
permission.

Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarPaul Moore <pmoore@redhat.com>
parent 9629d04a

security/selinux/hooks.c

+1 −0
Original line number Diff line number Diff line
@@ -4559,6 +4559,7 @@ static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority 


	sksec->peer_sid = SECINITSID_UNLABELED;

	sksec->sid = SECINITSID_UNLABELED;

	sksec->sclass = SECCLASS_SOCKET;

	selinux_netlbl_sk_security_reset(sksec);

	sk->sk_security = sksec;

CRA Git | Maintained and supported by SUSTech CRA and CCSE