From: Paul Moore
To: "Serge E. Hallyn"
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [RFC PATCH v2 1/2] lsm: Add hooks to the TUN driver
Date: Wed, 12 Aug 2009 15:43:15 -0400
Message-Id: <200908121543.15419.paul.moore@hp.com>
In-Reply-To: <20090812192840.GA13135@us.ibm.com>
References: <20090810172238.7946.34247.stgit@flek.lan> <20090810172844.7946.43287.stgit@flek.lan> <20090812192840.GA13135@us.ibm.com>

On Wednesday 12 August 2009 03:28:40 pm Serge E. Hallyn wrote:
> Quoting Paul Moore (paul.moore@hp.com):
> > The TUN driver lacks any LSM hooks which makes it difficult for LSM
> > modules, such as SELinux, to enforce access controls on network traffic
> > generated by TUN users; this is particularly problematic for
> > virtualization apps such as QEMU and KVM. This patch adds three new LSM
> > hooks designed to control the creation and attachment of TUN devices, the
> > hooks are:
> >
> > * security_tun_dev_create()
> >   Provides access control for the creation of new TUN devices
> >
> > * security_tun_dev_post_create()
> >   Provides the ability to create the necessary socket LSM state for
> >   newly created TUN devices
> >
> > * security_tun_dev_attach()
> >   Provides access control for attaching to existing, persistent TUN
> >   devices and the ability to update the TUN device's socket LSM state as
> >   necessary ---
>
> Acked-by: Serge Hallyn

Thanks.

--
paul moore
linux @ hp