
Re: selinux_socket_bind hook



On Thu, 2005-04-28 at 12:32 -0400, Steve Brueckner wrote:
> In trying to segment networking into two domains I seem to have overlooked
> that name_bind doesn't get enforced for ports within the machine's local
> port range (i.e. ports assigned by the kernel).  I suppose I could try to
> hack the LSM selinux_socket_bind hook to enforce name_bind for all ports;
> would that be possible?  I'd rather not, though, since I've never ventured
> deeper than SELinux policy, and delving into the mechanism scares me.  Is it
> possible to somehow implement a boolean that would toggle whether name_bind
> was enforced for all ports or just for ports outside the local port range?

That hook is only applied for explicit bind(2) calls by applications.
Auto-binding of unbound sockets by the kernel (e.g. when sending on an
unbound socket) will never hit that hook at all.  You would need to
modify udp_v4_get_port and tcp_v4_get_port to check permission and keep
scanning for another available port until one is allowed.  Not likely to
make much headway upstream.

-- 
Stephen Smalley <sds tycho nsa gov>
National Security Agency
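As an added illustration of the distinction made in this thread (not code from either poster): the helper below classifies a port by whether an explicit bind(2) to it would reach the name_bind check, and the demo sends on an unbound UDP socket so the kernel picks the source port itself, the path that never enters selinux_socket_bind. The 1024 privileged-port floor comes from the hook's own condition rather than from this thread; the fallback range is an assumed common default.

```python
# Added example: model which bind(2) calls reach the SELinux name_bind check,
# and show kernel auto-binding, which bypasses selinux_socket_bind entirely.
import socket

PROT_SOCK = 1024                     # privileged-port floor used by the hook
DEFAULT_RANGE = (32768, 60999)       # assumed default if /proc is unreadable


def parse_local_port_range(text):
    """Parse the contents of /proc/sys/net/ipv4/ip_local_port_range ("low\thigh")."""
    low, high = (int(x) for x in text.split())
    if not (0 < low <= high <= 65535):
        raise ValueError("invalid ip_local_port_range: %r" % text)
    return low, high


def read_local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the kernel's local (ephemeral) port range, falling back to DEFAULT_RANGE."""
    try:
        with open(path) as f:
            return parse_local_port_range(f.read())
    except OSError:
        return DEFAULT_RANGE


def name_bind_checked(port, port_range):
    """True if an explicit bind(2) to `port` is subject to name_bind.

    Port 0 means "kernel, pick one" and is never checked; ports inside the
    local port range (above the privileged floor) are also skipped, which is
    exactly the gap the original poster ran into.
    """
    low, high = port_range
    if port == 0:
        return False
    return port < max(PROT_SOCK, low) or port > high


def kernel_autobind_port():
    """Send on an unbound UDP socket: no bind(2) is ever called, so the kernel
    assigns a source port from the local range via udp_v4_get_port, and the
    selinux_socket_bind hook is not consulted at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.sendto(b"x", ("127.0.0.1", 9))   # loopback discard port, constructed target
        return s.getsockname()[1]          # port chosen by the kernel, not by us
    finally:
        s.close()


if __name__ == "__main__":
    rng = read_local_port_range()
    print("local port range:", rng)
    for p in (80, 8080, rng[0], 0):
        print("port %5d: name_bind checked = %s" % (p, name_bind_checked(p, rng)))
    print("kernel auto-assigned port:", kernel_autobind_port())
```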

