Stephen Smalley wrote:
On Thu, 2005-04-28 at 12:32 -0400, Steve Brueckner wrote:
> In trying to segment networking into two domains I seem to have
> overlooked that name_bind doesn't get enforced for ports within the
> machine's local port range (i.e. ports assigned by the kernel). I
> suppose I could try to hack the LSM selinux_socket_bind hook to
> enforce name_bind for all ports; would that be possible? I'd rather
> not, though, since I've never ventured deeper than SELinux policy,
> and delving into the mechanism scares me. Is it possible to somehow
> implement a boolean that would toggle whether name_bind was enforced
> for all ports or just for ports outside the local port range?
That hook is only applied for explicit bind(2) calls by applications.
Auto-binding of unbound sockets by the kernel (e.g. when sending on
an unbound socket) will never hit that hook at all. You would need
to modify udp_v4_get_port and tcp_v4_get_port to check permission and
keep scanning for another available port until one is allowed. Not
likely to make much headway upstream.
Darn. But thank you for the clarification.
- Steve Brueckner, ATC-NY
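The distinction in the reply above (the LSM bind hook only sees explicit bind(2) calls, while a send on an unbound socket makes the kernel pick a port itself) can be observed from user space. The script below is an added illustration and is not code from the thread or from SELinux; it sends one UDP datagram to the loopback discard port without ever calling bind(2), then reads back the source port the kernel assigned, and classifies each port against the kernel's local port range as the hook would. The fallback range (32768-60999) is assumed for hosts without /proc and is the kernel default, not a value from the thread; the helper `name_bind_would_be_checked` is a hypothetical name that encodes only what the two messages state.

```python
import socket

# Fallback only when /proc/sys/net/ipv4/ip_local_port_range is unavailable.
# These are the Linux kernel's default values (an assumption, not from the thread).
DEFAULT_LOCAL_PORT_RANGE = (32768, 60999)


def local_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Return (low, high) of the kernel's ephemeral/local port range."""
    try:
        with open(path) as f:
            low, high = f.read().split()
            return int(low), int(high)
    except (OSError, ValueError):
        return DEFAULT_LOCAL_PORT_RANGE


def in_local_port_range(port, rng=None):
    low, high = rng or local_port_range()
    return low <= port <= high


def autobound_udp_port():
    """Send on an unbound UDP socket. The kernel assigns the source port via
    its auto-bind path (no bind(2) call is made), so the selinux_socket_bind
    hook, and with it any name_bind check, is never invoked."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed target: loopback, UDP discard port. Nothing needs to listen.
        s.sendto(b"probe", ("127.0.0.1", 9))
        return s.getsockname()[1]
    finally:
        s.close()


def explicitly_bound_udp_port(port=0):
    """bind(2) is the only path that reaches selinux_socket_bind. With port 0
    the kernel still picks a port from the local range, which the thread notes
    is exactly the case where name_bind is not enforced."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind(("127.0.0.1", port))
        return s.getsockname()[1]
    finally:
        s.close()


def name_bind_would_be_checked(explicit_bind, port, rng=None):
    """Hypothetical classifier encoding the thread's two statements:
    - no explicit bind(2)  -> hook not reached, name_bind not checked
    - explicit bind to a port inside the local range (or 0) -> not checked
    - explicit bind to a port outside the local range -> name_bind checked"""
    if not explicit_bind:
        return False
    if port == 0 or in_local_port_range(port, rng):
        return False
    return True


if __name__ == "__main__":
    low, high = local_port_range()
    auto = autobound_udp_port()
    bound = explicitly_bound_udp_port()
    print(f"local port range: {low}-{high}")
    print(f"auto-bound port {auto}: name_bind checked? "
          f"{name_bind_would_be_checked(False, auto)}")
    print(f"bind(2) port 0 -> {bound}: name_bind checked? "
          f"{name_bind_would_be_checked(True, bound)}")
    print(f"bind(2) port 8080: name_bind checked? "
          f"{name_bind_would_be_checked(True, 8080)}")
```

Running it on a Linux host shows both the auto-bound and the bind(0) sockets landing inside the range reported by /proc, which is why a policy that only writes name_bind rules cannot separate two domains' kernel-assigned ports: the auto-bind case never consults the policy at all.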