Re: SECMARK: implementation question

[Paul Moore <paul.moore@hp.com>]

On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
> Dear All,
> 
> If I understand correctly, the permission check for inbound packet (the
> "packet recv" operation) is performed by selinux_socket_sock_recv_skb,
> which hooks into the socket_sock_recv_skb hook.
> 
> Does anybody remember the rationale for doing the check there instead of
> the NF_INET_LOCAL_IN hook ?

When performing the "packet recv" access control the Secmark label needs to be 
compared against the receiving socket's label, to the best of my understanding 
this is not possible with the current netfilter hooks.  At one point there was 
some discussion of implementing socket level netfilter hooks but I don't 
believe they ever went anywhere.
 
> I am asking that because the permission for outbound packets ("packet
> send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
> should be a good reason for this asymetry, but I don't get it.

The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any 
access control, it only handles labeling packets generated from disconnected 
sockets when NetLabel is in use.  There is outbound Secmark based access 
control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible 
there because the packet (struct sk_buff) has a back pointer to the socket 
where it originated from enabling us to perform the access check at this point 
in the stack.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.