From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@trustedcs.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, jmorris@namei.org,
sds@tycho.nsa.gov, chanson@trustedcs.com
Subject: Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux
Date: Mon, 18 Sep 2006 18:26:47 -0400 [thread overview]
Message-ID: <200609181826.47622.paul.moore@hp.com> (raw)
In-Reply-To: <45019F72.2050708@trustedcs.com>
On Friday 08 September 2006 12:50 pm, Venkat Yekkirala wrote:
> This defines SELinux enforcement of the 2 new LSM hooks.
{snip}
> +static int selinux_skb_policy_check(struct sk_buff *skb, unsigned short
> family) +{
> + u32 xfrm_sid, trans_sid;
> + int err;
> +
> + if (selinux_compat_net)
> + return 1;
> +
> + err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
> + BUG_ON(err);
First, any reason against including the "struct sock *" in the LSM hook? At a
quick glance it looks like it is available at each place
security_skb_policy_check() is invoked? If there are no objections I would
like to see it included in the hook.
Second, I wonder if it would be better to do a NetLabel/CIPSO query here using
the xfrm_sid as the NetLabel "base_sid" instead of at the end of the function
(see your comment)? This way we wouldn't have to duplicate the
avc_has_perm() and security_transition_sid() calls for both xfrm and
NetLabel. It just seems to be more inline with the whole secid
reconciliation concept.
I don't feel too strongly either way, I just thought it was worth exploring -
thoughts?
> + err = avc_has_perm(xfrm_sid, skb->secmark, SECCLASS_PACKET,
> + PACKET__FLOW_IN, NULL);
> + if (err)
> + goto out;
> +
> + if (xfrm_sid) {
> + err = security_transition_sid(xfrm_sid, skb->secmark,
> + SECCLASS_PACKET, &trans_sid);
> + if (err)
> + goto out;
> +
> + skb->secmark = trans_sid;
> + }
> +
> + /* See if CIPSO can flow in thru the current secmark here */
> +
> +out:
> + return err ? 0 : 1;
> +};
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-09-18 22:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-08 16:50 [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux Venkat Yekkirala
2006-09-18 18:37 ` James Morris
2006-09-18 18:55 ` James Morris
2006-09-18 22:26 ` Paul Moore [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-09-18 19:15 Venkat Yekkirala
2006-09-20 21:08 Venkat Yekkirala
2006-09-20 22:46 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200609181826.47622.paul.moore@hp.com \
--to=paul.moore@hp.com \
--cc=chanson@trustedcs.com \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@trustedcs.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).