* SECMARK: implementation question
@ 2009-10-11 4:27 Jacques Thomas
2009-10-12 22:46 ` Paul Moore
0 siblings, 1 reply; 3+ messages in thread
From: Jacques Thomas @ 2009-10-11 4:27 UTC (permalink / raw)
To: SE Linux
Dear All,
If I understand correctly, the permission check for inbound packet (the
"packet recv" operation) is performed by selinux_socket_sock_recv_skb,
which hooks into the socket_sock_recv_skb hook.
Does anybody remember the rationale for doing the check there instead of
the NF_INET_LOCAL_IN hook ?
I am asking that because the permission for outbound packets ("packet
send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
should be a good reason for this asymetry, but I don't get it.
Thanks for your time,
Jacques Thomas
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: SECMARK: implementation question
2009-10-11 4:27 SECMARK: implementation question Jacques Thomas
@ 2009-10-12 22:46 ` Paul Moore
2009-10-12 23:47 ` Jacques Thomas
0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2009-10-12 22:46 UTC (permalink / raw)
To: Jacques Thomas; +Cc: SE Linux
On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
> Dear All,
>
> If I understand correctly, the permission check for inbound packet (the
> "packet recv" operation) is performed by selinux_socket_sock_recv_skb,
> which hooks into the socket_sock_recv_skb hook.
>
> Does anybody remember the rationale for doing the check there instead of
> the NF_INET_LOCAL_IN hook ?
When performing the "packet recv" access control the Secmark label needs to be
compared against the receiving socket's label, to the best of my understanding
this is not possible with the current netfilter hooks. At one point there was
some discussion of implementing socket level netfilter hooks but I don't
believe they ever went anywhere.
> I am asking that because the permission for outbound packets ("packet
> send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
> should be a good reason for this asymetry, but I don't get it.
The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any
access control, it only handles labeling packets generated from disconnected
sockets when NetLabel is in use. There is outbound Secmark based access
control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible
there because the packet (struct sk_buff) has a back pointer to the socket
where it originated from enabling us to perform the access check at this point
in the stack.
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: SECMARK: implementation question
2009-10-12 22:46 ` Paul Moore
@ 2009-10-12 23:47 ` Jacques Thomas
0 siblings, 0 replies; 3+ messages in thread
From: Jacques Thomas @ 2009-10-12 23:47 UTC (permalink / raw)
To: Paul Moore; +Cc: SE Linux
Paul Moore wrote:
> On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
>
>> Dear All,
>>
>> If I understand correctly, the permission check for inbound packet (the
>> "packet recv" operation) is performed by selinux_socket_sock_recv_skb,
>> which hooks into the socket_sock_recv_skb hook.
>>
>> Does anybody remember the rationale for doing the check there instead of
>> the NF_INET_LOCAL_IN hook ?
>>
>
> When performing the "packet recv" access control the Secmark label needs to be
> compared against the receiving socket's label, to the best of my understanding
> this is not possible with the current netfilter hooks. At one point there was
> some discussion of implementing socket level netfilter hooks but I don't
> believe they ever went anywhere.
>
>
>> I am asking that because the permission for outbound packets ("packet
>> send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
>> should be a good reason for this asymetry, but I don't get it.
>>
>
> The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any
> access control, it only handles labeling packets generated from disconnected
> sockets when NetLabel is in use. There is outbound Secmark based access
> control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible
> there because the packet (struct sk_buff) has a back pointer to the socket
> where it originated from enabling us to perform the access check at this point
> in the stack.
>
>
This makes sense to me to me now. Thank you for the explanation.
Regards,
Jacques Thomas
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2009-10-12 23:47 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-10-11 4:27 SECMARK: implementation question Jacques Thomas
2009-10-12 22:46 ` Paul Moore
2009-10-12 23:47 ` Jacques Thomas
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.