| 1 |
commit: d698ea3073a464e1fb241721bdb254f42bf68346 |
| 2 |
Author: Stephen Smalley <sds <AT> tycho <DOT> nsa <DOT> gov> |
| 3 |
AuthorDate: Thu Jan 12 15:42:28 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Jan 23 12:55:22 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d698ea30 |
| 7 |
|
| 8 |
refpolicy: drop unused socket security classes |
| 9 |
|
| 10 |
A few of the socket classes added by commit 09ebf2b59a7255 ("refpolicy: |
| 11 |
Define extended_socket_class policy capability and socket classes") are |
| 12 |
never used because sockets can never be created with the associated |
| 13 |
address family. Remove these unused socket security classes. |
| 14 |
The removed classes are bridge_socket for PF_BRIDGE, ib_socket for PF_IB, |
| 15 |
and mpls_socket for PF_MPLS. |
| 16 |
|
| 17 |
Signed-off-by: Stephen Smalley <sds <AT> tycho.nsa.gov> |
| 18 |
|
| 19 |
policy/flask/access_vectors | 9 --------- |
| 20 |
policy/flask/security_classes | 3 --- |
| 21 |
policy/policy_capabilities | 3 --- |
| 22 |
policy/support/obj_perm_sets.spt | 2 +- |
| 23 |
4 files changed, 1 insertion(+), 16 deletions(-) |
| 24 |
|
| 25 |
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors |
| 26 |
index ffe6ca0..69f69af 100644 |
| 27 |
--- a/policy/flask/access_vectors |
| 28 |
+++ b/policy/flask/access_vectors |
| 29 |
@@ -990,9 +990,6 @@ inherits socket |
| 30 |
class netrom_socket |
| 31 |
inherits socket |
| 32 |
|
| 33 |
-class bridge_socket |
| 34 |
-inherits socket |
| 35 |
- |
| 36 |
class atmpvc_socket |
| 37 |
inherits socket |
| 38 |
|
| 39 |
@@ -1020,12 +1017,6 @@ inherits socket |
| 40 |
class llc_socket |
| 41 |
inherits socket |
| 42 |
|
| 43 |
-class ib_socket |
| 44 |
-inherits socket |
| 45 |
- |
| 46 |
-class mpls_socket |
| 47 |
-inherits socket |
| 48 |
- |
| 49 |
class can_socket |
| 50 |
inherits socket |
| 51 |
|
| 52 |
|
| 53 |
diff --git a/policy/flask/security_classes b/policy/flask/security_classes |
| 54 |
index be94e9a..18f18fd 100644 |
| 55 |
--- a/policy/flask/security_classes |
| 56 |
+++ b/policy/flask/security_classes |
| 57 |
@@ -159,7 +159,6 @@ class icmp_socket |
| 58 |
class ax25_socket |
| 59 |
class ipx_socket |
| 60 |
class netrom_socket |
| 61 |
-class bridge_socket |
| 62 |
class atmpvc_socket |
| 63 |
class x25_socket |
| 64 |
class rose_socket |
| 65 |
@@ -169,8 +168,6 @@ class rds_socket |
| 66 |
class irda_socket |
| 67 |
class pppox_socket |
| 68 |
class llc_socket |
| 69 |
-class ib_socket |
| 70 |
-class mpls_socket |
| 71 |
class can_socket |
| 72 |
class tipc_socket |
| 73 |
class bluetooth_socket |
| 74 |
|
| 75 |
diff --git a/policy/policy_capabilities b/policy/policy_capabilities |
| 76 |
index 103420e..39e3930 100644 |
| 77 |
--- a/policy/policy_capabilities |
| 78 |
+++ b/policy/policy_capabilities |
| 79 |
@@ -54,7 +54,6 @@ policycap open_perms; |
| 80 |
# ax25_socket |
| 81 |
# ipx_socket |
| 82 |
# netrom_socket |
| 83 |
-# bridge_socket |
| 84 |
# atmpvc_socket |
| 85 |
# x25_socket |
| 86 |
# rose_socket |
| 87 |
@@ -64,8 +63,6 @@ policycap open_perms; |
| 88 |
# irda_socket |
| 89 |
# pppox_socket |
| 90 |
# llc_socket |
| 91 |
-# ib_socket |
| 92 |
-# mpls_socket |
| 93 |
# can_socket |
| 94 |
# tipc_socket |
| 95 |
# bluetooth_socket |
| 96 |
|
| 97 |
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt |
| 98 |
index 2b746b6..df50b44 100644 |
| 99 |
--- a/policy/support/obj_perm_sets.spt |
| 100 |
+++ b/policy/support/obj_perm_sets.spt |
| 101 |
@@ -34,7 +34,7 @@ define(`devfile_class_set', `{ blk_file chr_file }') |
| 102 |
# |
| 103 |
# All socket classes. |
| 104 |
# |
| 105 |
-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket bridge_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket ib_socket mpls_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}') |
| 106 |
+define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket}') |
| 107 |
|
| 108 |
# |
| 109 |
# Datagram socket classes. |
Archives