From: James Morris <jmorris@namei.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>, Paul Moore <paul.moore@hp.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: [PATCH 3/4] add support for modifying secmark via ctnetlink
Date: Wed, 21 May 2008 21:42:19 +1000 (EST) [thread overview]
Message-ID: <Xine.LNX.4.64.0805212129150.19104@us.intercode.com.au> (raw)
In-Reply-To: <48340438.5020106@trash.net>
On Wed, 21 May 2008, Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
> > As for now we only support dumping. This patch adds support to change
> > the secmark from ctnetlink.
> >
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> >
> > Index: net-2.6.git/net/netfilter/nf_conntrack_netlink.c
> > ===================================================================
> > --- net-2.6.git.orig/net/netfilter/nf_conntrack_netlink.c 2008-05-20
> > 22:10:31.000000000 +0200
> > +++ net-2.6.git/net/netfilter/nf_conntrack_netlink.c 2008-05-20
> > 22:10:56.000000000 +0200
> > @@ -1121,6 +1121,11 @@ ctnetlink_change_conntrack(struct nf_con
> > ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
> > #endif
> >
> > +#if defined(CONFIG_NF_CONNTRACK_SECMARK)
> > + if (cda[CTA_SECMARK])
> > + ct->secmark = ntohl(nla_get_be32(cda[CTA_SECMARK]));
> > +#endif
> > +
> > #ifdef CONFIG_NF_NAT_NEEDED
> > if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
> > err = ctnetlink_change_nat_seq_adj(ct, cda);
>
> I'm wondering whether this isn't subverting the intent of
> secmark since AFAIK SELinux doesn't have finegrained
> controls for netlink messages. OTOH, it also doesn't have
> finegrained control over iptables rulesets.
>
> James, does this patch look OK to you?
There is some fine-grained netlink coverage, but it is incomplete (the
various generic netlink layers likely need to be consolidated first).
Currently, the SECMARK and CONNSECMARK targets call out to
selinux_secmark_relabel_packet_permission() when SELinux is active to
obtain a permission check. So, detection of the current security model
would need to be similarly performed.
The bigger issue perhaps is whether there's really a need to set secmark
via ctnetlink.
- James
--
James Morris
<jmorris@namei.org>
next prev parent reply other threads:[~2008-05-21 11:42 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-20 22:29 [PATCH 3/4] add support for modifying secmark via ctnetlink Pablo Neira Ayuso
2008-05-21 11:15 ` Patrick McHardy
2008-05-21 11:42 ` James Morris [this message]
2008-05-21 12:00 ` Patrick McHardy
2008-05-21 16:46 ` Paul Moore
2008-05-21 16:54 ` Stephen Smalley
2008-05-21 17:13 ` Patrick McHardy
2008-05-22 18:11 ` Stephen Smalley
2008-05-22 19:08 ` Patrick McHardy
2008-05-21 17:41 ` Paul Moore
2008-05-21 17:11 ` Patrick McHardy
2008-05-21 17:51 ` Paul Moore
2008-05-21 17:55 ` Stephen Smalley
2008-05-21 19:03 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Xine.LNX.4.64.0805212129150.19104@us.intercode.com.au \
--to=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.