From: Paul Moore <paul.moore@hp.com>
To: James Morris <jmorris@namei.org>
Cc: Venkat Yekkirala <vyekkirala@TrustedCS.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Joshua Brindle <method@gentoo.org>,
netdev@vger.kernel.org, selinux@tycho.nsa.gov,
kmacmillan@mentalrootkit.com
Subject: Re: [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux
Date: Fri, 29 Sep 2006 13:43:27 -0400 [thread overview]
Message-ID: <451D5B3F.70206@hp.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0609291247170.6007@d.namei>
James Morris wrote:
> On Fri, 29 Sep 2006, Paul Moore wrote:
>
>>>It seems more of a pain to actually
>>>prevent their use at the same time and/or explain strange/unnatural
>>>behavior.
>>
>>Agreed, the solution that we agreed upon is much easier to implement and
>>explain than a lot of the alternatives.
>
> Ok, can you please explain it further?
>
> i.e. show me what the policy looks like, exactly what the user is trying
> to achieve, and explain what happens to each packet exactly in terms of
> labeling on the input and output paths.
All right, here is my take on it, perhaps Venkat can chime in too.
* packet labeling, input
Code below is taken from the secid patchset, minus the SID transition
code as it sounds like that is going to be dropped. Please note that
this is not a patch just something to help explain.
+static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family)
+{
+ u32 xfrm_sid, trans_sid;
u32 nlbl_sid;
+ int err;
+
+ if (selinux_compat_net)
+ return 1;
+
+ /* xfrm/cipso inapplicable for loopback traffic */
+ if (skb->dev == &loopback_dev)
+ return 1;
+
+ err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
+ BUG_ON(err);
+
+ err = avc_has_perm(xfrm_sid, skb->secmark, SECCLASS_PACKET,
+ PACKET__FLOW_IN, NULL);
+ if (err)
+ goto out;
+
if (xfrm_sid)
skb->secmark = xfrm_sid;
err = selinux_netlbl_skbuff_getsid(skb,
skb->secmark,
&nlbl_sid);
if (err)
goto out;
if (nlbl_sid != SECINITSID_UNLABELED) {
/* not sure if we want this avc check above this if
* block? */
err = avc_has_perm(nlbl_sid,
skb->secmark,
SECCLASS_PACKET,
PACKET__FLOW_IN,
NULL);
if (err)
goto out;
skb->secmark = nlbl_sid;
}
+
+out:
+ return err ? 0 : 1;
+};
* packet labeling, output
This is currently being discussed, so take this with a few grains of salt.
+static int selinux_skb_flow_out(struct sk_buff *skb, u32 nf_secid)
+{
+ u32 trans_sid;
u32 nlbl_sid;
+ int err;
+
+ if (selinux_compat_net)
+ return 1;
+
+ if (!skb->secmark) {
+ u32 xfrm_sid;
+
+ selinux_skb_xfrm_sid(skb, &xfrm_sid);
+
+ if (xfrm_sid)
+ skb->secmark = xfrm_sid;
+ else if (skb->sk) {
+ struct sk_security_struct *sksec =
+ skb->sk->sk_security;
+ skb->secmark = sksec->sid;
+ }
err = selinux_netlbl_skbuff_getsid(skb,
skb->secmark,
&nlbl_sid);
if (err)
goto out;
if (nlbl_sid != SECINITSID_UNLABELED) {
err = avc_has_perm(nlbl_sid,
skb->secmark,
SECCLASS_PACKET,
PACKET__FLOW_OUT,
NULL);
if (err)
goto out;
skb->secmark = nlbl_sid;
}
+ }
+
+ err = avc_has_perm(skb->secmark, nf_secid, SECCLASS_PACKET,
+ PACKET__FLOW_OUT, NULL);
+
+out:
+ return err ? 0 : 1;
+}
* pseudo policy
Since NetLabel presently only provides a MLS label I don't believe there
would be any additional SELinux allow rules beyond those needed for
IPsec labeling (maybe in the flow_out, not sure). The MLS/MCS
constraints would be the only thing affected I believe, and even then
the existing constraints should suffice.
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-09-29 17:43 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-09-29 16:27 [PATCH 7/7] secid reconciliation-v03: Enforcement for SELinux Venkat Yekkirala
2006-09-29 16:31 ` Paul Moore
2006-09-29 16:50 ` James Morris
2006-09-29 17:32 ` James Morris
2006-09-29 17:50 ` Paul Moore
2006-09-29 17:43 ` Paul Moore [this message]
2006-09-29 18:41 ` James Morris
2006-09-29 19:06 ` Paul Moore
2006-09-29 19:33 ` James Morris
2006-09-29 19:51 ` Paul Moore
2006-09-29 20:04 ` James Morris
2006-09-29 20:09 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2006-10-01 21:30 Venkat Yekkirala
2006-09-29 22:10 Venkat Yekkirala
2006-09-29 21:54 Venkat Yekkirala
2006-09-29 18:50 Venkat Yekkirala
2006-09-29 19:13 ` Paul Moore
2006-09-29 17:27 Venkat Yekkirala
2006-09-29 17:38 ` Paul Moore
2006-09-29 16:22 Venkat Yekkirala
2006-09-29 16:17 Venkat Yekkirala
2006-09-29 16:09 Venkat Yekkirala
2006-09-29 16:13 ` Paul Moore
2006-09-29 2:33 Venkat Yekkirala
2006-09-29 3:52 ` Joshua Brindle
2006-09-29 12:59 ` Stephen Smalley
2006-09-29 14:00 ` Joshua Brindle
2006-09-29 14:28 ` Stephen Smalley
2006-09-29 14:33 ` James Morris
2006-09-29 14:39 ` Stephen Smalley
2006-09-29 16:06 ` Paul Moore
2006-09-29 16:10 ` James Morris
2006-09-29 16:15 ` Paul Moore
2006-09-29 16:39 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=451D5B3F.70206@hp.com \
--to=paul.moore@hp.com \
--cc=jmorris@namei.org \
--cc=kmacmillan@mentalrootkit.com \
--cc=method@gentoo.org \
--cc=netdev@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=vyekkirala@TrustedCS.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).