* [PATCH 0/1] NetLabel changes from yesterday's discussion
From: paul.moore @ 2006-10-05 22:28 UTC
To: netdev, selinux; +Cc: jmorris
In case you missed it (har har) there was a pretty good discussion about
labeled networking yesterday. One of the results of the discussion was the
realization that the way NetLabel determines what to use for the SELinux TE
portion of the packet's label was not the best choice. This patch should
address the issue.
This patch does not rely on the secid patches currently in progress and should
be considered a bugfix against the current net-2.6 tree.
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: paul.moore @ 2006-10-05 22:28 UTC
To: netdev, selinux; +Cc: jmorris, Paul Moore
This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
SELinux type information when generating a NetLabel context.
Signed-off-by: Paul Moore <paul.moore@hp.com>
---
security/selinux/ss/services.c | 29 +++++++++--------------------
1 files changed, 9 insertions(+), 20 deletions(-)
Index: net-2.6_bugfix/security/selinux/ss/services.c
===================================================================
--- net-2.6_bugfix.orig/security/selinux/ss/services.c
+++ net-2.6_bugfix/security/selinux/ss/services.c
@@ -2336,7 +2336,7 @@ static int selinux_netlbl_secattr_to_sid
selinux_netlbl_cache_add(skb, &ctx_new);
ebitmap_destroy(&ctx_new.range.level[0].cat);
} else {
- *sid = SECINITSID_UNLABELED;
+ *sid = SECSID_NULL;
rc = 0;
}
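Review bot: changing the no-label sentinel in the else branch from SECINITSID_UNLABELED to SECSID_NULL while still setting rc = 0 means a caller can no longer tell "no label present" from a successful mapping by the return code alone; it has to compare the SID. The later hunks in this patch update the callers shown here, but any other caller of selinux_netlbl_secattr_to_sid (or of the selinux_netlbl_skbuff_getsid wrapper used below) that still compares against SECINITSID_UNLABELED would now treat SECSID_NULL as a valid label, so please grep the rest of the tree before merging. A one-line comment above `*sid = SECSID_NULL;` stating that SECSID_NULL means "no NetLabel attribute on the packet" would also help future readers.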
@@ -2519,7 +2519,7 @@ void selinux_netlbl_sock_graft(struct so
if (netlbl_sock_getattr(sk, &secattr) == 0 &&
selinux_netlbl_secattr_to_sid(NULL,
&secattr,
- sksec->sid,
+ SECINITSID_UNLABELED,
&nlbl_peer_sid) == 0)
sksec->peer_sid = nlbl_peer_sid;
netlbl_secattr_destroy(&secattr);
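Review bot: the base SID passed to selinux_netlbl_secattr_to_sid moves from the local socket's `sksec->sid` to the fixed `SECINITSID_UNLABELED`, which is the change the cover letter alludes to, but neither the commit message nor the code says why the socket's own SID was the wrong choice for the TE portion of the peer label. Please expand the commit message (which currently also misspells the constant as SECINITSID_UNLABLELED) so the rationale survives in the git history; a short comment at this call site would help as well.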
@@ -2552,9 +2552,6 @@ u32 selinux_netlbl_inet_conn_request(str
if (rc != 0)
return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
return peer_sid;
}
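Review bot: dropping the `peer_sid == SECINITSID_UNLABELED` check here is only correct because the first hunk now yields SECSID_NULL for the no-label case; the context above this hunk shows the rc handling but not which function fills in peer_sid, so please confirm it is routed through selinux_netlbl_secattr_to_sid and not some other path that can still produce SECINITSID_UNLABELED. Otherwise an unlabeled connection request would now be handed back with the unlabeled SID instead of SECSID_NULL.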
@@ -2616,11 +2613,13 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 netlbl_sid;
u32 recv_perm;
- rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid);
+ rc = selinux_netlbl_skbuff_getsid(skb,
+ SECINITSID_UNLABELED,
+ &netlbl_sid);
if (rc != 0)
return rc;
- if (netlbl_sid == SECINITSID_UNLABELED)
+ if (netlbl_sid == SECSID_NULL)
return 0;
switch (sksec->sclass) {
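Review bot: this hunk replaces a different base SID than the others, SECINITSID_NETMSG rather than the socket's SID, and the commit message does not mention it; please state in the message that the netmsg initial SID is also being retired as the TE source for received packets so the two cases are not confused later. The `netlbl_sid == SECSID_NULL` early return preserves the existing behaviour that unlabeled packets skip the receive permission check, which is fine, but a brief comment there would make that intent explicit.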
@@ -2658,10 +2657,6 @@ int selinux_netlbl_sock_rcv_skb(struct s
u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock)
{
struct sk_security_struct *sksec = sock->sk->sk_security;
-
- if (sksec->peer_sid == SECINITSID_UNLABELED)
- return SECSID_NULL;
-
return sksec->peer_sid;
}
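Review bot: removing the SECINITSID_UNLABELED guard means whatever is stored in `sksec->peer_sid` is now returned to the getpeersec caller unchanged. Within this patch peer_sid is assigned only in selinux_netlbl_sock_graft from the mapping that now yields SECSID_NULL, but if peer_sid is initialised to SECINITSID_UNLABELED anywhere else in the socket security struct's lifecycle, that value will now be exposed through getpeersec_stream; please verify the initialiser or keep the check as a defensive measure.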
@@ -2677,16 +2672,10 @@ u32 selinux_netlbl_socket_getpeersec_str
u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb)
{
int peer_sid;
- struct sock *sk = skb->sk;
- struct inode_security_struct *isec;
-
- if (sk == NULL || sk->sk_socket == NULL)
- return SECSID_NULL;
- isec = SOCK_INODE(sk->sk_socket)->i_security;
- if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0)
- return SECSID_NULL;
- if (peer_sid == SECINITSID_UNLABELED)
+ if (selinux_netlbl_skbuff_getsid(skb,
+ SECINITSID_UNLABELED,
+ &peer_sid) != 0)
return SECSID_NULL;
return peer_sid;
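Review bot: `int peer_sid;` is kept from the original while the function returns u32 and `&peer_sid` is passed to selinux_netlbl_skbuff_getsid as the output argument (compare `u32 netlbl_sid;` in the sock_rcv_skb hunk); that is a signedness mismatch on the pointer and an implicit conversion on return, so change it to `u32 peer_sid;` while you are touching these lines. Dropping the skb->sk / SOCK_INODE lookup is a welcome simplification since the datagram skb no longer has to be attached to a socket, but the resulting behaviour change (socket-less skbs are now mapped instead of returning SECSID_NULL) deserves a sentence in the commit message.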
--
paul moore
linux security @ hp
* Re: [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: James Morris @ 2006-10-06 1:46 UTC
To: Paul Moore; +Cc: netdev, selinux
On Thu, 5 Oct 2006, paul.moore@hp.com wrote:
> This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
> SELinux type information when generating a NetLabel context.
Applied.
Git:
git://git.infradead.org/~jmorris/selinux-2.6.git
Web:
http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary
--
James Morris
<jmorris@namei.org>