From: Paul Moore <paul.moore@hp.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org,
	selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v2 1/2] lsm: Add hooks to the TUN driver
Date: Wed, 12 Aug 2009 15:43:15 -0400
Message-ID: <200908121543.15419.paul.moore@hp.com>
In-Reply-To: <20090812192840.GA13135@us.ibm.com>

On Wednesday 12 August 2009 03:28:40 pm Serge E. Hallyn wrote:
> Quoting Paul Moore (paul.moore@hp.com):
> > The TUN driver lacks any LSM hooks which makes it difficult for LSM
> > modules, such as SELinux, to enforce access controls on network traffic
> > generated by TUN users; this is particularly problematic for
> > virtualization apps such as QEMU and KVM.  This patch adds three new LSM
> > hooks designed to control the creation and attachment of TUN devices, the
> > hooks are:
> >
> >  * security_tun_dev_create()
> >    Provides access control for the creation of new TUN devices
> >
> >  * security_tun_dev_post_create()
> >    Provides the ability to create the necessary socket LSM state for
> >    newly created TUN devices
> >
> >  * security_tun_dev_attach()
> >    Provides access control for attaching to existing, persistent TUN
> >    devices and the ability to update the TUN device's socket LSM state as
> >    necessary
> > ---
>
> Acked-by: Serge Hallyn <serue@us.ibm.com>

Thanks.

-- 
paul moore
linux @ hp


