public inbox for netdev@vger.kernel.org
From: Paul Moore <pmoore@redhat.com>
To: Andy King <acking@vmware.com>
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org,
	selinux@tycho.nsa.gov, Gerd Hoffmann <kraxel@redhat.com>,
	Eric Paris <eparis@redhat.com>
Subject: Re: AF_VSOCK and the LSMs
Date: Fri, 22 Feb 2013 19:27:25 -0500
Message-ID: <2331260.82H25I6ITJ@sifl>
In-Reply-To: <888679886.3769933.1361573683299.JavaMail.root@vmware.com>

On Friday, February 22, 2013 02:54:43 PM Andy King wrote:
> Hi Paul,
> 
> > to see if anyone had any strong feelings on this approach (either good or
> > bad).  Here is what I am proposing, and currently working on ...
> > 
> > * Add an LSM secid/blob to the vmci_datagram struct
> 
> I think perhaps this is the wrong layer at which to embed this.  Think
> of that structure as an ethernet header, with VMCI being ethernet; it's
> what the device (and the hypervisor and peer) understand.  So this
> really cannot be changed.

Hmmm, so can VMware/VMCI-enabled guests send vmci_datagram packets directly 
into the kernel?  It isn't wrapped by things like AF_VSOCK?  If that is the 
case, then yes, we'll probably need to add a thin wrapper struct to carry the 
security label; similar to the control packets but not quite, as we have data 
to deal with unlike the control packets.  However, if vmci_datagram is an 
internal only structure, why not add the extra field?

Either way, we should be able to work around this, it would just be cleaner if 
we could add it to the datagram directly.

> It's also not entirely clear to me how this will work in a heterogeneous
> environments.  What if there's a Linux guest running on a Windows host,
> or vice-versa?

I may be missing something here, but VMCI never leaves the physical host system, 
correct?  It doesn't get tunneled over some external network, does it?

Assuming it stays on the physical host system, then we don't really care about 
a Windows host in this context, do we?  From a guest's point of view it doesn't 
really matter; the kernel handles all of the labeling and access control, and the 
guests create their AF_VSOCKS as they normally would.

> I'll take a closer read at the rest of your mail, but I think we need to
> address the above first.

I think there is some confusion about VMCI - which is almost surely on my end 
- and what I'm trying to accomplish with the labeling; perhaps by answering 
the above questions you can help me gain a better understanding and we can 
sort things out.

Thanks.

-- 
paul moore
security and virtualization @ redhat


Thread overview: 18+ messages
2013-02-22 22:33 AF_VSOCK and the LSMs Paul Moore
2013-02-22 22:54 ` Andy King
2013-02-23  0:27   ` Paul Moore [this message]
2013-02-25  7:29     ` Gerd Hoffmann
2013-02-25 15:06       ` Paul Moore
2013-02-22 23:00 ` Casey Schaufler
2013-02-23  0:45   ` Paul Moore
2013-02-23 23:43     ` Casey Schaufler
2013-02-25 16:55       ` Paul Moore
2013-02-25 18:02         ` Casey Schaufler
2013-02-25 21:05           ` Paul Moore
2013-02-25 23:06             ` Casey Schaufler
2013-02-26 21:21               ` LSM stacking and the network access controls (was: AF_VSOCK and the LSMs) Paul Moore
2013-02-26 23:12                 ` LSM stacking and the network access controls Casey Schaufler
2013-02-27 16:43                   ` Paul Moore
2013-02-27 16:51                     ` Casey Schaufler
2013-02-27 17:31                       ` Paul Moore
2013-02-27 17:40                         ` Casey Schaufler