From: jamal <hadi@cyberus.ca>
To: Thomas Graf <tgraf@suug.ch>
Cc: James Morris <jmorris@namei.org>,
Evgeniy Polyakov <johnpol@2ka.mipt.ru>,
netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: Re: Refactor Netlink connector?
Date: Wed, 31 May 2006 09:22:32 -0400 [thread overview]
Message-ID: <1149081752.5462.98.camel@jzny2> (raw)
In-Reply-To: <20060531130649.GD7844@postel.suug.ch>
On Wed, 2006-31-05 at 15:06 +0200, Thomas Graf wrote:
> * jamal <hadi@cyberus.ca> 2006-05-31 08:20
> > The challenge is how to inform SELinux of these permissions.
> > The access limit could be done by putting a SELinux hook at the time the
> > skb gets to the generic netlink code?
> > Note: There's actually two things that can be classified for access
> > control, the genl family as well as the ops.
>
> We already have the flag GENL_ADMIN_PERM which when set for a
> struct genl_ops calls security_netlink_recv(). It's not as
> fine grained as it could be though.
To also answer your other email:
Look at security/selinux/nlmsgtab.c for example for NETLINK_ROUTE
and compare with NETLINK_GENERIC to see the hole. I was suggesting if
we started by just adding checks for NETLINK_GENERIC first in those
tables (currently lacking), that would be a good start.
> The point is that adding
> fine grained SELinux support is no problem and even easier than
> for casual netlink families.
>
indeed. And it would be the first to check for a lot more fine graining
than exists today.
If you look at security/selinux/nlmsgtab.c (after we add checks for
NETLINK_GENERIC) then it seems hard to just "hardcode" all commands and
families/ids in there because the idea is people could even be doing
this via modules. Not sure if that made sense.
> the important point is that for genetlink we already have
> a point where we peek at the attributes and adding a hook is
> trivial unlike for other netlink families where they'd have to be
> spread in the code.
nod.
cheers,
jamal
next prev parent reply other threads:[~2006-05-31 13:22 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-26 20:04 Refactor Netlink connector? James Morris
2006-05-26 23:06 ` Patrick McHardy
2006-05-27 13:46 ` Evgeniy Polyakov
2006-05-27 16:45 ` James Morris
2006-05-27 17:21 ` James Morris
2006-05-28 15:33 ` Evgeniy Polyakov
2006-05-29 6:36 ` David Miller
2006-05-29 12:11 ` jamal
2006-05-30 14:22 ` James Morris
2006-05-31 12:00 ` jamal
2006-05-31 13:09 ` Thomas Graf
2006-05-30 14:18 ` James Morris
2006-05-30 18:03 ` Evgeniy Polyakov
2006-05-30 18:58 ` James Morris
2006-05-30 19:09 ` Evgeniy Polyakov
2006-05-31 3:00 ` Thomas Graf
2006-05-31 12:20 ` jamal
2006-05-31 13:06 ` Thomas Graf
2006-05-31 13:22 ` jamal [this message]
2006-05-31 15:42 ` James Morris
2006-06-01 10:45 ` Thomas Graf
2006-06-01 14:24 ` James Morris
2006-06-14 12:36 ` jamal
2006-06-14 15:19 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1149081752.5462.98.camel@jzny2 \
--to=hadi@cyberus.ca \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=johnpol@2ka.mipt.ru \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).