From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: James Morris <jmorris@namei.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
Stephen Smalley <sds@tycho.nsa.gov>,
Chad Hanson <chanson@TrustedCS.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 0/3] secid reconciliation-v01: Repost patchset with up dates
Date: Thu, 31 Aug 2006 10:45:09 -0400 [thread overview]
Message-ID: <44F6F5F5.5000408@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C061859201512B64@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>My main concern with these patches is that moving the
>>NetLabel check out
>>of selinux_socket_sock_rcv_skb() and into
>>selinux_skb_policy_check() (as
>>it is currently written) would force us to compare a packet's NetLabel
>>with either the IPsec label or the secmark label
>
> Yes you would do these checks (while using a netlabel based off of the
> secmark at that point) to enforce flow control and when they succeed,
> you will copy netlabel into secmark.
>
>>and not the socket's
>>label.
>
> The socket Vs. secmark check that happens later in rcv_skb will in fact be
> looking at the cipso label that is by then a part of the secmark context.
So what you envison is that when an MLS label is found on a packet using
NetLabel the MLS label from the packet is attached to the secmark
context (replacing the existing MLS label, if any) and the resulting
context would be checked for a "flow_in" permission, yes?
Assuming the permission is granted the packet's secmark is replaced with
the updated context. This updated secmark context would then be used in
sock_rcv_skb() to make an access decision, yes?
>> The ability to make access decisions based on the process
>>consuming the data and the data itself it one of the nicer
>>qualities of
>>NetLabel in my opinion.
>
> This nicer quality ends up being preserved as explained above :)
It wasn't clear to me from your patch or the "master plan" what you
intended to do with the NetLabel context. I thought the "/* See if
CIPSO can flow in thru the current secmark here */" comment in your
patch was rather cryptic.
> We just need to get out of the mindset of viewing netlabel separately
> once we are past the reconciliation point.
Agreed. Although to be honest, I think the NetLabel context can be
reconciled with the secmark and XFRM contexts just as easily using the
existing sock_rcv_skb() hook. I guess I need to see where the
xfrm[4|6]_policy_check() hooks are called from in the stack to better
understand ...
--
paul moore
linux security @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
WARNING: multiple messages have this Message-ID (diff)
From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: James Morris <jmorris@namei.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
Stephen Smalley <sds@tycho.nsa.gov>,
Chad Hanson <chanson@TrustedCS.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 0/3] secid reconciliation-v01: Repost patchset with up dates
Date: Thu, 31 Aug 2006 10:45:09 -0400 [thread overview]
Message-ID: <44F6F5F5.5000408@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C061859201512B64@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>My main concern with these patches is that moving the
>>NetLabel check out
>>of selinux_socket_sock_rcv_skb() and into
>>selinux_skb_policy_check() (as
>>it is currently written) would force us to compare a packet's NetLabel
>>with either the IPsec label or the secmark label
>
> Yes you would do these checks (while using a netlabel based off of the
> secmark at that point) to enforce flow control and when they succeed,
> you will copy netlabel into secmark.
>
>>and not the socket's
>>label.
>
> The socket Vs. secmark check that happens later in rcv_skb will in fact be
> looking at the cipso label that is by then a part of the secmark context.
So what you envison is that when an MLS label is found on a packet using
NetLabel the MLS label from the packet is attached to the secmark
context (replacing the existing MLS label, if any) and the resulting
context would be checked for a "flow_in" permission, yes?
Assuming the permission is granted the packet's secmark is replaced with
the updated context. This updated secmark context would then be used in
sock_rcv_skb() to make an access decision, yes?
>> The ability to make access decisions based on the process
>>consuming the data and the data itself it one of the nicer
>>qualities of
>>NetLabel in my opinion.
>
> This nicer quality ends up being preserved as explained above :)
It wasn't clear to me from your patch or the "master plan" what you
intended to do with the NetLabel context. I thought the "/* See if
CIPSO can flow in thru the current secmark here */" comment in your
patch was rather cryptic.
> We just need to get out of the mindset of viewing netlabel separately
> once we are past the reconciliation point.
Agreed. Although to be honest, I think the NetLabel context can be
reconciled with the secmark and XFRM contexts just as easily using the
existing sock_rcv_skb() hook. I guess I need to see where the
xfrm[4|6]_policy_check() hooks are called from in the stack to better
understand ...
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-08-31 14:45 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-31 14:08 [PATCH 0/3] secid reconciliation-v01: Repost patchset with up dates Venkat Yekkirala
2006-08-31 14:08 ` Venkat Yekkirala
2006-08-31 14:45 ` Paul Moore [this message]
2006-08-31 14:45 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2006-08-31 15:13 Venkat Yekkirala
2006-08-31 15:13 ` Venkat Yekkirala
2006-08-25 13:30 Venkat Yekkirala
2006-08-25 13:30 ` Venkat Yekkirala
2006-08-25 14:26 ` James Morris
2006-08-25 14:26 ` James Morris
2006-08-30 20:21 ` Paul Moore
2006-08-30 20:21 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44F6F5F5.5000408@hp.com \
--to=paul.moore@hp.com \
--cc=chanson@TrustedCS.com \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.