[PATCH external/sepolicy] Add iptables script to policy

[PATCH external/sepolicy] Add iptables script to policy

[Joshua Brindle]

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 Android.mk          |   13 +++++++++++++
 iptables-selinux.sh |   18 ++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100755 iptables-selinux.sh

diff --git a/Android.mk b/Android.mk
index 68f4c69..0b744b0 100644
--- a/Android.mk
+++ b/Android.mk
@@ -85,4 +85,17 @@ $(property_contexts): $(LOCAL_PATH)/property_contexts $(LOCAL_POLICY_PC)
 property_contexts :=
 ##################################
 
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := iptables-selinux.sh
+LOCAL_SRC_FILES := $(LOCAL_MODULE)
+LOCAL_MODULE_CLASS := EXECUTABLES
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_EXECUTABLES)
+
+include $(BUILD_PREBUILT)
+
+##################################
+
 endif #ifeq ($(HAVE_SELINUX),true)
diff --git a/iptables-selinux.sh b/iptables-selinux.sh
new file mode 100755
index 0000000..e9ac7d1
--- /dev/null
+++ b/iptables-selinux.sh
@@ -0,0 +1,18 @@
+#!/system/bin/sh
+
+IPTABLES="/system/bin/iptables"
+
+#$IPTABLES -t mangle -A INPUT -i wlan0 -j SECMARK --selctx u:object_r:packet:s0
+#$IPTABLES -t mangle -A INPUT -i lo -j SECMARK --selctx u:object_r:lo_packet:s0
+#$IPTABLES -t mangle -A INPUT -i ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
+#$IPTABLES -t mangle -A INPUT -i ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
+#$IPTABLES -t mangle -A INPUT -i ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
+#$IPTABLES -t mangle -A INPUT -i ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
+
+#$IPTABLES -t mangle -A OUTPUT -o wlan0 -j SECMARK --selctx u:object_r:packet:s0
+#$IPTABLES -t mangle -A OUTPUT -o lo -j SECMARK --selctx u:object_r:lo_packet:s0
+#$IPTABLES -t mangle -A OUTPUT -o ppp0 -j SECMARK --selctx u:object_r:ppp0_packet:s0
+#$IPTABLES -t mangle -A OUTPUT -o ppp1 -j SECMARK --selctx u:object_r:ppp1_packet:s0
+#$IPTABLES -t mangle -A OUTPUT -o ppp2 -j SECMARK --selctx u:object_r:ppp2_packet:s0
+#$IPTABLES -t mangle -A OUTPUT -o ppp3 -j SECMARK --selctx u:object_r:ppp3_packet:s0
+
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH build] add iptables-selinux.sh to SELINUX_DEPENDS

[Joshua Brindle]

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 core/Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/Makefile b/core/Makefile
index 146d56e..ade39ae 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -343,7 +343,7 @@ INTERNAL_RAMDISK_FILES := $(filter $(TARGET_ROOT_OUT)/%, \
 BUILT_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk.img
 
 ifeq ($(HAVE_SELINUX),true)
-SELINUX_DEPENDS := sepolicy file_contexts seapp_contexts property_contexts
+SELINUX_DEPENDS := sepolicy file_contexts seapp_contexts property_contexts iptables-selinux.sh
 endif
 
 #ifeq ($(HAVE_MAC),true)
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH system/core] add iptables secmark labeling script to startup

[Joshua Brindle]

Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 rootdir/init.rc |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 7131095..bd4bc81 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -372,6 +372,10 @@ service console /system/bin/sh
     user shell
     group log
 
+service netlabels /system/bin/iptables-selinux.sh
+    class core
+    oneshot
+
 on property:ro.debuggable=1
     start console
 
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH system/core] add iptables secmark labeling script to startup

[Paul Moore]

On Saturday, June 16, 2012 02:56:36 PM Joshua Brindle wrote:
> Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
> 
> Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
> ---
>  rootdir/init.rc |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/rootdir/init.rc b/rootdir/init.rc
> index 7131095..bd4bc81 100644
> --- a/rootdir/init.rc
> +++ b/rootdir/init.rc
> @@ -372,6 +372,10 @@ service console /system/bin/sh
>      user shell
>      group log
> 
> +service netlabels /system/bin/iptables-selinux.sh
> +    class core
> +    oneshot

I don't know much about Android development or the boot process, but I wonder 
if it would make sense to either change the name of the service or the script 
it executes.  While the script seems aptly named for its current 
functionality, the service name might become a problem if an Android user ever 
needs to enable NetLabel support.

I would suggest either changing the service name to reflect the 
secmark/iptables nature of the script or changing the name of the script to 
something more generic, e.g. selinux-network.sh, so that it is less awkward if 
the script grows at some point to contain secmark labeling rules, NetLabel 
configuration, labeled IPsec, etc.

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH system/core] add iptables secmark labeling script to startup

[Joshua Brindle]

Paul Moore wrote:
> On Saturday, June 16, 2012 02:56:36 PM Joshua Brindle wrote:
>> Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
>>
>> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
>> ---
>>   rootdir/init.rc |    4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/rootdir/init.rc b/rootdir/init.rc
>> index 7131095..bd4bc81 100644
>> --- a/rootdir/init.rc
>> +++ b/rootdir/init.rc
>> @@ -372,6 +372,10 @@ service console /system/bin/sh
>>       user shell
>>       group log
>>
>> +service netlabels /system/bin/iptables-selinux.sh
>> +    class core
>> +    oneshot
>
> I don't know much about Android development or the boot process, but I wonder
> if it would make sense to either change the name of the service or the script
> it executes.  While the script seems aptly named for its current
> functionality, the service name might become a problem if an Android user ever
> needs to enable NetLabel support.
>
> I would suggest either changing the service name to reflect the
> secmark/iptables nature of the script or changing the name of the script to
> something more generic, e.g. selinux-network.sh, so that it is less awkward if
> the script grows at some point to contain secmark labeling rules, NetLabel
> configuration, labeled IPsec, etc.
>

That is fine. This script generally should just be the initial network state. I 
fully expect that VPN apps, etc would have to do runtime label changes, both 
using secmark and labeled ipsec.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH system/core] add iptables secmark labeling script to startup

[Stephen Smalley]

On Mon, 2012-06-18 at 11:23 -0400, Joshua Brindle wrote:
> Paul Moore wrote:
> > On Saturday, June 16, 2012 02:56:36 PM Joshua Brindle wrote:
> >> Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
> >>
> >> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
> >> ---
> >>   rootdir/init.rc |    4 ++++
> >>   1 file changed, 4 insertions(+)
> >>
> >> diff --git a/rootdir/init.rc b/rootdir/init.rc
> >> index 7131095..bd4bc81 100644
> >> --- a/rootdir/init.rc
> >> +++ b/rootdir/init.rc
> >> @@ -372,6 +372,10 @@ service console /system/bin/sh
> >>       user shell
> >>       group log
> >>
> >> +service netlabels /system/bin/iptables-selinux.sh
> >> +    class core
> >> +    oneshot
> >
> > I don't know much about Android development or the boot process, but I wonder
> > if it would make sense to either change the name of the service or the script
> > it executes.  While the script seems aptly named for its current
> > functionality, the service name might become a problem if an Android user ever
> > needs to enable NetLabel support.
> >
> > I would suggest either changing the service name to reflect the
> > secmark/iptables nature of the script or changing the name of the script to
> > something more generic, e.g. selinux-network.sh, so that it is less awkward if
> > the script grows at some point to contain secmark labeling rules, NetLabel
> > configuration, labeled IPsec, etc.
> >
> 
> That is fine. This script generally should just be the initial network state. I 
> fully expect that VPN apps, etc would have to do runtime label changes, both 
> using secmark and labeled ipsec.

Up to you but if you want the script to cover general selinux network
configuration, you'll want to rename it and re-spin all of the userspace
patches.  Or you can leave it specific to iptables and just change the
name of the service in this one patch to fit that purpose.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH system/core] add iptables secmark labeling script to startup

[Joshua Brindle]

On Tue, 2012-06-19 at 08:24 -0400, Stephen Smalley wrote:
> On Mon, 2012-06-18 at 11:23 -0400, Joshua Brindle wrote:
> > Paul Moore wrote:
> > > On Saturday, June 16, 2012 02:56:36 PM Joshua Brindle wrote:
> > >> Change-Id: I47100243b04d9629d44c8962eafeacabdcd0e6d2
> > >>
> > >> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
> > >> ---
> > >>   rootdir/init.rc |    4 ++++
> > >>   1 file changed, 4 insertions(+)
> > >>
> > >> diff --git a/rootdir/init.rc b/rootdir/init.rc
> > >> index 7131095..bd4bc81 100644
> > >> --- a/rootdir/init.rc
> > >> +++ b/rootdir/init.rc
> > >> @@ -372,6 +372,10 @@ service console /system/bin/sh
> > >>       user shell
> > >>       group log
> > >>
> > >> +service netlabels /system/bin/iptables-selinux.sh
> > >> +    class core
> > >> +    oneshot
> > >
> > > I don't know much about Android development or the boot process, but I wonder
> > > if it would make sense to either change the name of the service or the script
> > > it executes.  While the script seems aptly named for its current
> > > functionality, the service name might become a problem if an Android user ever
> > > needs to enable NetLabel support.
> > >
> > > I would suggest either changing the service name to reflect the
> > > secmark/iptables nature of the script or changing the name of the script to
> > > something more generic, e.g. selinux-network.sh, so that it is less awkward if
> > > the script grows at some point to contain secmark labeling rules, NetLabel
> > > configuration, labeled IPsec, etc.
> > >
> > 
> > That is fine. This script generally should just be the initial network state. I 
> > fully expect that VPN apps, etc would have to do runtime label changes, both 
> > using secmark and labeled ipsec.
> 
> Up to you but if you want the script to cover general selinux network
> configuration, you'll want to rename it and re-spin all of the userspace
> patches.  Or you can leave it specific to iptables and just change the
> name of the service in this one patch to fit that purpose.
> 


It makes sense to me to merge 1 service that does selinux network config
instead of trying to merge in one for every aspect of it. I'll respin
all the patches since other changes are necessary anyway. 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH kernel/tegra] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 arch/arm/configs/stingray_defconfig |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/configs/stingray_defconfig b/arch/arm/configs/stingray_defconfig
index e67e4d5..9fe1fdd 100644
--- a/arch/arm/configs/stingray_defconfig
+++ b/arch/arm/configs/stingray_defconfig
@@ -459,3 +459,7 @@ CONFIG_SECURITY=y
 CONFIG_LSM_MMAP_MIN_ADDR=4096
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/tegra] enable secmark labeling for SE Android network access controls

[Stephen Smalley]

On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
> Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
> ---
>  arch/arm/configs/stingray_defconfig |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/configs/stingray_defconfig b/arch/arm/configs/stingray_defconfig
> index e67e4d5..9fe1fdd 100644
> --- a/arch/arm/configs/stingray_defconfig
> +++ b/arch/arm/configs/stingray_defconfig
> @@ -459,3 +459,7 @@ CONFIG_SECURITY=y
>  CONFIG_LSM_MMAP_MIN_ADDR=4096
>  CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_SELINUX=y
> +CONFIG_NETWORK_SECMARK=y
> +CONFIG_NF_CONNTRACK_SECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y

Thanks, merged.

No samsung kernel patch?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/tegra] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Stephen Smalley wrote:
> On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
>> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
>> ---
>>   arch/arm/configs/stingray_defconfig |    4 ++++
>>   1 file changed, 4 insertions(+)
>>
>> diff --git a/arch/arm/configs/stingray_defconfig b/arch/arm/configs/stingray_defconfig
>> index e67e4d5..9fe1fdd 100644
>> --- a/arch/arm/configs/stingray_defconfig
>> +++ b/arch/arm/configs/stingray_defconfig
>> @@ -459,3 +459,7 @@ CONFIG_SECURITY=y
>>   CONFIG_LSM_MMAP_MIN_ADDR=4096
>>   CONFIG_SECURITY_NETWORK=y
>>   CONFIG_SECURITY_SELINUX=y
>> +CONFIG_NETWORK_SECMARK=y
>> +CONFIG_NF_CONNTRACK_SECMARK=y
>> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
>> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y
>
> Thanks, merged.
>
> No samsung kernel patch?
>

We are only using AOSP devices, Galaxy Nexus is Omap and Xoom is Tegra. I'll add 
the secmark configs to the other kernels but I have no way of testing them.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/tegra] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
>>> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
>>> ---
>>> arch/arm/configs/stingray_defconfig | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/arch/arm/configs/stingray_defconfig
>>> b/arch/arm/configs/stingray_defconfig
>>> index e67e4d5..9fe1fdd 100644
>>> --- a/arch/arm/configs/stingray_defconfig
>>> +++ b/arch/arm/configs/stingray_defconfig
>>> @@ -459,3 +459,7 @@ CONFIG_SECURITY=y
>>> CONFIG_LSM_MMAP_MIN_ADDR=4096
>>> CONFIG_SECURITY_NETWORK=y
>>> CONFIG_SECURITY_SELINUX=y
>>> +CONFIG_NETWORK_SECMARK=y
>>> +CONFIG_NF_CONNTRACK_SECMARK=y
>>> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
>>> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y
>>
>> Thanks, merged.
>>
>> No samsung kernel patch?
>>
>
> We are only using AOSP devices, Galaxy Nexus is Omap and Xoom is Tegra. I'll add
> the secmark configs to the other kernels but I have no way of testing them.
>

And I forgot that the Nexus S uses the Samsung kernel. I still don't have one 
but I'll do the patch and let you test on yours :)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH kernel/omap] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 arch/arm/configs/tuna_defconfig |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/arm/configs/tuna_defconfig b/arch/arm/configs/tuna_defconfig
index b7d903b..775e34b 100644
--- a/arch/arm/configs/tuna_defconfig
+++ b/arch/arm/configs/tuna_defconfig
@@ -435,4 +435,8 @@ CONFIG_SECURITY=y
 CONFIG_LSM_MMAP_MIN_ADDR=4096
 CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_SELINUX=y
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
 
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/omap] enable secmark labeling for SE Android network access controls

[Stephen Smalley]

On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
> Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
> ---
>  arch/arm/configs/tuna_defconfig |    4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/arch/arm/configs/tuna_defconfig b/arch/arm/configs/tuna_defconfig
> index b7d903b..775e34b 100644
> --- a/arch/arm/configs/tuna_defconfig
> +++ b/arch/arm/configs/tuna_defconfig
> @@ -435,4 +435,8 @@ CONFIG_SECURITY=y
>  CONFIG_LSM_MMAP_MIN_ADDR=4096
>  CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_SELINUX=y
> +CONFIG_NETWORK_SECMARK=y
> +CONFIG_NF_CONNTRACK_SECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y

Thanks, merged.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[PATCH kernel/goldfish] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
---
 arch/x86/configs/i386_defconfig |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
index edba00d..09db997 100644
--- a/arch/x86/configs/i386_defconfig
+++ b/arch/x86/configs/i386_defconfig
@@ -2128,6 +2128,10 @@ CONFIG_SECURITY_NETWORK=y
 CONFIG_SECURITY_FILE_CAPABILITIES=y
 # CONFIG_SECURITY_ROOTPLUG is not set
 CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
+CONFIG_NETWORK_SECMARK=y
+CONFIG_NF_CONNTRACK_SECMARK=y
+CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
+CONFIG_NETFILTER_XT_TARGET_SECMARK=y
 CONFIG_SECURITY_SELINUX=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM=y
 CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
-- 
1.7.9.5


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/goldfish] enable secmark labeling for SE Android network access controls

[Stephen Smalley]

On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
> Signed-off-by: Joshua Brindle <jbrindle@tresys.com>
> ---
>  arch/x86/configs/i386_defconfig |    4 ++++
>  1 file changed, 4 insertions(+)

I would have expected these changes to go into
arch/x86/configs/goldfish_defconfig,
arch/arm/configs/goldfish_defconfig, and
arch/arm/configs/goldfish_armv7_defconfig.

> 
> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
> index edba00d..09db997 100644
> --- a/arch/x86/configs/i386_defconfig
> +++ b/arch/x86/configs/i386_defconfig
> @@ -2128,6 +2128,10 @@ CONFIG_SECURITY_NETWORK=y
>  CONFIG_SECURITY_FILE_CAPABILITIES=y
>  # CONFIG_SECURITY_ROOTPLUG is not set
>  CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
> +CONFIG_NETWORK_SECMARK=y
> +CONFIG_NF_CONNTRACK_SECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y
>  CONFIG_SECURITY_SELINUX=y
>  CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>  CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH kernel/goldfish] enable secmark labeling for SE Android network access controls

[Joshua Brindle]

Stephen Smalley wrote:
> On Sat, 2012-06-16 at 14:56 -0400, Joshua Brindle wrote:
>> Signed-off-by: Joshua Brindle<jbrindle@tresys.com>
>> ---
>>   arch/x86/configs/i386_defconfig |    4 ++++
>>   1 file changed, 4 insertions(+)
>
> I would have expected these changes to go into
> arch/x86/configs/goldfish_defconfig,
> arch/arm/configs/goldfish_defconfig, and
> arch/arm/configs/goldfish_armv7_defconfig.
>

Wondering why this worked (since it is obviously the wrong config) I looked at 
the above files. It appears that the x86 goldfish_defconfig already had it (I 
didn't test on an ARM emulator):

android/kernel/goldfish/arch/x86/configs$ git blame goldfish_defconfig | grep 
SECMARK
b2069ffd (Jun Nakajima         2011-03-06 23:12:13 -0800  453) 
CONFIG_NETWORK_SECMARK=y
b2069ffd (Jun Nakajima         2011-03-06 23:12:13 -0800  464) 
CONFIG_NF_CONNTRACK_SECMARK=y
b2069ffd (Jun Nakajima         2011-03-06 23:12:13 -0800  470) 
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
b2069ffd (Jun Nakajima         2011-03-06 23:12:13 -0800  473) 
CONFIG_NETFILTER_XT_TARGET_SECMARK=y


I'll apply it to the arm configs and resubmit.



>> diff --git a/arch/x86/configs/i386_defconfig b/arch/x86/configs/i386_defconfig
>> index edba00d..09db997 100644
>> --- a/arch/x86/configs/i386_defconfig
>> +++ b/arch/x86/configs/i386_defconfig
>> @@ -2128,6 +2128,10 @@ CONFIG_SECURITY_NETWORK=y
>>   CONFIG_SECURITY_FILE_CAPABILITIES=y
>>   # CONFIG_SECURITY_ROOTPLUG is not set
>>   CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
>> +CONFIG_NETWORK_SECMARK=y
>> +CONFIG_NF_CONNTRACK_SECMARK=y
>> +CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
>> +CONFIG_NETFILTER_XT_TARGET_SECMARK=y
>>   CONFIG_SECURITY_SELINUX=y
>>   CONFIG_SECURITY_SELINUX_BOOTPARAM=y
>>   CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH external/sepolicy] Add iptables script to policy

[Paul Moore]

On Saturday, June 16, 2012 02:56:34 PM Joshua Brindle wrote:
> diff --git a/iptables-selinux.sh b/iptables-selinux.sh
> new file mode 100755
> index 0000000..e9ac7d1
> --- /dev/null
> +++ b/iptables-selinux.sh
> @@ -0,0 +1,18 @@
> +#!/system/bin/sh
> +
> +IPTABLES="/system/bin/iptables"
> +
> +#$IPTABLES -t mangle -A INPUT -i wlan0 -j SECMARK --selctx ...

Perhaps we should use the security table instead of the mangle table?

-- 
paul moore
www.paul-moore.com


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: [PATCH external/sepolicy] Add iptables script to policy

[Stephen Smalley]

On Mon, 2012-06-18 at 11:25 -0400, Paul Moore wrote:
> On Saturday, June 16, 2012 02:56:34 PM Joshua Brindle wrote:
> > diff --git a/iptables-selinux.sh b/iptables-selinux.sh
> > new file mode 100755
> > index 0000000..e9ac7d1
> > --- /dev/null
> > +++ b/iptables-selinux.sh
> > @@ -0,0 +1,18 @@
> > +#!/system/bin/sh
> > +
> > +IPTABLES="/system/bin/iptables"
> > +
> > +#$IPTABLES -t mangle -A INPUT -i wlan0 -j SECMARK --selctx ...
> 
> Perhaps we should use the security table instead of the mangle table?

Yes, assuming that it is supported by the Android iptables.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.