From: Harald Welte <laforge@gnumonks.org>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: selinux@vger.kernel.org, linux-security-module@vger.kernel.org,
	osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org,
	stephen.smalley.work@gmail.com, paul@paul-moore.com,
	pablo@netfilter.org, jmorris@namei.org
Subject: Re: [PATCH 3/3] selinux: Add SELinux GTP support
Date: Wed, 30 Sep 2020 13:01:53 +0200	[thread overview]
Message-ID: <20200930110153.GT3871@nataraja> (raw)
In-Reply-To: <20200930094934.32144-4-richard_c_haines@btinternet.com>

Hi Richard,

I don't fully understand in which context you need / use those SELinux GTP hooks,
however one comment from the point of view of somebody who is working on GGSN/P-GW
software using the GTP kernel module:

On Wed, Sep 30, 2020 at 10:49:34AM +0100, Richard Haines wrote:
> +selinux_gtp_dev_cmd()
> +~~~~~~~~~~~~~~~~~~~~~
> +Validate if the caller (current SID) and the GTP device SID have the required
> +permission to perform the operation. The GTP/SELinux permission map is
> +as follow::
> +
> +    GTP_CMD_NEWPDP = gtp { add }
> +    GTP_CMD_DELPDP = gtp { del }
> +    GTP_CMD_GETPDP = gtp { get }
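Review bot: the map at the end of this block lists only the three PDP-context commands (GTP_CMD_NEWPDP/DELPDP/GETPDP), while the sentence above it describes the check as being between the caller SID and the GTP device SID; state explicitly that per-PDP operations are authorized against the device's label, and whether netdev-level operations (creating or removing the GTP device itself) are covered by this hook at all, so that policy writers can tell the two apart. Also, "as follow::" should read "as follows::".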

Wouldn't it make sense to differentiate between:

a) add/del/get on the GTP netdev
b) add/del/get on the individual PDP within the GTP netdev

'a' is typically only created once at startup of a GGSN/P-GW software, or is
done even at system start-up time.

'b' is performed frequently during runtime as the GGSN/P-GW function runs, as
subscribers attach to / detach from the cellular network.

By differentiating between those two, one could further constrain the permissions
required at runtime.

-- 
- Harald Welte <laforge@gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

Thread overview: 16+ messages
2020-09-30  9:49 [PATCH 0/3] Add LSM/SELinux support for GPRS Tunneling Protocol (GTP) Richard Haines
2020-09-30  9:49 ` [PATCH 1/3] security: Add GPRS Tunneling Protocol (GTP) security hooks Richard Haines
2020-09-30  9:49 ` [PATCH 2/3] gtp: Add LSM hooks to GPRS Tunneling Protocol (GTP) Richard Haines
2020-09-30  9:49 ` [PATCH 3/3] selinux: Add SELinux GTP support Richard Haines
2020-09-30 11:01   ` Harald Welte [this message]
2020-09-30 12:25     ` Richard Haines
2020-09-30 13:38       ` Harald Welte
2020-10-12  2:09         ` Paul Moore
2020-10-12  9:38           ` Harald Welte
2020-10-13 13:55             ` Paul Moore
2020-10-13 16:38               ` Richard Haines
2020-10-13 20:42                 ` Harald Welte
2020-09-30 10:17 ` [PATCH 0/3] Add LSM/SELinux support for GPRS Tunneling Protocol (GTP) Pablo Neira Ayuso
2020-09-30 12:20   ` Richard Haines
2020-09-30 12:30     ` Pablo Neira Ayuso
2020-09-30 15:56     ` Casey Schaufler
