From: Stephen Smalley <sds@tycho.nsa.gov>
To: rongqing.li@windriver.com
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/2] Add a netlink attribute INET_DIAG_SECCTX
Date: Wed, 31 Aug 2011 08:08:30 -0400
Message-ID: <1314792510.6850.7.camel@moss-pluto>
In-Reply-To: <1314779777-12669-3-git-send-email-rongqing.li@windriver.com>
On Wed, 2011-08-31 at 16:36 +0800, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
>
> Add a new netlink attribute INET_DIAG_SECCTX to dump the security
> context of TCP sockets.
>
> The element sk_security of struct sock represents the socket
> security context ID, which is inherited from the parent process
> when the socket is created.
>
> But when an SELinux type_transition rule is applied to a socket, or an
> application sets /proc/xxx/attr/createsock, the socket security
> context would be different from that of the creating process. Under these
> conditions, "netstat -Z" will return a wrong value, since
> "netstat -Z" only returns the process security context as the socket's
> security context.
>
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
> include/linux/inet_diag.h | 3 ++-
> net/ipv4/inet_diag.c | 38 +++++++++++++++++++++++++++++++++-----
> 2 files changed, 35 insertions(+), 6 deletions(-)
> diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
> index 389a2e6..1faf752 100644
> --- a/net/ipv4/inet_diag.c
> +++ b/net/ipv4/inet_diag.c
> @@ -34,6 +34,8 @@
>
> #include <linux/inet_diag.h>
>
> +#define MAX_SECCTX_LEN 128
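Review bot: the hunk introduces a fixed cap, `#define MAX_SECCTX_LEN 128`, but the quoted lines do not show how it is enforced, so it is not visible whether a context longer than the cap is truncated, rejected, or left out when the attribute is filled; each of those silently misreports exactly the socket label this attribute is meant to expose, and SELinux contexts carrying MLS ranges and category sets can exceed 128 bytes. Suggest dropping the constant and sizing the attribute (and the netlink message space reserved for it) from the length returned by the security_sk_getsecctx hook that patch 1/2 defines, releasing the context with the matching release call afterwards.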
We don't impose such a (low) limit on other interfaces for reporting
security contexts. Can you just size the buffer appropriately for the
actual secctx length?
--
Stephen Smalley
National Security Agency
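To make the sizing point concrete, here is an added userspace C example, not code from the patch or from this reply, modelling a netlink attribute that carries a security context sized from the actual string length rather than a fixed 128-byte cap. It assumes a hypothetical attribute type number EXAMPLE_DIAG_SECCTX, and the nlattr layout and alignment macros are defined locally to mirror the kernel's netlink conventions so the file builds without kernel headers; the long MLS-style context is constructed for illustration and is not a valid context under any particular policy.

```c
/* Added example: size a netlink attribute from the real secctx length.
 * Not from the patch under review; nlattr layout mirrors <linux/netlink.h>. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define FIXED_SECCTX_CAP 128      /* the cap proposed by the patch hunk */
#define EXAMPLE_DIAG_SECCTX 99    /* hypothetical attribute type number */

/* Bytes needed for the attribute carrying ctx (NUL included), rounded
 * up to the 4-byte netlink alignment. */
size_t secctx_attr_size(const char *ctx)
{
    return NLA_ALIGN(NLA_HDRLEN + strlen(ctx) + 1);
}

/* Returns 1 if ctx plus its NUL would not fit in the fixed buffer. */
int exceeds_fixed_cap(const char *ctx)
{
    return strlen(ctx) + 1 > FIXED_SECCTX_CAP;
}

/* Allocate and fill the attribute from the actual length. Caller frees.
 * Returns NULL if the length cannot be encoded in the 16-bit nla_len. */
struct nlattr *pack_secctx(const char *ctx)
{
    size_t payload = strlen(ctx) + 1;
    if (NLA_HDRLEN + payload > UINT16_MAX)
        return NULL;
    struct nlattr *nla = calloc(1, secctx_attr_size(ctx)); /* zeroed padding */
    if (!nla)
        return NULL;
    nla->nla_len = (uint16_t)(NLA_HDRLEN + payload);
    nla->nla_type = EXAMPLE_DIAG_SECCTX;
    memcpy((char *)nla + NLA_HDRLEN, ctx, payload);
    return nla;
}

/* Read the context back, validating the header against the buffer size
 * before trusting nla_len, and requiring a NUL inside the payload. */
const char *unpack_secctx(const struct nlattr *nla, size_t buflen)
{
    if (buflen < (size_t)NLA_HDRLEN || nla->nla_len < NLA_HDRLEN ||
        nla->nla_len > buflen || nla->nla_type != EXAMPLE_DIAG_SECCTX)
        return NULL;
    const char *ctx = (const char *)nla + NLA_HDRLEN;
    size_t len = nla->nla_len - NLA_HDRLEN;
    if (len == 0 || memchr(ctx, '\0', len) == NULL)
        return NULL;
    return ctx;
}

/* Constructed MLS-style context with many category ranges: 149 bytes,
 * well over the 128-byte cap. Illustrative only, not a real policy label. */
const char *long_ctx(void)
{
    return "system_u:system_r:sshd_t:s0-s15:c0.c1023,c1024.c2047,c2048.c3071,"
           "c3072.c4095,c4096.c5119,c5120.c6143,c6144.c7167,c7168.c8191,"
           "c8192.c9215,c9216.c10239";
}

int main(void)
{
    const char *ctx = long_ctx();
    printf("len=%zu exceeds_cap=%d attr_size=%zu\n",
           strlen(ctx), exceeds_fixed_cap(ctx), secctx_attr_size(ctx));
    struct nlattr *nla = pack_secctx(ctx);
    const char *back = nla ? unpack_secctx(nla, secctx_attr_size(ctx)) : NULL;
    printf("roundtrip=%s\n", back && strcmp(back, ctx) == 0 ? "ok" : "FAIL");
    free(nla);
    return 0;
}
```

The receiver side matters as much as the sender: because the attribute length is now variable, the consumer must bound nla_len by the bytes actually received and check for a terminating NUL before treating the payload as a string, which is what unpack_secctx does.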