From: Paul Moore <paul.moore@hp.com>
To: Patrick McHardy <kaber@trash.net>
Cc: James Morris <jmorris@namei.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 3/4] add support for modifying secmark via ctnetlink
Date: Wed, 21 May 2008 13:51:08 -0400 [thread overview]
Message-ID: <200805211351.08499.paul.moore@hp.com> (raw)
In-Reply-To: <483457DF.3070702@trash.net>
On Wednesday 21 May 2008 1:11:59 pm Patrick McHardy wrote:
> Paul Moore wrote:
> > Sorry, I don't subscribe to netfilter-devel so I missed the
> > original discussion; I'm subscribed now.
> >
> > I agree with James that we need to perform some access check before
> > setting the ct->secmark field, however, I don't think it is as
> > simple as calling selinux_secmark_relabel_packet_permission(). The
> > problem is that the selinux_secmark_relabel_packet_permission()
> > function checks to see if the currently running task can relabel
> > packets; in this case we don't want to check the currently running
> > task we want to check the sender of the netlink message which we
> > can't really do currently. The next best thing is to provide
> > access control around the individual netlink message types which we
> > can currently do.
>
> Actually in the current kernel netlink message processing is
> done synchronously in the context of the sending process
> (commit cd40b7d3: [NET]: make netlink user -> kernel interface
> synchronious). So this check should be easy to add.
Thanks, that is definitely handy.
> > From what I can tell (I'm no netfilter expert), we need to ensure
> > that only privileged process have the ability to send netlink
> > messages with type (NFNL_SUBSYS_CTNETLINK | IPCTNL_MSG_CT_NEW)
> > which should be possible using the code in
> > security/selinux/nlmsgtab.c. You would need to create a
> > NETLINK_NETFILTER nlmsg_perm struct first like the others for
> > routing, XFRM, audit, etc.
>
> So far nfnetlink is restricted to CAP_NET_ADMIN and uses
> security_netlink_recv() for permission checks. I'll add
> a nlmsg_perm struct for nfnetlink, I guess this makes
> sense independant of this patch. Will send over for review
> once its ready.
Thanks. When developing the patch keep in mind that the new permissions
will probably need to made conditional on the SELinux policy
capabilitity to preserve backwards compability. Look for the
selinux_policycap_{netpeer,openperm} under security/selinux for
examples. I can lend a hand if you have any questions.
--
paul moore
linux @ hp
next prev parent reply other threads:[~2008-05-21 17:51 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-20 22:29 [PATCH 3/4] add support for modifying secmark via ctnetlink Pablo Neira Ayuso
2008-05-21 11:15 ` Patrick McHardy
2008-05-21 11:42 ` James Morris
2008-05-21 12:00 ` Patrick McHardy
2008-05-21 16:46 ` Paul Moore
2008-05-21 16:54 ` Stephen Smalley
2008-05-21 17:13 ` Patrick McHardy
2008-05-22 18:11 ` Stephen Smalley
2008-05-22 19:08 ` Patrick McHardy
2008-05-21 17:41 ` Paul Moore
2008-05-21 17:11 ` Patrick McHardy
2008-05-21 17:51 ` Paul Moore [this message]
2008-05-21 17:55 ` Stephen Smalley
2008-05-21 19:03 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200805211351.08499.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.