Add key_socket class to socket_class_set macro. Allow system to trigger...

Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev.

Add key_socket class to socket_class_set macro. Allow system to trigger...
Add key_socket class to socket_class_set macro. Allow system to trigger module auto-loading and to write to sockets created under /dev.
60e4f114 · Stephen Smalley · 965f2ff1 · 60e4f114 · 60e4f114
Commit 60e4f114 authored 12 years ago by Stephen Smalley
--- a/global_macros
+++ b/global_macros
@@ -8,7 +8,7 @@ define(`file_class_set', `{ file lnk_file sock_file fifo_file chr_file blk_file
 define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
 define(`devfile_class_set', `{ chr_file blk_file }')

-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
 define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
 define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
 define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')

--- a/system.te
+++ b/system.te
@@ -72,6 +72,9 @@ bluetooth_domain(system)
 # XXX See if we can remove some of these.
 allow system self:capability { kill net_bind_service net_broadcast net_admin net_raw sys_module sys_boot sys_nice sys_resource sys_time sys_tty_config };

+# Trigger module auto-load.
+allow system kernel:system module_request;
+
 # Use netlink uevent sockets.
 allow system self:netlink_kobject_uevent_socket *;

@@ -133,6 +136,7 @@ allow system sysfs_nfc_power_writable:file rw_file_perms;
 # Access devices.
 allow system device:dir r_dir_perms;
 allow system device:chr_file rw_file_perms;
+allow system device:sock_file rw_file_perms;
 allow system akm_device:chr_file rw_file_perms;
 allow system accelerometer_device:chr_file rw_file_perms;
 allow system alarm_device:chr_file rw_file_perms;