summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2017-01-09 16:07:31 +0100
committerPaul Moore <paul@paul-moore.com>2017-01-09 16:07:31 +0100
commitef37979a2cfa3905adbf0c2a681ce16c0aaea92d (patch)
tree0616c8df6684b739648d9b4e38eab11ec7b1c1fd /security
parentselinux: add security in-core xattr support for tracefs (diff)
downloadlinux-ef37979a2cfa3905adbf0c2a681ce16c0aaea92d.tar.xz
linux-ef37979a2cfa3905adbf0c2a681ce16c0aaea92d.zip
selinux: handle ICMPv6 consistently with ICMP
commit 79c8b348f215 ("selinux: support distinctions among all network address families") mapped datagram ICMP sockets to the new icmp_socket security class, but left ICMPv6 sockets unchanged. This change fixes that oversight to handle both kinds of sockets consistently. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 5ce633aabce6..e4b953f760dd 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1295,7 +1295,8 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
case SOCK_DGRAM:
if (default_protocol_dgram(protocol))
return SECCLASS_UDP_SOCKET;
- else if (extsockclass && protocol == IPPROTO_ICMP)
+ else if (extsockclass && (protocol == IPPROTO_ICMP ||
+ protocol == IPPROTO_ICMPV6))
return SECCLASS_ICMP_SOCKET;
else
return SECCLASS_RAWIP_SOCKET;