* [RFC] [PATCH 1/4] Label-based flow control of traffic
@ 2007-09-18 17:31 Venkat Yekkirala
From: Venkat Yekkirala @ 2007-09-18 17:31 UTC (permalink / raw)
  To: selinux, paul.moore, sds, jmorris

This patch set implements network traffic flow control
based on the external/fallback label of the packet and
the labels of the interfaces/nodes involved.

This patch set provides an outline for how it could
work using labeled xfrms. This needs to be augmented
with NetLabel and fallback labels for packets and
potentially a combined interface/network label for
interfaces/nodes.

Locally destined packets are flow-controlled in the existing
rcv_skb LSM hook. Forwarded packets are flow-controlled on
the way in, using a new forward netfilter hook in the LSM.
All traffic is flow-controlled on the way out using a new
skb_flow_out LSM hook.

The first patch defines flow_in/flow_out perms for
the netif and node class since netifs and nodes are
labeled and flow-controlled-against separately in
this patch set.

diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 049bf69..40f14c7 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -37,6 +37,8 @@
    S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
    S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
    S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NODE, NODE__FLOW_IN, "flow_in")
+   S_(SECCLASS_NODE, NODE__FLOW_OUT, "flow_out")
    S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
    S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
    S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
@@ -45,6 +47,8 @@
    S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
    S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
    S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
+   S_(SECCLASS_NETIF, NETIF__FLOW_IN, "flow_in")
+   S_(SECCLASS_NETIF, NETIF__FLOW_OUT, "flow_out")
    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO, "connectto")
    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN, "newconn")
    S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM, "acceptfrom")
diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h
index eda89a2..44188a2 100644
--- a/security/selinux/include/av_permissions.h
+++ b/security/selinux/include/av_permissions.h
@@ -292,6 +292,8 @@
 #define NODE__ENFORCE_DEST                        0x00000040UL
 #define NODE__DCCP_RECV                           0x00000080UL
 #define NODE__DCCP_SEND                           0x00000100UL
+#define NODE__FLOW_IN                             0x00000200UL
+#define NODE__FLOW_OUT                            0x00000400UL
 #define NETIF__TCP_RECV                           0x00000001UL
 #define NETIF__TCP_SEND                           0x00000002UL
 #define NETIF__UDP_RECV                           0x00000004UL
@@ -300,6 +302,8 @@
 #define NETIF__RAWIP_SEND                         0x00000020UL
 #define NETIF__DCCP_RECV                          0x00000040UL
 #define NETIF__DCCP_SEND                          0x00000080UL
+#define NETIF__FLOW_IN                            0x00000100UL
+#define NETIF__FLOW_OUT                           0x00000200UL
 #define NETLINK_SOCKET__IOCTL                     0x00000001UL
 #define NETLINK_SOCKET__READ                      0x00000002UL
 #define NETLINK_SOCKET__WRITE                     0x00000004UL
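Review bot: NETIF__FLOW_IN (0x00000100UL) and NETIF__FLOW_OUT (0x00000200UL) take the next two bits after NETIF__DCCP_SEND, and nothing here ties that position to the policy side: the bit a check tests is only meaningful if the policy's netif access vector lists flow_in and flow_out in the same order, and a policy compiled without them can never grant the bit, so any hook that later checks these perms denies by default under such a policy. That fail-closed behaviour may well be intended, but the commit message should say so and name the policy change (the netif and node access vectors in the flask definitions) that this hunk depends on. If this header is regenerated from the flask definitions rather than hand-edited (its top is outside the hunk), the note belongs in the commit message; otherwise add above the new lines `/* flow_in/flow_out: order must match the netif access vector in policy; a policy lacking them never grants these bits */`. The hooks that consume these permissions are in later patches of the series, so the denial effect is inferred from the bit layout, not from code visible here.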



* Re: [RFC] [PATCH 1/4] Label-based flow control of traffic
@ 2007-09-21 19:19 ` Paul Moore
From: Paul Moore @ 2007-09-21 19:19 UTC (permalink / raw)
  To: Venkat Yekkirala; +Cc: selinux, sds, jmorris

On Tuesday, September 18 2007 1:31:41 pm Venkat Yekkirala wrote:
> diff --git a/security/selinux/include/av_perm_to_string.h
> b/security/selinux/include/av_perm_to_string.h index 049bf69..40f14c7
> 100644
> --- a/security/selinux/include/av_perm_to_string.h
> +++ b/security/selinux/include/av_perm_to_string.h
> @@ -37,6 +37,8 @@
>     S_(SECCLASS_NODE, NODE__ENFORCE_DEST, "enforce_dest")
>     S_(SECCLASS_NODE, NODE__DCCP_RECV, "dccp_recv")
>     S_(SECCLASS_NODE, NODE__DCCP_SEND, "dccp_send")
> +   S_(SECCLASS_NODE, NODE__FLOW_IN, "flow_in")
> +   S_(SECCLASS_NODE, NODE__FLOW_OUT, "flow_out")
>     S_(SECCLASS_NETIF, NETIF__TCP_RECV, "tcp_recv")
>     S_(SECCLASS_NETIF, NETIF__TCP_SEND, "tcp_send")
>     S_(SECCLASS_NETIF, NETIF__UDP_RECV, "udp_recv")
> @@ -45,6 +47,8 @@
>     S_(SECCLASS_NETIF, NETIF__RAWIP_SEND, "rawip_send")
>     S_(SECCLASS_NETIF, NETIF__DCCP_RECV, "dccp_recv")
>     S_(SECCLASS_NETIF, NETIF__DCCP_SEND, "dccp_send")
> +   S_(SECCLASS_NETIF, NETIF__FLOW_IN, "flow_in")
> +   S_(SECCLASS_NETIF, NETIF__FLOW_OUT, "flow_out")
>     S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__CONNECTTO,
> "connectto") S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__NEWCONN,
> "newconn") S_(SECCLASS_UNIX_STREAM_SOCKET, UNIX_STREAM_SOCKET__ACCEPTFROM,
> "acceptfrom") diff --git a/security/selinux/include/av_permissions.h
> b/security/selinux/include/av_permissions.h index eda89a2..44188a2 100644
> --- a/security/selinux/include/av_permissions.h
> +++ b/security/selinux/include/av_permissions.h
> @@ -292,6 +292,8 @@
>  #define NODE__ENFORCE_DEST                        0x00000040UL
>  #define NODE__DCCP_RECV                           0x00000080UL
>  #define NODE__DCCP_SEND                           0x00000100UL
> +#define NODE__FLOW_IN                             0x00000200UL
> +#define NODE__FLOW_OUT                            0x00000400UL
>  #define NETIF__TCP_RECV                           0x00000001UL
>  #define NETIF__TCP_SEND                           0x00000002UL
>  #define NETIF__UDP_RECV                           0x00000004UL
> @@ -300,6 +302,8 @@
>  #define NETIF__RAWIP_SEND                         0x00000020UL
>  #define NETIF__DCCP_RECV                          0x00000040UL
>  #define NETIF__DCCP_SEND                          0x00000080UL
> +#define NETIF__FLOW_IN                            0x00000100UL
> +#define NETIF__FLOW_OUT                           0x00000200UL
>  #define NETLINK_SOCKET__IOCTL                     0x00000001UL
>  #define NETLINK_SOCKET__READ                      0x00000002UL
>  #define NETLINK_SOCKET__WRITE                     0x00000004UL

I'm sure this was assumed as a given when you sent this, but just so it's out 
there and we are all clear on the issue - before any kernel patches are 
pushed upstream I want to make sure the related policy changes (if any) 
have been accepted by Chris into the refpolicy svn tree.

I believe the changes here should be pretty minimal: updates to the flask 
definitions and some new unlabled_t allow rules in the network interfaces ...

-- 
paul moore
linux security @ hp


