From: marcelo.leitner@gmail.com (Marcelo Ricardo Leitner)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v3 0/4] Add SELinux SCTP protocol support
Date: Fri, 22 Dec 2017 11:05:15 -0200	[thread overview]
Message-ID: <cover.1513940757.git.marcelo.leitner@gmail.com> (raw)

Posting on behalf of Richard Haines. Patchset is based on
selinux-tree/next. Some small conflicts are expected when merging with
current net-next due to I-Data patches, including one at
include/uapi/linux/sctp.h, on which the fix is to update the define
SCTP_SENDMSG_CONNECT to a higher number.
Below is the original cover letter from Richard, and the changes from
v2->v3.

The kernel patches have been built on Fedora 27 with kernel 4.13.12 plus
the following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as, when CIPSO/CALIPSO is configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes, forcing fragmentation, etc.

Changes since RFC Patch:
Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
as re-engineered. However this patchset will require the NetLabel
patch at [1] to fully run the SCTP selinux-testsuite.

PATCH 1/4
Remove unused parameter from security_sctp_assoc_request().
Reformat and update LSM-sctp.rst documentation.
PATCH 2/4
Add variables and RCU locks as requested in [2] to support IP options.
PATCH 3/4
Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
and sctp_sf_do_5_2_4_dupcook().
Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
no longer required.
PATCH 4/4
Reformat and update SELinux-sctp.rst documentation.
Remove bindx and connectx permissions.
Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
utilise helpers for code reuse.
Add spinlock to selinux_sctp_assoc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.

Changes since v2 post by Richard:
Updated sctp_frag_point() to also consider the ip options len.

[1] https://marc.info/?l=selinux&m=151061619115945&w=2
[2] https://marc.info/?l=selinux&m=150962470215797&w=2


Richard Haines (4):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.rst     | 194 ++++++++++++++++++++++
 Documentation/security/SELinux-sctp.rst | 104 ++++++++++++
 include/linux/lsm_hooks.h               |  35 ++++
 include/linux/security.h                |  25 +++
 include/net/sctp/sctp.h                 |   4 +-
 include/net/sctp/structs.h              |  12 ++
 include/uapi/linux/sctp.h               |   1 +
 net/sctp/chunk.c                        |  13 +-
 net/sctp/ipv6.c                         |  42 ++++-
 net/sctp/output.c                       |   5 +-
 net/sctp/protocol.c                     |  36 +++++
 net/sctp/sm_make_chunk.c                |  12 ++
 net/sctp/sm_statefuns.c                 |  18 +++
 net/sctp/socket.c                       |  70 +++++++-
 security/security.c                     |  22 +++
 security/selinux/hooks.c                | 278 +++++++++++++++++++++++++++++---
 security/selinux/include/classmap.h     |   2 +-
 security/selinux/include/netlabel.h     |  15 +-
 security/selinux/include/objsec.h       |   4 +
 security/selinux/netlabel.c             | 128 +++++++++++++--
 20 files changed, 971 insertions(+), 49 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.rst
 create mode 100644 Documentation/security/SELinux-sctp.rst

-- 
2.14.3
