From: Steffen Klassert <steffen.klassert@secunet.com>
To: Joy Latten <latten@austin.ibm.com>
Cc: Paul Moore <paul.moore@hp.com>,
linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH 05/10] selinux: selinux_xfrm_decode_session check for socket sid
Date: Mon, 28 Feb 2011 11:25:42 +0100 [thread overview]
Message-ID: <20110228102542.GD26510@secunet.com> (raw)
In-Reply-To: <1298661665.2715.136.camel@faith.austin.ibm.com>
On Fri, Feb 25, 2011 at 01:21:05PM -0600, Joy Latten wrote:
> > >
> > > I think that's not possible too. The security_xfrm_decode_session()
> > > hook is used from within xfrm_decode_session(). This function
> > > is used in codepaths that are used for both, inbound and outbound
> > > processing (xfrm_lookup, xfrm_policy_check etc.).
> >
> > This makes me wonder if the LSM hook is even in the right place.
>
> I am unable to find the original email to get a full understanding of
> the context of this particular patch so am responding via Paul's email.
> If my comments seem incorrect due to lack of context... please let me
> know.
>
> I believe xfrm_decode_session is for inbound processing.
> I could not readily find anything suggesting that xfrm_lookup()
> results in __xfrm_decode_session() getting called. If I have missed
> it, please let me know. I was looking at kernel code for 2.6.35.7.
Well, xfrm_decode_session() called in the forwarding path from
__xfrm_route_forward() to construct the flow that is passed to
xfrm_lookup().
Also it is called from the netfilter functions ip_route_me_harder()
on output, and ip_xfrm_me_harder() from the local out and the
postrouting hook.
Further, security_xfrm_decode_session() is called via selinux_skb_xfrm_sid()
from selinux_skb_peerlbl_sid() which is called from input, output and
forwaring codepaths.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2011-02-28 10:25 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110214131651.GA15640@secunet.com>
2011-02-14 16:59 ` [PATCHSET RFC] selinux: rework labeled IPsec networking Paul Moore
[not found] ` <20110215121900.GA25769@secunet.com>
2011-02-16 0:02 ` Paul Moore
[not found] ` <20110221115403.GA20852@secunet.com>
2011-02-21 15:28 ` Paul Moore
[not found] ` <20110214131739.GB15640@secunet.com>
2011-02-16 19:18 ` [PATCH 01/10] selinux: Fix check for xfrm selinux context algorithm Paul Moore
[not found] ` <20110214131815.GC15640@secunet.com>
2011-02-16 19:34 ` [PATCH 02/10] selinux: Perform postroute access control checks after IPsec transfomations Paul Moore
[not found] ` <20110222112334.GB20852@secunet.com>
2011-02-23 21:02 ` Paul Moore
2011-02-28 7:29 ` Steffen Klassert
[not found] ` <20110214131855.GD15640@secunet.com>
2011-02-16 19:39 ` [PATCH 03/10] selinux: Remove checks for xfrm transformations from selinux_xfrm_postroute_last Paul Moore
[not found] ` <20110214131934.GE15640@secunet.com>
2011-02-16 19:46 ` [PATCH 04/10] selinux: Fix wrong checks for selinux_policycap_netpeer Paul Moore
[not found] ` <20110214132009.GF15640@secunet.com>
2011-02-16 20:11 ` [PATCH 05/10] selinux: selinux_xfrm_decode_session check for socket sid Paul Moore
[not found] ` <20110222121143.GC20852@secunet.com>
2011-02-23 21:16 ` Paul Moore
2011-02-25 19:21 ` Joy Latten
2011-02-28 10:25 ` Steffen Klassert [this message]
2011-02-28 8:51 ` Steffen Klassert
[not found] ` <20110214132049.GG15640@secunet.com>
2011-02-16 20:19 ` [PATCH 06/10] selinux: Fix packet forwarding checks on postrouting Paul Moore
[not found] ` <20110214132122.GH15640@secunet.com>
2011-02-16 20:32 ` [PATCH 07/10] selinux: Check receiving against sending interface on packet forwarding Paul Moore
[not found] ` <20110222130409.GD20852@secunet.com>
2011-02-23 21:34 ` Paul Moore
2011-02-28 9:10 ` Steffen Klassert
[not found] ` <20110214132157.GI15640@secunet.com>
2011-02-16 20:57 ` [PATCH 08/10] selinux: Fix handling of kernel generated packets on labeled IPsec Paul Moore
[not found] ` <20110222133150.GE20852@secunet.com>
2011-02-23 21:45 ` Paul Moore
2011-02-25 20:50 ` Joy Latten
2011-02-28 10:33 ` Steffen Klassert
2011-03-01 18:41 ` Paul Moore
[not found] ` <20110214132312.GK15640@secunet.com>
2011-02-16 21:08 ` [PATCH 10/10] selinux: Perform xfrm checks for unlabeled access in any case Paul Moore
[not found] ` <20110222135217.GF20852@secunet.com>
2011-02-23 21:59 ` Paul Moore
2011-02-28 11:34 ` Steffen Klassert
2011-03-01 18:42 ` Paul Moore
[not found] ` <20110214132234.GJ15640@secunet.com>
[not found] ` <1297889991.25079.46.camel@sifl>
2011-02-16 22:08 ` [PATCH 09/10] selinux: xfrm - notify users on dropped packets James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110228102542.GD26510@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=latten@austin.ibm.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.