* [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-09 7:28 [v2 PATCH 0/6] Export the sock's security context to proc rongqing.li
@ 2011-08-09 7:28 ` rongqing.li
2011-08-09 16:13 ` Casey Schaufler
2011-08-09 7:28 ` [PATCH 2/6] Define the function to write sock's security context to seq_file rongqing.li
` (4 subsequent siblings)
5 siblings, 1 reply; 16+ messages in thread
From: rongqing.li @ 2011-08-09 7:28 UTC (permalink / raw)
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
Define security_sk_getsecid to get the security id of a sock.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
include/linux/security.h | 6 ++++++
security/security.c | 6 ++++++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53..739ac39 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
void security_sk_free(struct sock *sk);
void security_sk_clone(const struct sock *sk, struct sock *newsk);
void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
+void security_sk_getsecid(struct sock *sk, u32 *secid);
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
void security_sock_graft(struct sock*sk, struct socket *parent);
int security_inet_conn_request(struct sock *sk,
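Review bot: the new prototype calls straight through `security_ops->sk_getsecid` in the security.c hunk with no NULL check, which is only safe if `sk_getsecid` is in the list of hooks the LSM core fills with capability defaults, as the neighbouring `security_sk_classify_flow` relies on; please confirm that in the commit message, or add the check. The description should also name the consumer: the only caller in this series (sock_write_secctx in patch 2) immediately converts the secid to a secctx, so the wrapper's purpose is not obvious from the prototype alone.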
@@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
}
+static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
+{
+ *secid = 0;
+}
+
static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
}
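Review bot: the `!CONFIG_SECURITY` stub writes `*secid = 0`, which matches the convention callers already rely on (the audit code does `if (!sid) return;`), so a caller never reads an uninitialised secid when no LSM is built in; that contract (0 means "no label", no error return) is worth one line in the commit message so later callers do not treat the wrapper as if it could fail.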
diff --git a/security/security.c b/security/security.c
index 0e4fccf..b0e0825 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
}
EXPORT_SYMBOL(security_sk_classify_flow);
+void security_sk_getsecid(struct sock *sk, u32 *secid)
+{
+ security_ops->sk_getsecid(sk, secid);
+}
+EXPORT_SYMBOL(security_sk_getsecid);
+
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
security_ops->req_classify_flow(req, fl);
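Review bot: exporting a secid getter whose one user turns around and calls `security_secid_to_secctx()` adds a round trip and a second LSM entry point for no gain; a `security_sk_getsecctx(sk, &ctx, &len)` wrapper, paired with `security_release_secctx()`, would give the /proc writer what it actually needs in one call and keep the secid internal to the LSM, which is the point raised in the replies below.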
--
1.7.1
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-09 7:28 ` [PATCH 1/6] Security: define security_sk_getsecid rongqing.li
@ 2011-08-09 16:13 ` Casey Schaufler
2011-08-10 0:43 ` Rongqing Li
0 siblings, 1 reply; 16+ messages in thread
From: Casey Schaufler @ 2011-08-09 16:13 UTC (permalink / raw)
To: rongqing.li; +Cc: netdev, selinux, linux-security-module, sds, Casey Schaufler
On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
> From: Roy.Li <rongqing.li@windriver.com>
>
> Define security_sk_getsecid to get the security id of a sock.
Why are you requesting the secid when you're just going to
use it to get the secctx? Why not ask for that directly?
Is there ever a case where you only want the secid?
>
> Signed-off-by: Roy.Li <rongqing.li@windriver.com>
> ---
> include/linux/security.h | 6 ++++++
> security/security.c | 6 ++++++
> 2 files changed, 12 insertions(+), 0 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ebd2a53..739ac39 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
> void security_sk_free(struct sock *sk);
> void security_sk_clone(const struct sock *sk, struct sock *newsk);
> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
> +void security_sk_getsecid(struct sock *sk, u32 *secid);
> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
> void security_sock_graft(struct sock*sk, struct socket *parent);
> int security_inet_conn_request(struct sock *sk,
> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> {
> }
>
> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
> +{
> + *secid = 0;
> +}
> +
> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
> {
> }
> diff --git a/security/security.c b/security/security.c
> index 0e4fccf..b0e0825 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
> }
> EXPORT_SYMBOL(security_sk_classify_flow);
>
> +void security_sk_getsecid(struct sock *sk, u32 *secid)
> +{
> + security_ops->sk_getsecid(sk, secid);
> +}
> +EXPORT_SYMBOL(security_sk_getsecid);
> +
> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
> {
> security_ops->req_classify_flow(req, fl);
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-09 16:13 ` Casey Schaufler
@ 2011-08-10 0:43 ` Rongqing Li
2011-08-10 0:57 ` Casey Schaufler
0 siblings, 1 reply; 16+ messages in thread
From: Rongqing Li @ 2011-08-10 0:43 UTC (permalink / raw)
To: Casey Schaufler; +Cc: netdev, selinux, linux-security-module, sds
On 08/10/2011 12:13 AM, Casey Schaufler wrote:
> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
>> From: Roy.Li<rongqing.li@windriver.com>
>>
>> Define security_sk_getsecid to get the security id of a sock.
>
> Why are you requesting the secid when you're just going to
> use it to get the secctx? Why not ask for that directly?
> Is there ever a case where you only want the secid?
>
Hi:
As far as I know, we have no method to get secctx directly.
Most of the time, we get secctx like this.
The below comes from kernel/auditsc.c
void audit_log_task_context(struct audit_buffer *ab)
{
	char *ctx = NULL;
	unsigned len;
	int error;
	u32 sid;

	security_task_getsecid(current, &sid);
	if (!sid)
		return;

	error = security_secid_to_secctx(sid, &ctx, &len);
	if (error) {
		if (error != -EINVAL)
			goto error_path;
		return;
	}

	audit_log_format(ab, " subj=%s", ctx);
	security_release_secctx(ctx, len);
	return;

error_path:
	audit_panic("error in audit_log_task_context");
	return;
}
-Roy
>>
>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>> ---
>> include/linux/security.h | 6 ++++++
>> security/security.c | 6 ++++++
>> 2 files changed, 12 insertions(+), 0 deletions(-)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index ebd2a53..739ac39 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>> void security_sk_free(struct sock *sk);
>> void security_sk_clone(const struct sock *sk, struct sock *newsk);
>> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
>> +void security_sk_getsecid(struct sock *sk, u32 *secid);
>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
>> void security_sock_graft(struct sock*sk, struct socket *parent);
>> int security_inet_conn_request(struct sock *sk,
>> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>> {
>> }
>>
>> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
>> +{
>> + *secid = 0;
>> +}
>> +
>> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>> {
>> }
>> diff --git a/security/security.c b/security/security.c
>> index 0e4fccf..b0e0825 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>> }
>> EXPORT_SYMBOL(security_sk_classify_flow);
>>
>> +void security_sk_getsecid(struct sock *sk, u32 *secid)
>> +{
>> + security_ops->sk_getsecid(sk, secid);
>> +}
>> +EXPORT_SYMBOL(security_sk_getsecid);
>> +
>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>> {
>> security_ops->req_classify_flow(req, fl);
>
>
--
Best Regards,
Roy | RongQing Li
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-10 0:43 ` Rongqing Li
@ 2011-08-10 0:57 ` Casey Schaufler
2011-08-10 1:24 ` Rongqing Li
0 siblings, 1 reply; 16+ messages in thread
From: Casey Schaufler @ 2011-08-10 0:57 UTC (permalink / raw)
To: Rongqing Li; +Cc: netdev, selinux, linux-security-module, sds
On 8/9/2011 5:43 PM, Rongqing Li wrote:
> On 08/10/2011 12:13 AM, Casey Schaufler wrote:
>> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
>>> From: Roy.Li<rongqing.li@windriver.com>
>>>
>>> Define security_sk_getsecid to get the security id of a sock.
>>
>> Why are you requesting the secid when you're just going to
>> use it to get the secctx? Why not ask for that directly?
>> Is there ever a case where you only want the secid?
>>
> Hi:
>
> As far as I know, we have no method to get secctx directly.
You are defining the method! Ask for what you want!
The whole notion of secids is a holdover from the bad old
days when SELinux was a user space based enforcement mechanism.
The audit system was implemented when SELinux was the lone LSM
and unfortunately and unnecessarily propagated the use of secids.
If an object has a secid it must also have a secctx. The
interfaces that use secids could just as well use the secctx.
It is wasteful to create a new interface that fetches a secid
just to turn around and ask for the secctx in all cases.
> Most of the time, we get secctx like this.
>
> The below comes from kernel/auditsc.c
>
> void audit_log_task_context(struct audit_buffer *ab)
> {
> char *ctx = NULL;
> unsigned len;
> int error;
> u32 sid;
>
> security_task_getsecid(current, &sid);
> if (!sid)
> return;
>
> error = security_secid_to_secctx(sid, &ctx, &len);
> if (error) {
> if (error != -EINVAL)
> goto error_path;
> return;
> }
>
> audit_log_format(ab, " subj=%s", ctx);
> security_release_secctx(ctx, len);
> return;
>
> error_path:
> audit_panic("error in audit_log_task_context");
> return;
> }
>
>
> -Roy
>
>
>>>
>>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>>> ---
>>> include/linux/security.h | 6 ++++++
>>> security/security.c | 6 ++++++
>>> 2 files changed, 12 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>> index ebd2a53..739ac39 100644
>>> --- a/include/linux/security.h
>>> +++ b/include/linux/security.h
>>> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>>> void security_sk_free(struct sock *sk);
>>> void security_sk_clone(const struct sock *sk, struct sock *newsk);
>>> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
>>> +void security_sk_getsecid(struct sock *sk, u32 *secid);
>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
>>> void security_sock_graft(struct sock*sk, struct socket *parent);
>>> int security_inet_conn_request(struct sock *sk,
>>> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>> {
>>> }
>>>
>>> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
>>> +{
>>> + *secid = 0;
>>> +}
>>> +
>>> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>> {
>>> }
>>> diff --git a/security/security.c b/security/security.c
>>> index 0e4fccf..b0e0825 100644
>>> --- a/security/security.c
>>> +++ b/security/security.c
>>> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>> }
>>> EXPORT_SYMBOL(security_sk_classify_flow);
>>>
>>> +void security_sk_getsecid(struct sock *sk, u32 *secid)
>>> +{
>>> + security_ops->sk_getsecid(sk, secid);
>>> +}
>>> +EXPORT_SYMBOL(security_sk_getsecid);
>>> +
>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>> {
>>> security_ops->req_classify_flow(req, fl);
>>
>>
>
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-10 0:57 ` Casey Schaufler
@ 2011-08-10 1:24 ` Rongqing Li
2011-08-10 1:35 ` Casey Schaufler
2011-08-10 12:49 ` Stephen Smalley
0 siblings, 2 replies; 16+ messages in thread
From: Rongqing Li @ 2011-08-10 1:24 UTC (permalink / raw)
To: Casey Schaufler; +Cc: netdev, selinux, linux-security-module, sds
On 08/10/2011 08:57 AM, Casey Schaufler wrote:
> On 8/9/2011 5:43 PM, Rongqing Li wrote:
>> On 08/10/2011 12:13 AM, Casey Schaufler wrote:
>>> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
>>>> From: Roy.Li<rongqing.li@windriver.com>
>>>>
>>>> Define security_sk_getsecid to get the security id of a sock.
>>>
>>> Why are you requesting the secid when you're just going to
>>> use it to get the secctx? Why not ask for that directly?
>>> Is there ever a case where you only want the secid?
>>>
>> Hi:
>>
>> As far as I know, we have no method to get secctx directly.
>
> You are defining the method! Ask for what you want!
>
> The whole notion of secids is a holdover from the bad old
> days when SELinux was a user space based enforcement mechanism.
> The audit system was implemented when SELinux was the lone LSM
> and unfortunately and unnecessarily propagated the use of secids.
> If an object has a secid it must also have a secctx. The
> interfaces that use secids could just as well use the secctx.
> It is wasteful to create a new interface that fetches a secid
> just to turn around and ask for the secctx in all cases.
>
Do you mean I should write a method like the one below:
security_sk_getsecctx(struct sock *sk, char *secctx, int *len)?
But secctx is only used by the user. secid is used in source code to
compute and compare the access permission.
And I do not see a similar method like
security_task_getsecctx(), but security_task_getsecid() has been
implemented in the kernel source code.
-Roy
>> Most of the time, we get secctx like this.
>>
>> The below comes from kernel/auditsc.c
>>
>> void audit_log_task_context(struct audit_buffer *ab)
>> {
>> char *ctx = NULL;
>> unsigned len;
>> int error;
>> u32 sid;
>>
>> security_task_getsecid(current,&sid);
>> if (!sid)
>> return;
>>
>> error = security_secid_to_secctx(sid,&ctx,&len);
>> if (error) {
>> if (error != -EINVAL)
>> goto error_path;
>> return;
>> }
>>
>> audit_log_format(ab, " subj=%s", ctx);
>> security_release_secctx(ctx, len);
>> return;
>>
>> error_path:
>> audit_panic("error in audit_log_task_context");
>> return;
>> }
>>
>>
>> -Roy
>>
>>
>>>>
>>>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>>>> ---
>>>> include/linux/security.h | 6 ++++++
>>>> security/security.c | 6 ++++++
>>>> 2 files changed, 12 insertions(+), 0 deletions(-)
>>>>
>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>> index ebd2a53..739ac39 100644
>>>> --- a/include/linux/security.h
>>>> +++ b/include/linux/security.h
>>>> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>>>> void security_sk_free(struct sock *sk);
>>>> void security_sk_clone(const struct sock *sk, struct sock *newsk);
>>>> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid);
>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
>>>> void security_sock_graft(struct sock*sk, struct socket *parent);
>>>> int security_inet_conn_request(struct sock *sk,
>>>> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>> {
>>>> }
>>>>
>>>> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>> +{
>>>> + *secid = 0;
>>>> +}
>>>> +
>>>> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>> {
>>>> }
>>>> diff --git a/security/security.c b/security/security.c
>>>> index 0e4fccf..b0e0825 100644
>>>> --- a/security/security.c
>>>> +++ b/security/security.c
>>>> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>> }
>>>> EXPORT_SYMBOL(security_sk_classify_flow);
>>>>
>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>> +{
>>>> + security_ops->sk_getsecid(sk, secid);
>>>> +}
>>>> +EXPORT_SYMBOL(security_sk_getsecid);
>>>> +
>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>> {
>>>> security_ops->req_classify_flow(req, fl);
>>>
>>>
>>
>
>
--
Best Regards,
Roy | RongQing Li
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-10 1:24 ` Rongqing Li
@ 2011-08-10 1:35 ` Casey Schaufler
2011-08-10 1:44 ` Rongqing Li
2011-08-10 12:49 ` Stephen Smalley
1 sibling, 1 reply; 16+ messages in thread
From: Casey Schaufler @ 2011-08-10 1:35 UTC (permalink / raw)
To: Rongqing Li; +Cc: netdev, selinux, linux-security-module, sds, Casey Schaufler
On 8/9/2011 6:24 PM, Rongqing Li wrote:
> On 08/10/2011 08:57 AM, Casey Schaufler wrote:
>> On 8/9/2011 5:43 PM, Rongqing Li wrote:
>>> On 08/10/2011 12:13 AM, Casey Schaufler wrote:
>>>> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
>>>>> From: Roy.Li<rongqing.li@windriver.com>
>>>>>
>>>>> Define security_sk_getsecid to get the security id of a sock.
>>>>
>>>> Why are you requesting the secid when you're just going to
>>>> use it to get the secctx? Why not ask for that directly?
>>>> Is there ever a case where you only want the secid?
>>>>
>>> Hi:
>>>
>>> As far as I know, we have no method to get secctx directly.
>>
>> You are defining the method! Ask for what you want!
>>
>> The whole notion of secids is a holdover from the bad old
>> days when SELinux was a user space based enforcement mechanism.
>> The audit system was implemented when SELinux was the lone LSM
>> and unfortunately and unnecessarily propagated the use of secids.
>> If an object has a secid it must also have a secctx. The
>> interfaces that use secids could just as well use the secctx.
>> It is wasteful to create a new interface that fetches a secid
>> just to turn around and ask for the secctx in all cases.
>>
>
> Do you mean I should write a method like the one below:
> security_sk_getsecctx(struct sock *sk, char *secctx, int *len)?
Yes. That is exactly what you should do.
>
> But secctx is only used by the user.
But all you're doing is printing out the secctx. The only
thing you are doing with the secid is converting it to a
secctx.
> secid is used in source code to
> compute and compare the access permission.
That will depend on the LSM involved. You are making a change to
the LSM, not just SELinux.
>
> And I do not see a similar method like
> security_task_getsecctx(), but security_task_getsecid() has been
> implemented in the kernel source code.
Have a look at how those interfaces are used.
>
> -Roy
>
>
>>> Most of the time, we get secctx like this.
>>>
>>> The below comes from kernel/auditsc.c
>>>
>>> void audit_log_task_context(struct audit_buffer *ab)
>>> {
>>> char *ctx = NULL;
>>> unsigned len;
>>> int error;
>>> u32 sid;
>>>
>>> security_task_getsecid(current,&sid);
>>> if (!sid)
>>> return;
>>>
>>> error = security_secid_to_secctx(sid,&ctx,&len);
>>> if (error) {
>>> if (error != -EINVAL)
>>> goto error_path;
>>> return;
>>> }
>>>
>>> audit_log_format(ab, " subj=%s", ctx);
>>> security_release_secctx(ctx, len);
>>> return;
>>>
>>> error_path:
>>> audit_panic("error in audit_log_task_context");
>>> return;
>>> }
>>>
>>>
>>> -Roy
>>>
>>>
>>>>>
>>>>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>>>>> ---
>>>>> include/linux/security.h | 6 ++++++
>>>>> security/security.c | 6 ++++++
>>>>> 2 files changed, 12 insertions(+), 0 deletions(-)
>>>>>
>>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>>> index ebd2a53..739ac39 100644
>>>>> --- a/include/linux/security.h
>>>>> +++ b/include/linux/security.h
>>>>> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>>>>> void security_sk_free(struct sock *sk);
>>>>> void security_sk_clone(const struct sock *sk, struct sock *newsk);
>>>>> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
>>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid);
>>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
>>>>> void security_sock_graft(struct sock*sk, struct socket *parent);
>>>>> int security_inet_conn_request(struct sock *sk,
>>>>> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>>> {
>>>>> }
>>>>>
>>>>> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>>> +{
>>>>> + *secid = 0;
>>>>> +}
>>>>> +
>>>>> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>>> {
>>>>> }
>>>>> diff --git a/security/security.c b/security/security.c
>>>>> index 0e4fccf..b0e0825 100644
>>>>> --- a/security/security.c
>>>>> +++ b/security/security.c
>>>>> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>>> }
>>>>> EXPORT_SYMBOL(security_sk_classify_flow);
>>>>>
>>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>>> +{
>>>>> + security_ops->sk_getsecid(sk, secid);
>>>>> +}
>>>>> +EXPORT_SYMBOL(security_sk_getsecid);
>>>>> +
>>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>>> {
>>>>> security_ops->req_classify_flow(req, fl);
>>>>
>>>>
>>>
>>
>>
>
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-10 1:35 ` Casey Schaufler
@ 2011-08-10 1:44 ` Rongqing Li
0 siblings, 0 replies; 16+ messages in thread
From: Rongqing Li @ 2011-08-10 1:44 UTC (permalink / raw)
To: Casey Schaufler; +Cc: netdev, selinux, linux-security-module, sds
On 08/10/2011 09:35 AM, Casey Schaufler wrote:
> On 8/9/2011 6:24 PM, Rongqing Li wrote:
>> On 08/10/2011 08:57 AM, Casey Schaufler wrote:
>>> On 8/9/2011 5:43 PM, Rongqing Li wrote:
>>>> On 08/10/2011 12:13 AM, Casey Schaufler wrote:
>>>>> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
>>>>>> From: Roy.Li<rongqing.li@windriver.com>
>>>>>>
>>>>>> Define security_sk_getsecid to get the security id of a sock.
>>>>>
>>>>> Why are you requesting the secid when you're just going to
>>>>> use it to get the secctx? Why not ask for that directly?
>>>>> Is there ever a case where you only want the secid?
>>>>>
>>>> Hi:
>>>>
>>>> As far as I know, we have no method to get secctx directly.
>>>
>>> You are defining the method! Ask for what you want!
>>>
>>> The whole notion of secids is a holdover from the bad old
>>> days when SELinux was a user space based enforcement mechanism.
>>> The audit system was implemented when SELinux was the lone LSM
>>> and unfortunately and unnecessarily propagated the use of secids.
>>> If an object has a secid it must also have a secctx. The
>>> interfaces that use secids could just as well use the secctx.
>>> It is wasteful to create a new interface that fetches a secid
>>> just to turn around and ask for the secctx in all cases.
>>>
>>
>> Do you mean I should write a method like the one below:
>> security_sk_getsecctx(struct sock *sk, char *secctx, int *len)?
>
> Yes. That is exactly what you should do.
>
>>
>> But secctx is only used by the user.
>
> But all you're doing is printing out the secctx. The only
> thing you are doing with the secid is converting it to a
> secctx.
>
>> secid is used in source code to
>> compute and compare the access permission.
>
> That will depend on the LSM involved. You are making a change to
> the LSM, not just SELinux.
>
>>
>> And I do not see a similar method like
>> security_task_getsecctx(), but security_task_getsecid() has been
>> implemented in the kernel source code.
>
> Have a look at how those interfaces are used.
>
>
Thank you very much.
I will study these interfaces, and hope to get your comments when
I send new patches.
Thanks.
>>
>> -Roy
>>
>>
>>>> Most of the time, we get secctx like this.
>>>>
>>>> The below comes from kernel/auditsc.c
>>>>
>>>> void audit_log_task_context(struct audit_buffer *ab)
>>>> {
>>>> char *ctx = NULL;
>>>> unsigned len;
>>>> int error;
>>>> u32 sid;
>>>>
>>>> security_task_getsecid(current,&sid);
>>>> if (!sid)
>>>> return;
>>>>
>>>> error = security_secid_to_secctx(sid,&ctx,&len);
>>>> if (error) {
>>>> if (error != -EINVAL)
>>>> goto error_path;
>>>> return;
>>>> }
>>>>
>>>> audit_log_format(ab, " subj=%s", ctx);
>>>> security_release_secctx(ctx, len);
>>>> return;
>>>>
>>>> error_path:
>>>> audit_panic("error in audit_log_task_context");
>>>> return;
>>>> }
>>>>
>>>>
>>>> -Roy
>>>>
>>>>
>>>>>>
>>>>>> Signed-off-by: Roy.Li<rongqing.li@windriver.com>
>>>>>> ---
>>>>>> include/linux/security.h | 6 ++++++
>>>>>> security/security.c | 6 ++++++
>>>>>> 2 files changed, 12 insertions(+), 0 deletions(-)
>>>>>>
>>>>>> diff --git a/include/linux/security.h b/include/linux/security.h
>>>>>> index ebd2a53..739ac39 100644
>>>>>> --- a/include/linux/security.h
>>>>>> +++ b/include/linux/security.h
>>>>>> @@ -2560,6 +2560,7 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
>>>>>> void security_sk_free(struct sock *sk);
>>>>>> void security_sk_clone(const struct sock *sk, struct sock *newsk);
>>>>>> void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
>>>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid);
>>>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
>>>>>> void security_sock_graft(struct sock*sk, struct socket *parent);
>>>>>> int security_inet_conn_request(struct sock *sk,
>>>>>> @@ -2701,6 +2702,11 @@ static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>>>> {
>>>>>> }
>>>>>>
>>>>>> +static inline void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>>>> +{
>>>>>> + *secid = 0;
>>>>>> +}
>>>>>> +
>>>>>> static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>>>> {
>>>>>> }
>>>>>> diff --git a/security/security.c b/security/security.c
>>>>>> index 0e4fccf..b0e0825 100644
>>>>>> --- a/security/security.c
>>>>>> +++ b/security/security.c
>>>>>> @@ -1104,6 +1104,12 @@ void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
>>>>>> }
>>>>>> EXPORT_SYMBOL(security_sk_classify_flow);
>>>>>>
>>>>>> +void security_sk_getsecid(struct sock *sk, u32 *secid)
>>>>>> +{
>>>>>> + security_ops->sk_getsecid(sk, secid);
>>>>>> +}
>>>>>> +EXPORT_SYMBOL(security_sk_getsecid);
>>>>>> +
>>>>>> void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
>>>>>> {
>>>>>> security_ops->req_classify_flow(req, fl);
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>
--
Best Regards,
Roy | RongQing Li
* Re: [PATCH 1/6] Security: define security_sk_getsecid.
2011-08-10 1:24 ` Rongqing Li
2011-08-10 1:35 ` Casey Schaufler
@ 2011-08-10 12:49 ` Stephen Smalley
1 sibling, 0 replies; 16+ messages in thread
From: Stephen Smalley @ 2011-08-10 12:49 UTC (permalink / raw)
To: Rongqing Li; +Cc: Casey Schaufler, netdev, selinux, linux-security-module
On Wed, 2011-08-10 at 09:24 +0800, Rongqing Li wrote:
> On 08/10/2011 08:57 AM, Casey Schaufler wrote:
> > On 8/9/2011 5:43 PM, Rongqing Li wrote:
> >> On 08/10/2011 12:13 AM, Casey Schaufler wrote:
> >>> On 8/9/2011 12:28 AM, rongqing.li@windriver.com wrote:
> >>>> From: Roy.Li<rongqing.li@windriver.com>
> >>>>
> >>>> Define security_sk_getsecid to get the security id of a sock.
> >>>
> >>> Why are you requesting the secid when you're just going to
> >>> use it to get the secctx? Why not ask for that directly?
> >>> Is there ever a case where you only want the secid?
> >>>
> >> Hi:
> >>
> >> As far as I know, we have no method to get secctx directly.
> >
> > You are defining the method! Ask for what you want!
> >
> > The whole notion of secids is a holdover from the bad old
> > days when SELinux was a user space based enforcement mechanism.
> > The audit system was implemented when SELinux was the lone LSM
> > and unfortunately and unnecessarily propagated the use of secids.
> > If an object has a secid it must also have a secctx. The
> > interfaces that use secids could just as well use the secctx.
> > It is wasteful to create a new interface that fetches a secid
> > just to turn around and ask for the secctx in all cases.
> >
>
> Do you mean I should write a method like the one below:
> security_sk_getsecctx(struct sock *sk, char *secctx, int *len)?
>
> But secctx is only used by the user. secid is used in source code to
> compute and compare the access permission.
>
> And I do not see a similar method like
> security_task_getsecctx(), but security_task_getsecid() has been
> implemented in the kernel source code.
Unlike Casey, I don't think secids are a bad idea or just a holdover -
we find them to be quite useful and efficient in SELinux. But in this
instance, he is correct that there is no reason to first fetch a secid
only to convert it into a context. There are other cases where you do
in fact want to avoid generating and managing the life cycle of a
security context string until you truly need it, and thus a secid makes
sense. So if you want to add a security_sk_getsecctx() hook, feel free.
There are some existing examples, e.g. security_inode_getsecctx() for
inodes, security_getprocattr() for tasks. Note that they use a slightly
different interface than what you describe above.
--
Stephen Smalley
National Security Agency
* [PATCH 2/6] Define the function to write sock's security context to seq_file.
2011-08-09 7:28 [v2 PATCH 0/6] Export the sock's security context to proc rongqing.li
2011-08-09 7:28 ` [PATCH 1/6] Security: define security_sk_getsecid rongqing.li
@ 2011-08-09 7:28 ` rongqing.li
2011-08-09 7:28 ` [PATCH 3/6] Export the raw sock's security context to proc rongqing.li
` (3 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: rongqing.li @ 2011-08-09 7:28 UTC (permalink / raw)
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
sock_write_secctx will write the sock's security context to a seq_file
and return the number of characters successfully written.
This function will be called when exporting socket information to proc.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
include/net/sock.h | 1 +
net/core/sock.c | 28 ++++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 0 deletions(-)
diff --git a/include/net/sock.h b/include/net/sock.h
index 8e4062f..8bedb0c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1828,6 +1828,7 @@ static inline struct sock *skb_steal_sock(struct sk_buff *skb)
extern void sock_enable_timestamp(struct sock *sk, int flag);
extern int sock_get_timestamp(struct sock *, struct timeval __user *);
extern int sock_get_timestampns(struct sock *, struct timespec __user *);
+extern int sock_write_secctx(struct sock *sk, struct seq_file *seq);
/*
* Enable debug/info messages
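Review bot: the new prototype names `struct seq_file`; if include/net/sock.h does not already pull in linux/seq_file.h, add a forward declaration `struct seq_file;` next to the other externs so the header still compiles in every file that includes it, rather than relying on include order. The `sk` argument is also left non-const although the function only reads the sock, in contrast to the `struct sock *` in the two `sock_get_timestamp*` lines above, so consider matching whichever convention sock.h uses for read-only helpers.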
diff --git a/net/core/sock.c b/net/core/sock.c
index bc745d0..032ea72 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2254,6 +2254,34 @@ void sk_common_release(struct sock *sk)
}
EXPORT_SYMBOL(sk_common_release);
+int sock_write_secctx(struct sock *sk, struct seq_file *seq)
+{
+ char *ctx = NULL;
+ u32 ctxlen, secid;
+ int len;
+
+ if (sk == NULL)
+ goto error;
+
+ if (security_socket_getsockname(sk->sk_socket))
+ goto error;
+
+ security_sk_getsecid(sk, &secid);
+ if (!secid)
+ goto error;
+
+ if (security_secid_to_secctx(secid, &ctx, &ctxlen))
+ goto error;
+
+ seq_printf(seq, " %s%n", ctx, &len);
+ security_release_secctx(ctx, ctxlen);
+ return len;
+
+error:
+ seq_printf(seq, " %s%n", "-", &len);
+ return len;
+}
+
static DEFINE_RWLOCK(proto_list_lock);
static LIST_HEAD(proto_list);
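Review bot: `sk->sk_socket` can be NULL for a sock that is not, or no longer, attached to a socket (an orphaned sock being listed is the obvious case), and the LSMs that implement `socket_getsockname` dereference their argument, so the guard must become `if (sk == NULL || sk->sk_socket == NULL) goto error;` before the permission check. Second, recovering the written length with `%n` depends on the kernel's vsnprintf honouring `%n`, and `len` is never written when seq_printf returns early because the buffer is already full, so the function can return garbage; since the one caller in this series discards the result, make it `void` (or return what seq_printf returns) and drop the `%n` entirely. Finally, `ctxlen` is `u32` while `security_release_secctx()` is fed the same value, which is fine, but `len` as `int` next to it reads as two different length types for one string; pick one.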
--
1.7.1
* [PATCH 3/6] Export the raw sock's security context to proc.
2011-08-09 7:28 [v2 PATCH 0/6] Export the sock's security context to proc rongqing.li
2011-08-09 7:28 ` [PATCH 1/6] Security: define security_sk_getsecid rongqing.li
2011-08-09 7:28 ` [PATCH 2/6] Define the function to write sock's security context to seq_file rongqing.li
@ 2011-08-09 7:28 ` rongqing.li
2011-08-09 7:28 ` [PATCH 4/6] Export the udp " rongqing.li
` (2 subsequent siblings)
5 siblings, 0 replies; 16+ messages in thread
From: rongqing.li @ 2011-08-09 7:28 UTC (permalink / raw)
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
The element sk_security of struct sock represents the socket
security context ID, which most of the time is inherited from the
process that creates the socket.
But when an SELinux type_transition rule is applied to the socket, or
the application sets /proc/xxx/attr/createsock, the socket security
context will be different from that of the creating process. In that
case "netstat -Z" returns a wrong value, since "netstat -Z" only
reports the process security context as the socket's security
context.
Export the raw sock's security context to proc, so that "netstat -Z"
can be fixed by reading procfs.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
net/ipv4/raw.c | 7 +++++--
1 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 1457acb..79c17e5 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -979,12 +979,15 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
srcp = inet->inet_num;
seq_printf(seq, "%4d: %08X:%04X %08X:%04X"
- " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d\n",
+ " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d",
i, src, srcp, dest, destp, sp->sk_state,
sk_wmem_alloc_get(sp),
sk_rmem_alloc_get(sp),
0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
+
+ sock_write_secctx(sp, seq);
+ seq_putc(seq, '\n');
}
static int raw_seq_show(struct seq_file *seq, void *v)
@@ -992,7 +995,7 @@ static int raw_seq_show(struct seq_file *seq, void *v)
if (v == SEQ_START_TOKEN)
seq_printf(seq, " sl local_address rem_address st tx_queue "
"rx_queue tr tm->when retrnsmt uid timeout "
- "inode ref pointer drops\n");
+ "inode ref pointer drops seclabel\n");
else
raw_sock_seq_show(seq, v, raw_seq_private(seq)->bucket);
return 0;
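Review bot: the "inode ref pointer drops seclabel" header here, together with the column appended in the previous hunk, changes the whitespace-separated field count of every /proc/net/raw line, which is a change to a user-visible layout rather than to a private format; and because raw_sock_seq_show does no padding, the line length now varies with the label. If this is to go in at all, the commit message must spell out the compatibility impact; an extensible channel such as a netlink attribute in the socket diag dump avoids the problem entirely.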
--
1.7.1
* [PATCH 4/6] Export the udp sock's security context to proc.
From: rongqing.li @ 2011-08-09 7:28 UTC
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
Export the udp sock's security context to proc, since it may be
different from the security context of the sock's owner process.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
net/ipv4/udp.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 1b5a193..6a1aff9 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2102,21 +2102,23 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
atomic_read(&sp->sk_refcnt), sp,
atomic_read(&sp->sk_drops), len);
+
+ *len += sock_write_secctx(sp, f);
}
int udp4_seq_show(struct seq_file *seq, void *v)
{
if (v == SEQ_START_TOKEN)
- seq_printf(seq, "%-127s\n",
+ seq_printf(seq, "%-150s\n",
" sl local_address rem_address st tx_queue "
"rx_queue tr tm->when retrnsmt uid timeout "
- "inode ref pointer drops");
+ "inode ref pointer drops seclabel");
else {
struct udp_iter_state *state = seq->private;
int len;
udp4_format_sock(v, seq, state->bucket, &len);
- seq_printf(seq, "%*s\n", 127 - len, "");
+ seq_printf(seq, "%*s\n", (150 - len) > 0 ? 150 - len : 0, "");
}
return 0;
}
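Review bot: raising the pad width from 127 to 150 changes the length of every /proc/net/udp line, not only the ones carrying a label, and the "(150 - len) > 0 ? 150 - len : 0" clamp means that as soon as a label does not fit in the slack (the existing columns already need up to 127 characters, and an SELinux context of the form user:role:type:level easily runs to 30 or more) the line silently grows past 150 bytes, so readers that relied on the fixed record size get neither the old width nor a dependable new one. Either size the width from the maximum label length the LSM can produce, or state explicitly that the fixed-width promise is dropped; in any case the clamp needs a comment saying why overflow is tolerated.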
--
1.7.1
* [PATCH 5/6] Export the unix sock's security context to proc.
From: rongqing.li @ 2011-08-09 7:28 UTC
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
Export the unix sock's security context to proc, since it may be
different from the security context of the sock's owner process.
Output '-' in the Path column if the addr of the unix_sock is NULL, rather
than nothing.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
net/unix/af_unix.c | 20 ++++++++++++++++----
1 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ec68e1c..9021f9b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2239,12 +2239,14 @@ static void unix_seq_stop(struct seq_file *seq, void *v)
spin_unlock(&unix_table_lock);
}
+#define OFFSET_PATH_START 40
static int unix_seq_show(struct seq_file *seq, void *v)
{
+ int len, offset = OFFSET_PATH_START;
if (v == SEQ_START_TOKEN)
seq_puts(seq, "Num RefCount Protocol Flags Type St "
- "Inode Path\n");
+ "Inode Path SecLabel\n");
else {
struct sock *s = v;
struct unix_sock *u = unix_sk(s);
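Review bot: "#define OFFSET_PATH_START 40" is a bare magic number; add a comment saying it is the column at which the Path field starts in the existing output, because the alignment arithmetic in the last hunk depends on it and nothing ties the two together. The widened header ("Inode Path SecLabel") is also a change to the user-visible /proc/net/unix layout and deserves a sentence in the commit message.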
@@ -2261,9 +2263,9 @@ static int unix_seq_show(struct seq_file *seq, void *v)
(s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING),
sock_i_ino(s));
+ seq_putc(seq, ' ');
if (u->addr) {
- int i, len;
- seq_putc(seq, ' ');
+ int i;
i = 0;
len = u->addr->len - sizeof(short);
@@ -2275,7 +2277,17 @@ static int unix_seq_show(struct seq_file *seq, void *v)
}
for ( ; i < len; i++)
seq_putc(seq, u->addr->name->sun_path[i]);
- }
+ } else
+ seq_printf(seq, " %s%n", "-", &len);
+
+ if (offset > len)
+ offset -= (len + 1);
+ else
+ offset = 0;
+
+ seq_printf(seq, "%*s", offset, " ");
+ sock_write_secctx(s, seq);
+
unix_state_unlock(s);
seq_putc(seq, '\n');
}
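Review bot: the new else branch prints " %s%n" with a leading space, but the previous hunk already emits seq_putc(seq, ' ') unconditionally before the if (u->addr), so unnamed sockets show two spaces before "-" while named ones show one; drop the space from the format (the len + 1 arithmetic still holds, since len then counts only the "-" just as it counts only the path in the other branch). Also len is assigned only through %n, and seq_printf skips formatting entirely once the seq buffer is full, leaving len uninitialised for the "if (offset > len)" comparison in that case; initialise it and check the seq_printf return value. A comment that seq_printf(seq, "%*s", offset, " ") still emits one space when offset is 0 would save the next reader a trip to the printf spec.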
--
1.7.1
* [PATCH 6/6] Export the tcp sock's security context to proc.
From: rongqing.li @ 2011-08-09 7:28 UTC
To: netdev, selinux, linux-security-module, sds
From: Roy.Li <rongqing.li@windriver.com>
Export the tcp sock's security context to proc, since it may be
different from the security context of the sock's owner process.
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
net/ipv4/tcp_ipv4.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 955b8e6..ddac912 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2479,12 +2479,13 @@ static int tcp4_seq_show(struct seq_file *seq, void *v)
{
struct tcp_iter_state *st;
int len;
+ struct sock *s = NULL;
if (v == SEQ_START_TOKEN) {
seq_printf(seq, "%-*s\n", TMPSZ - 1,
" sl local_address rem_address st tx_queue "
"rx_queue tr tm->when retrnsmt uid timeout "
- "inode");
+ "inode seclabel");
goto out;
}
st = seq->private;
@@ -2493,15 +2494,20 @@ static int tcp4_seq_show(struct seq_file *seq, void *v)
case TCP_SEQ_STATE_LISTENING:
case TCP_SEQ_STATE_ESTABLISHED:
get_tcp4_sock(v, seq, st->num, &len);
+ s = v;
break;
case TCP_SEQ_STATE_OPENREQ:
get_openreq4(st->syn_wait_sk, v, seq, st->num, st->uid, &len);
+ s = st->syn_wait_sk;
break;
case TCP_SEQ_STATE_TIME_WAIT:
get_timewait4_sock(v, seq, st->num, &len);
break;
}
- seq_printf(seq, "%*s\n", TMPSZ - 1 - len, "");
+
+ len += sock_write_secctx(s, seq);
+ len = TMPSZ - 1 - len;
+ seq_printf(seq, "%*s\n", len > 0 ? len : 0, "");
out:
return 0;
}
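Review bot: s stays NULL for TCP_SEQ_STATE_TIME_WAIT, so every time-wait entry prints "-" only by way of the NULL check inside sock_write_secctx; a comment saying that v is an inet_timewait_sock there, not a struct sock, and carries no label would stop the next reader from "fixing" it by passing v. In the OPENREQ case "s = st->syn_wait_sk" is the listening socket, so the label shown for a pending request is the listener's, not the request's, and the commit message should say so. And "len = TMPSZ - 1 - len; ... len > 0 ? len : 0" hides overflow the same way the udp patch does: once the label does not fit, lines exceed TMPSZ bytes and the fixed-width guarantee that the "%-*s" header padding exists for is gone.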
--
1.7.1
* Re: [PATCH 6/6] Export the tcp sock's security context to proc.
From: David Miller @ 2011-08-09 7:33 UTC
To: rongqing.li; +Cc: netdev, selinux, linux-security-module, sds
From: <rongqing.li@windriver.com>
Date: Tue, 9 Aug 2011 15:28:30 +0800
> if (v == SEQ_START_TOKEN) {
> seq_printf(seq, "%-*s\n", TMPSZ - 1,
> " sl local_address rem_address st tx_queue "
> "rx_queue tr tm->when retrnsmt uid timeout "
> - "inode");
> + "inode seclabel");
> goto out;
> }
Unfortunately you cannot change the layout of procfs file output in
this way. It has the potential to break programs which are parsing
this file in userspace already.
The layout hasn't changed in a very long time because it is essentially
a user-visible ABI.
If you want to export new information you'll have to do it using the
facility that is extensible, and that's the netlink based socket dumping
facility implemented in inet_diag.c, tcp_diag.c and friends.
There, you can simply add a new netlink attribute that gets dumped with
the entry, which will provide the security context.
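The fixed-width layout Miller refers to, illustrated by an added example that is not part of the thread: a Python parser for /proc/net/tcp-style records together with the padding rule from the 6/6 hunk (TMPSZ assumed to be 150, sample line constructed), showing which readers survive an appended column and which do not.

```python
import socket
import struct

TMPSZ = 150  # assumed value of tcp_ipv4.c's TMPSZ: lines are TMPSZ-1 chars + '\n'
TCP_STATES = {0x01: "ESTABLISHED", 0x06: "TIME_WAIT", 0x0A: "LISTEN"}
# Positional layout of a data line; the header has fewer tokens than the data,
# so parsers index tokens rather than zipping them against the header.
FIELDS = ["sl", "local", "remote", "st", "tx_rx", "tr_when", "retrnsmt",
          "uid", "timeout", "inode"]


def decode_addr(tok):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the __be32
    address as a host-order %08X, so this assumes a little-endian host."""
    hexip, hexport = tok.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(hexip, 16))), int(hexport, 16)


def parse_line(line):
    """Tokenising parser: known columns by position, everything after them
    (ref, pointer, ... and a trailing seclabel if one is appended) in 'extra'.
    This survives an added column; a reader asserting an exact token count
    or slicing fixed character offsets does not."""
    toks = line.split()
    if len(toks) < len(FIELDS):
        raise ValueError("short record: %r" % line)
    rec = dict(zip(FIELDS, toks))
    rec["local"] = decode_addr(rec["local"])
    rec["remote"] = decode_addr(rec["remote"])
    rec["state"] = TCP_STATES.get(int(rec["st"], 16), rec["st"])
    rec["inode"] = int(rec["inode"])
    rec["extra"] = toks[len(FIELDS):]
    return rec


def pad_line(body, label):
    """The 6/6 hunk's rule: append ' <label>', pad to TMPSZ-1 columns, and
    clamp a negative pad to zero instead of refusing to emit the line."""
    body = body + " " + label
    pad = TMPSZ - 1 - len(body)
    return body + " " * (pad if pad > 0 else 0) + "\n"


def fixed_width_records(text, width=TMPSZ):
    """A reader written against the old guarantee of exactly TMPSZ bytes per
    line; once a label overflows the pad, its chunks stop ending in a newline."""
    return [text[i:i + width] for i in range(0, len(text), width)]


# Constructed sample entry (made-up values, not captured from a real host).
SAMPLE = ("   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 "
          "00000000     0        0 12345 1 0000000000000000 100 0 0 10 -1")
```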
* Re: [PATCH 6/6] Export the tcp sock's security context to proc.
From: Rongqing Li @ 2011-08-09 8:54 UTC
To: David Miller; +Cc: netdev, selinux, linux-security-module, sds
On 08/09/2011 03:33 PM, David Miller wrote:
> From:<rongqing.li@windriver.com>
> Date: Tue, 9 Aug 2011 15:28:30 +0800
>
>> if (v == SEQ_START_TOKEN) {
>> seq_printf(seq, "%-*s\n", TMPSZ - 1,
>> " sl local_address rem_address st tx_queue "
>> "rx_queue tr tm->when retrnsmt uid timeout "
>> - "inode");
>> + "inode seclabel");
>> goto out;
>> }
>
> Unfortunately you cannot change the layout of procfs file output in
> this way. It has the potential to break programs which are parsing
> this file in userspace already.
>
> The layout hasn't changed in a very long time because it is essentially
> a user-visible ABI.
>
> If you want to export new information you'll have to do it using the
> facility that is extensible, and that's the netlink based socket dumping
> facility implemented in inet_diag.c, tcp_diag.c and friends.
>
> There, you can simply add a new netlink attribute that gets dumped with
> the entry, which will provide the security context.
>
>
Thanks, I see how I should do it.
I will continue to develop it and hope to get your help.
Thanks.
--
Best Regards,
Roy | RongQing Li