From: Paul Moore <paul.moore@hp.com>
To: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Cc: James Morris <jmorris@namei.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
Stephen Smalley <sds@tycho.nsa.gov>,
Chad Hanson <chanson@TrustedCS.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 0/3] secid reconciliation-v01: Repost patchset with up dates
Date: Thu, 31 Aug 2006 10:45:09 -0400 [thread overview]
Message-ID: <44F6F5F5.5000408@hp.com> (raw)
In-Reply-To: <36282A1733C57546BE392885C061859201512B64@chaos.tcs.tcs-sec.com>
Venkat Yekkirala wrote:
>>My main concern with these patches is that moving the
>>NetLabel check out
>>of selinux_socket_sock_rcv_skb() and into
>>selinux_skb_policy_check() (as
>>it is currently written) would force us to compare a packet's NetLabel
>>with either the IPsec label or the secmark label
>
> Yes you would do these checks (while using a netlabel based off of the
> secmark at that point) to enforce flow control and when they succeed,
> you will copy netlabel into secmark.
>
>>and not the socket's
>>label.
>
> The socket Vs. secmark check that happens later in rcv_skb will in fact be
> looking at the cipso label that is by then a part of the secmark context.
So what you envison is that when an MLS label is found on a packet using
NetLabel the MLS label from the packet is attached to the secmark
context (replacing the existing MLS label, if any) and the resulting
context would be checked for a "flow_in" permission, yes?
Assuming the permission is granted the packet's secmark is replaced with
the updated context. This updated secmark context would then be used in
sock_rcv_skb() to make an access decision, yes?
>> The ability to make access decisions based on the process
>>consuming the data and the data itself it one of the nicer
>>qualities of
>>NetLabel in my opinion.
>
> This nicer quality ends up being preserved as explained above :)
It wasn't clear to me from your patch or the "master plan" what you
intended to do with the NetLabel context. I thought the "/* See if
CIPSO can flow in thru the current secmark here */" comment in your
patch was rather cryptic.
> We just need to get out of the mindset of viewing netlabel separately
> once we are past the reconciliation point.
Agreed. Although to be honest, I think the NetLabel context can be
reconciled with the secmark and XFRM contexts just as easily using the
existing sock_rcv_skb() hook. I guess I need to see where the
xfrm[4|6]_policy_check() hooks are called from in the stack to better
understand ...
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-08-31 14:45 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-31 14:08 [PATCH 0/3] secid reconciliation-v01: Repost patchset with up dates Venkat Yekkirala
2006-08-31 14:45 ` Paul Moore [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-08-31 15:13 Venkat Yekkirala
2006-08-25 13:30 Venkat Yekkirala
2006-08-25 14:26 ` James Morris
2006-08-30 20:21 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44F6F5F5.5000408@hp.com \
--to=paul.moore@hp.com \
--cc=chanson@TrustedCS.com \
--cc=davem@davemloft.net \
--cc=jmorris@namei.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).