* [PATCH 0/1] NetLabel changes from yesterday's discussion
From: paul.moore @ 2006-10-05 22:28 UTC
To: netdev, selinux; +Cc: jmorris

In case you missed it (har har) there was a pretty good discussion about labeled networking yesterday. One of the results of the discussion was the realization that the way NetLabel determines what to use for the SELinux TE portion of the packet's label was not the best choice. This patch should address the issue.

This patch does not rely on the secid patches currently in progress and should be considered a bugfix against the current net-2.6 tree.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
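As an added illustration of the cover letter's point, and not code from the kernel or from this patch: a user-space model of how a NetLabel peer label is assembled, with the TE fields (user:role:type) taken from a base SID and the MLS fields (sensitivity and categories) taken from the packet's attributes. The SID numbers, the SID table, the sshd_t socket context and the `struct secattr` shape are constructed for the example. Built on the pre-patch base (the local socket's SID, `sksec->sid` / `isec->sid` in the hunks), the peer label inherits the receiving socket's own type; built on SECINITSID_UNLABELED it carries the policy's unlabeled context plus whatever MLS attributes arrived on the wire; and a packet with no attributes yields the SECSID_NULL sentinel rather than a label.

```c
/*
 * Added illustration, not kernel code: how a NetLabel peer context is put
 * together from a "base" SID plus the MLS attributes carried on the wire,
 * and why the choice of base SID matters.  SID numbers, the SID table and
 * the label strings below are constructed for this example.
 */
#include <stdio.h>
#include <string.h>

#define SECSID_NULL           0u
#define SECINITSID_UNLABELED  1u   /* stand-in for the kernel's initial SID */
#define SID_SERVER_SOCKET     2u   /* constructed: a listening sshd_t socket */

struct ctx {
	const char *user, *role, *type;  /* TE portion of the context */
	int sens;                        /* MLS sensitivity */
	unsigned cats;                   /* MLS categories as a bitmask */
};

/* Minimal stand-in for NetLabel's security attribute structure. */
struct secattr {
	int present;      /* 0: the packet carried no NetLabel attributes */
	int sens;
	unsigned cats;
};

/* Constructed stand-in for the SID table. */
static const struct ctx sidtab[] = {
	[SECSID_NULL]          = { "", "", "", 0, 0 },
	[SECINITSID_UNLABELED] = { "system_u", "object_r", "unlabeled_t", 0, 0 },
	[SID_SERVER_SOCKET]    = { "system_u", "system_r", "sshd_t",      0, 0 },
};

/*
 * Same shape as selinux_netlbl_secattr_to_sid(): the TE fields come from
 * base_sid, the MLS fields from the packet.  Returns 0; *out_sid is
 * SECSID_NULL (the post-patch sentinel) when the packet had no attributes,
 * so "no label" can never collide with a label built on the unlabeled base.
 */
static int secattr_to_ctx(const struct secattr *attr, unsigned base_sid,
			  struct ctx *out, unsigned *out_sid)
{
	if (!attr->present) {
		*out_sid = SECSID_NULL;
		return 0;
	}
	*out = sidtab[base_sid];
	out->sens = attr->sens;
	out->cats = attr->cats;
	*out_sid = base_sid; /* a real sidtab would allocate a fresh SID here */
	return 0;
}

/* Render a context as "user:role:type:sN[:cM...]" into buf. */
static int ctx_to_string(const struct ctx *c, char *buf, size_t len)
{
	int n = snprintf(buf, len, "%s:%s:%s:s%d",
			 c->user, c->role, c->type, c->sens);

	for (unsigned i = 0; i < 32 && n > 0 && (size_t)n < len; i++)
		if (c->cats & (1u << i))
			n += snprintf(buf + n, len - n, ":c%u", i);
	return n;
}

/* Label a packet against a given base SID; returns the rendered label. */
static const char *peer_label(const struct secattr *attr, unsigned base_sid,
			      char *buf, size_t len)
{
	struct ctx c;
	unsigned sid;

	secattr_to_ctx(attr, base_sid, &c, &sid);
	if (sid == SECSID_NULL)
		return "(no NetLabel attributes)";
	ctx_to_string(&c, buf, len);
	return buf;
}

int main(void)
{
	/* Constructed wire attributes: sensitivity s1, categories c0 and c5. */
	struct secattr on_wire = { .present = 1, .sens = 1,
				   .cats = (1u << 0) | (1u << 5) };
	struct secattr none = { .present = 0 };
	char buf[128];

	/* Pre-patch: base the peer context on the local socket's SID. */
	printf("socket base : %s\n",
	       peer_label(&on_wire, SID_SERVER_SOCKET, buf, sizeof buf));
	/* Post-patch: base it on SECINITSID_UNLABELED. */
	printf("unlabeled   : %s\n",
	       peer_label(&on_wire, SECINITSID_UNLABELED, buf, sizeof buf));
	printf("no attrs    : %s\n",
	       peer_label(&none, SECINITSID_UNLABELED, buf, sizeof buf));
	return 0;
}
```

The first line of output is the problem the cover letter describes: the remote peer is reported as `sshd_t`, the accepting server's own type, purely because that socket's SID was used as the base. The second line is what the patch produces, and the third shows why the "no attributes" case needs its own sentinel once the unlabeled context is a legitimate result.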
* [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: paul.moore @ 2006-10-05 22:28 UTC
To: netdev, selinux; +Cc: jmorris, Paul Moore

This patch changes NetLabel to use SECINITSID_UNLABELED as its source of SELinux type information when generating a NetLabel context.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 security/selinux/ss/services.c | 29 +++++++++-------------------- 1 files changed, 9 insertions(+), 20 deletions(-)

Index: net-2.6_bugfix/security/selinux/ss/services.c =================================================================== --- net-2.6_bugfix.orig/security/selinux/ss/services.c +++ net-2.6_bugfix/security/selinux/ss/services.c @@ -2336,7 +2336,7 @@ static int selinux_netlbl_secattr_to_sid selinux_netlbl_cache_add(skb, &ctx_new); ebitmap_destroy(&ctx_new.range.level[0].cat); } else { - *sid = SECINITSID_UNLABELED; + *sid = SECSID_NULL; rc = 0; } @@ -2519,7 +2519,7 @@ void selinux_netlbl_sock_graft(struct so if (netlbl_sock_getattr(sk, &secattr) == 0 && selinux_netlbl_secattr_to_sid(NULL, &secattr, - sksec->sid, + SECINITSID_UNLABELED, &nlbl_peer_sid) == 0) sksec->peer_sid = nlbl_peer_sid; netlbl_secattr_destroy(&secattr); @@ -2552,9 +2552,6 @@ u32 selinux_netlbl_inet_conn_request(str if (rc != 0) return SECSID_NULL; - if (peer_sid == SECINITSID_UNLABELED) - return SECSID_NULL; - return peer_sid; } @@ -2616,11 +2613,13 @@ int selinux_netlbl_sock_rcv_skb(struct s u32 netlbl_sid; u32 recv_perm; - rc = selinux_netlbl_skbuff_getsid(skb, SECINITSID_NETMSG, &netlbl_sid); + rc = selinux_netlbl_skbuff_getsid(skb, + SECINITSID_UNLABELED, + &netlbl_sid); if (rc != 0) return rc; - if (netlbl_sid == SECINITSID_UNLABELED) + if (netlbl_sid == SECSID_NULL) return 0; switch (sksec->sclass) { 
@@ -2658,10 +2657,6 @@ int selinux_netlbl_sock_rcv_skb(struct s u32 selinux_netlbl_socket_getpeersec_stream(struct socket *sock) { struct sk_security_struct *sksec = sock->sk->sk_security; - - if (sksec->peer_sid == SECINITSID_UNLABELED) - return SECSID_NULL; - return sksec->peer_sid; } @@ -2677,16 +2672,10 @@ u32 selinux_netlbl_socket_getpeersec_str u32 selinux_netlbl_socket_getpeersec_dgram(struct sk_buff *skb) { int peer_sid; - struct sock *sk = skb->sk; - struct inode_security_struct *isec; - - if (sk == NULL || sk->sk_socket == NULL) - return SECSID_NULL; - isec = SOCK_INODE(sk->sk_socket)->i_security; - if (selinux_netlbl_skbuff_getsid(skb, isec->sid, &peer_sid) != 0) - return SECSID_NULL; - if (peer_sid == SECINITSID_UNLABELED) + if (selinux_netlbl_skbuff_getsid(skb, + SECINITSID_UNLABELED, + &peer_sid) != 0) return SECSID_NULL; return peer_sid;

-- 
paul moore
linux security @ hp
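Review bot: in the selinux_netlbl_secattr_to_sid hunk (@@ -2336), changing the no-attributes result from SECINITSID_UNLABELED to SECSID_NULL is forced by the rest of the patch, because SECINITSID_UNLABELED is now the base SID and can therefore be a legitimate generated result; one value cannot mean both "no label" and "the unlabeled label". That reasoning belongs in the commit log, and every caller that previously tested for SECINITSID_UNLABELED needs the matching SECSID_NULL test: the sock_rcv_skb hunk has it, while inet_conn_request and getpeersec_stream simply pass the value through, which is only correct if their callers already treat SECSID_NULL as "no peer label".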
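Review bot: in the selinux_netlbl_sock_graft hunk (@@ -2519), replacing `sksec->sid` with `SECINITSID_UNLABELED` means the TE fields of the peer label no longer come from the local accepting socket's own context but from the policy's unlabeled context, with only the MLS portion taken from the packet; that is the substantive behaviour change of the patch, yet the commit message says only what changed, not why. The rationale the cover letter attributes to the off-list discussion should be recorded in the log so the next reader does not have to reconstruct it.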
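Review bot: in the selinux_netlbl_inet_conn_request hunk (@@ -2552), dropping `if (peer_sid == SECINITSID_UNLABELED) return SECSID_NULL;` leaves the function returning whatever selinux_netlbl_skbuff_getsid produced, which after the first hunk is already SECSID_NULL for traffic without attributes, so the early return is redundant rather than wrong. Note the side effect, though: a packet whose attributes genuinely resolve to the unlabeled base is now reported as a real peer SID instead of being folded into "no label", so any caller that keyed on SECSID_NULL to skip the peer check will now see it.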
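Review bot: in the selinux_netlbl_sock_rcv_skb hunk (@@ -2616), two independent changes are folded together: the base SID moves from SECINITSID_NETMSG to SECINITSID_UNLABELED, and the early-return test moves from SECINITSID_UNLABELED to SECSID_NULL. The effect of the second is that `return 0` now bypasses the recv_perm check only when the packet carried no NetLabel attributes at all; a packet that did carry attributes, including one resolving to the unlabeled base, proceeds to the `switch (sksec->sclass)` check. A one-line comment at the `return 0` stating that SECSID_NULL means "no NetLabel attributes" would make that distinction explicit.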
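Review bot: in the selinux_netlbl_socket_getpeersec_stream hunk (@@ -2658), removing the SECINITSID_UNLABELED filter means `sksec->peer_sid` is returned verbatim, so the function now depends on peer_sid being initialised to SECSID_NULL for sockets that were never grafted with a NetLabel peer. That initialisation is not visible in this patch; please confirm it where sk_security_struct is allocated, otherwise a stale or zero-but-meaningful value would be handed to getpeersec callers.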
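Review bot: in the selinux_netlbl_socket_getpeersec_dgram hunk (@@ -2677), `int peer_sid;` is passed as the `u32 *` argument of selinux_netlbl_skbuff_getsid and then returned from a function declared `u32`; it should be `u32 peer_sid;`. The mismatch is pre-existing, but this hunk rewrites the surrounding lines anyway, so fix it here. Removing the `skb->sk` / `sk_socket` lookup is the point of the change, since the receiving socket no longer contributes to the peer label, but the removed NULL checks were the only guards on that path, so confirm nothing remaining in the function dereferences skb->sk.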
* Re: [PATCH 1/1] NetLabel: use SECINITSID_UNLABELED for a base SID
From: James Morris @ 2006-10-06 1:46 UTC
To: Paul Moore; +Cc: netdev, selinux

On Thu, 5 Oct 2006, paul.moore@hp.com wrote:

> This patch changes NetLabel to use SECINITSID_UNLABELED as its source of
> SELinux type information when generating a NetLabel context.

Applied.

Git: git://git.infradead.org/~jmorris/selinux-2.6.git
Web: http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary

-- 
James Morris <jmorris@namei.org>