
List:       seandroid-list
Subject:    Re: Context for abstract namespace socket
From:       Stephen Smalley <sds () tycho ! nsa ! gov>
Date:       2015-02-24 22:13:52
Message-ID: 54ECF7A0.5030205 () tycho ! nsa ! gov

On 02/24/2015 05:02 PM, Tai Nguyen (tainguye) wrote:
> What is the default context for abstract namespace socket (e.g.
> @socketname)? And how do we check?

In the case of a local socket in the abstract namespace, there is only
one kernel object, the socket, which is labeled with the creating
process' security context, unless the application was instrumented to
call setsockcreatecon() prior to creating the socket (and is allowed by
policy to set its sockcreate context and to create a socket with another
context).

In comparison, with a local socket in the file namespace, there are two
kernel objects, the socket and the socket file, where the socket is
likewise labeled with the creating process' security context but the
file is labeled in the usual manner, typically inheriting from the
parent directory or following a type_transition rule if defined.  So the
socket objects are always labeled consistently; it is merely a question
of whether this is an associated file object or not.

_______________________________________________
Seandroid-list mailing list
Seandroid-list@tycho.nsa.gov
To unsubscribe, send email to Seandroid-list-leave@tycho.nsa.gov.
To get help, send an email containing "help" to Seandroid-list-request@tycho.nsa.gov.