From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
netfilter-devel@vger.kernel.org, jmorris@namei.org,
sds@tycho.nsa.gov, jengelh@medozas.de, paul.moore@hp.com,
casey@schaufler-ca.com, linux-security-module@vger.kernel.org,
netfilter@vger.kernel.org, mr.dash.four@googlemail.com
Subject: Re: [PATCH 2/6] secmark: make secmark object handling generic
Date: Sat, 25 Sep 2010 10:39:40 +0200 [thread overview]
Message-ID: <4C9DB54C.4010100@netfilter.org> (raw)
In-Reply-To: <20100924204524.28355.87206.stgit@paris.rdu.redhat.com>
On 24/09/10 22:45, Eric Paris wrote:
> Right now secmark has lots of direct selinux calls. Use all LSM calls and
> remove all SELinux specific knowledge. The only SELinux specific knowledge
> we leave is the mode. The only point is to make sure that other LSMs at
> least test this generic code before they assume it works. (They may also
> have to make changes if they do not represent labels as strings)
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
>
> include/linux/netfilter/xt_SECMARK.h | 14 ++------
> include/linux/security.h | 25 +++++++++++++
> include/linux/selinux.h | 63 ----------------------------------
> net/netfilter/xt_CT.c | 1 -
> net/netfilter/xt_SECMARK.c | 57 +++++++++++++++----------------
> security/capability.c | 17 +++++++++
> security/security.c | 18 ++++++++++
> security/selinux/exports.c | 49 --------------------------
> security/selinux/hooks.c | 24 +++++++++++++
> security/selinux/include/security.h | 1 +
> 10 files changed, 116 insertions(+), 153 deletions(-)
>
> diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
> index 6fcd344..b8d55c4 100644
> --- a/include/linux/netfilter/xt_SECMARK.h
> +++ b/include/linux/netfilter/xt_SECMARK.h
> @@ -10,19 +10,13 @@
> * 'mode' refers to the specific security subsystem which the
> * packets are being marked for.
> */
> -#define SECMARK_MODE_SEL 0x01 /* SELinux */
> -#define SECMARK_SELCTX_MAX 256
> -
> -struct xt_secmark_target_selinux_info {
> - __u32 selsid;
> - char selctx[SECMARK_SELCTX_MAX];
> -};
> +#define SECMARK_MODE_SELINUX 0x01 /* SELinux */
> +#define SECMARK_SECCTX_MAX 256
The SECMARK_MODE_SEL is exposed to user-space, even if we have a copy of
it in the internal iptables tree, I'm not sure if it's a good policy to
change it.
next prev parent reply other threads:[~2010-09-25 8:39 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-24 20:45 [PATCH 1/6] secmark: do not return early if there was no error Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-24 20:45 ` [PATCH 2/6] secmark: make secmark object handling generic Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-25 8:39 ` Pablo Neira Ayuso [this message]
2010-09-27 16:47 ` Eric Paris
2010-09-27 16:47 ` Eric Paris
2010-09-24 20:45 ` [PATCH 3/6] secmark: export binary yes/no rather than kernel internal secid Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-25 8:41 ` Pablo Neira Ayuso
2010-09-27 16:44 ` Eric Paris
2010-09-27 16:44 ` Eric Paris
2010-09-27 0:50 ` James Morris
2010-09-27 0:50 ` James Morris
2010-09-27 17:01 ` Eric Paris
2010-09-27 17:01 ` Eric Paris
2010-09-27 18:29 ` Paul Moore
2010-09-27 18:29 ` Paul Moore
2010-09-27 19:25 ` Eric Paris
2010-09-27 19:25 ` Eric Paris
2010-09-27 19:45 ` Paul Moore
2010-09-27 19:45 ` Paul Moore
2010-09-27 22:48 ` Pablo Neira Ayuso
2010-09-28 0:00 ` Jan Engelhardt
2010-09-28 8:45 ` Mr Dash Four
2010-09-27 23:45 ` James Morris
2010-09-27 23:45 ` James Morris
2010-09-28 12:32 ` Casey Schaufler
2010-09-28 12:32 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 4/6] security: secid_to_secctx returns len when data is NULL Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-27 13:49 ` Casey Schaufler
2010-09-27 13:49 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 5/6] conntrack: export lsm context rather than internal secid via netlink Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-24 21:08 ` Jan Engelhardt
2010-09-27 11:01 ` Pablo Neira Ayuso
2010-09-27 16:51 ` Eric Paris
2010-09-27 16:51 ` Eric Paris
2010-09-24 20:45 ` [PATCH 6/6] secmark: export secctx, drop secmark in procfs Eric Paris
2010-09-24 20:45 ` Eric Paris
2010-09-24 21:01 ` [PATCH 1/6] secmark: do not return early if there was no error Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C9DB54C.4010100@netfilter.org \
--to=pablo@netfilter.org \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=jengelh@medozas.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.