SECMARK: implementation question

All of lore.kernel.org
 help / color / mirror / Atom feed

* SECMARK: implementation question
@ 2009-10-11  4:27 Jacques Thomas
  2009-10-12 22:46 ` Paul Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Jacques Thomas @ 2009-10-11  4:27 UTC (permalink / raw)
  To: SE Linux

Dear All,

If I understand correctly, the permission check for inbound packet (the 
"packet recv" operation) is performed by selinux_socket_sock_recv_skb, 
which hooks into the socket_sock_recv_skb hook.

Does anybody remember the rationale for doing the check there instead of 
the NF_INET_LOCAL_IN hook ?

I am asking that because the permission for outbound packets ("packet 
send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there 
should be a good reason for this asymetry, but I don't get it.

Thanks for your time,
Jacques Thomas

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: SECMARK: implementation question
  2009-10-11  4:27 SECMARK: implementation question Jacques Thomas
@ 2009-10-12 22:46 ` Paul Moore
  2009-10-12 23:47   ` Jacques Thomas
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2009-10-12 22:46 UTC (permalink / raw)
  To: Jacques Thomas; +Cc: SE Linux

On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
> Dear All,
> 
> If I understand correctly, the permission check for inbound packet (the
> "packet recv" operation) is performed by selinux_socket_sock_recv_skb,
> which hooks into the socket_sock_recv_skb hook.
> 
> Does anybody remember the rationale for doing the check there instead of
> the NF_INET_LOCAL_IN hook ?

When performing the "packet recv" access control the Secmark label needs to be 
compared against the receiving socket's label, to the best of my understanding 
this is not possible with the current netfilter hooks.  At one point there was 
some discussion of implementing socket level netfilter hooks but I don't 
believe they ever went anywhere.

> I am asking that because the permission for outbound packets ("packet
> send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
> should be a good reason for this asymetry, but I don't get it.

The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any 
access control, it only handles labeling packets generated from disconnected 
sockets when NetLabel is in use.  There is outbound Secmark based access 
control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible 
there because the packet (struct sk_buff) has a back pointer to the socket 
where it originated from enabling us to perform the access check at this point 
in the stack.

-- 
paul moore
linux @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: SECMARK: implementation question
  2009-10-12 22:46 ` Paul Moore
@ 2009-10-12 23:47   ` Jacques Thomas
  0 siblings, 0 replies; 3+ messages in thread
From: Jacques Thomas @ 2009-10-12 23:47 UTC (permalink / raw)
  To: Paul Moore; +Cc: SE Linux

Paul Moore wrote:
> On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
>   
>> Dear All,
>>
>> If I understand correctly, the permission check for inbound packet (the
>> "packet recv" operation) is performed by selinux_socket_sock_recv_skb,
>> which hooks into the socket_sock_recv_skb hook.
>>
>> Does anybody remember the rationale for doing the check there instead of
>> the NF_INET_LOCAL_IN hook ?
>>     
>
> When performing the "packet recv" access control the Secmark label needs to be 
> compared against the receiving socket's label, to the best of my understanding 
> this is not possible with the current netfilter hooks.  At one point there was 
> some discussion of implementing socket level netfilter hooks but I don't 
> believe they ever went anywhere.
>  
>   
>> I am asking that because the permission for outbound packets ("packet
>> send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
>> should be a good reason for this asymetry, but I don't get it.
>>     
>
> The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any 
> access control, it only handles labeling packets generated from disconnected 
> sockets when NetLabel is in use.  There is outbound Secmark based access 
> control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible 
> there because the packet (struct sk_buff) has a back pointer to the socket 
> where it originated from enabling us to perform the access check at this point 
> in the stack.
>
>   

This makes sense to me to me now. Thank you for the explanation.

Regards,
Jacques Thomas

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2009-10-12 23:47 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-10-11  4:27 SECMARK: implementation question Jacques Thomas
2009-10-12 22:46 ` Paul Moore
2009-10-12 23:47   ` Jacques Thomas

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.