From: Stephen Smalley <sds@tycho.nsa.gov>
To: Rongqing Li <rongqing.li@windriver.com>
Cc: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
Eric Paris <eparis@parisplace.org>,
"Christopher J. PeBenito" <cpebenito@tresys.com>
Subject: Re: "netstat -Z" reimplementation
Date: Wed, 27 Jul 2011 08:09:25 -0400 [thread overview]
Message-ID: <1311768565.23346.11.camel@moss-pluto> (raw)
In-Reply-To: <4E2FDA3A.5040408@windriver.com>
On Wed, 2011-07-27 at 17:28 +0800, Rongqing Li wrote:
> SELinux folks, Stephen:
>
> I have some thoughts about reimplementation of 'netstat -Z', but I do
> not know if it is valuable, or if there are other risks. Could you
> evaluate my implementation, or give me your valuable advice?
>
> 1. From kernel, print the socket labels to tcp, udp, raw, unix
> files under /proc/net/.
>
> Now the /proc/net/tcp /proc/net/udp ... include many socket's
> information, like local address, remote address, inode, I think we can
> put the socket's security context to these files.
>
> To avoid to expose these information to non-privileged users, security
> checking should be done when expose the socket security context to procfs.
We can already control the ability to read /proc/net files by labeling
them via genfscon statements and then writing policy accordingly. Do we
think exposing the (raw) security context is any more of a concern than
the rest of the information in the file?
Can we add a field to those files without breaking compatibility with
existing userspace?
> 2. reimplementation the "netstat -Z", "netstat -Z" will first parse the
> security context from procfs's tcp, udp, raw files, and get the security
> context, if this step fails, "netstat -Z" will try as legacy method.
It should only fall back to the legacy method if the context is not
present in the file; if there is any other reason for failure (e.g.
permission denied to /proc/net/tcp), then we presumably want netstat -Z
to fail rather than report a possibly incorrect result.
> If this implementation could be accepted by mainstream, netstat could
> print the correct socket label even if the type_transition has been
> happen on socket, or application changes socket labels by setting
> /proc/self/attr/sockcreate.
>
>
> Do you think it is valuable?
Yes, I think it would be useful.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-07-27 12:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-07-27 9:28 "netstat -Z" reimplementation Rongqing Li
2011-07-27 10:51 ` Martin Christian
2011-07-27 12:09 ` Stephen Smalley [this message]
2011-07-27 12:19 ` Daniel J Walsh
2011-07-27 13:37 ` Eric Paris
2011-07-27 13:40 ` Stephen Smalley
2011-07-28 3:00 ` Rongqing Li
2011-07-28 2:58 ` Rongqing Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1311768565.23346.11.camel@moss-pluto \
--to=sds@tycho.nsa.gov \
--cc=cpebenito@tresys.com \
--cc=eparis@parisplace.org \
--cc=rongqing.li@windriver.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.