From: Eric Paris <eparis@redhat.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
netfilter-devel@vger.kernel.org, jmorris@namei.org,
sds@tycho.nsa.gov, jengelh@medozas.de, paul.moore@hp.com,
casey@schaufler-ca.com, linux-security-module@vger.kernel.org,
netfilter@vger.kernel.org, mr.dash.four@googlemail.com
Subject: Re: [PATCH 2/6] secmark: make secmark object handling generic
Date: Mon, 27 Sep 2010 12:47:56 -0400 [thread overview]
Message-ID: <1285606076.2815.15.camel@localhost.localdomain> (raw)
In-Reply-To: <4C9DB54C.4010100@netfilter.org>
On Sat, 2010-09-25 at 10:39 +0200, Pablo Neira Ayuso wrote:
> On 24/09/10 22:45, Eric Paris wrote:
> > Right now secmark has lots of direct selinux calls. Use all LSM calls and
> > remove all SELinux specific knowledge. The only SELinux specific knowledge
> > we leave is the mode. The only point is to make sure that other LSMs at
> > least test this generic code before they assume it works. (They may also
> > have to make changes if they do not represent labels as strings)
> >
> > Signed-off-by: Eric Paris <eparis@redhat.com>
> > ---
> >
> > include/linux/netfilter/xt_SECMARK.h | 14 ++------
> > include/linux/security.h | 25 +++++++++++++
> > include/linux/selinux.h | 63 ----------------------------------
> > net/netfilter/xt_CT.c | 1 -
> > net/netfilter/xt_SECMARK.c | 57 +++++++++++++++----------------
> > security/capability.c | 17 +++++++++
> > security/security.c | 18 ++++++++++
> > security/selinux/exports.c | 49 --------------------------
> > security/selinux/hooks.c | 24 +++++++++++++
> > security/selinux/include/security.h | 1 +
> > 10 files changed, 116 insertions(+), 153 deletions(-)
> >
> > diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
> > index 6fcd344..b8d55c4 100644
> > --- a/include/linux/netfilter/xt_SECMARK.h
> > +++ b/include/linux/netfilter/xt_SECMARK.h
> > @@ -10,19 +10,13 @@
> > * 'mode' refers to the specific security subsystem which the
> > * packets are being marked for.
> > */
> > -#define SECMARK_MODE_SEL 0x01 /* SELinux */
> > -#define SECMARK_SELCTX_MAX 256
> > -
> > -struct xt_secmark_target_selinux_info {
> > - __u32 selsid;
> > - char selctx[SECMARK_SELCTX_MAX];
> > -};
> > +#define SECMARK_MODE_SELINUX 0x01 /* SELinux */
> > +#define SECMARK_SECCTX_MAX 256
>
> The SECMARK_MODE_SEL is exposed to user-space, even if we have a copy of
> it in the internal iptables tree, I'm not sure if it's a good policy to
> change it.
Ok. I just hate 'SEL' as an abbreviation of SELinux. I always think
it's select or something like that. I could do something hideous like
#define SECMARK_MODE_SEL 0x01
#define SECMARK_MODE_SELINUX SECMARK_MODE_SEL
But it seems like too much work and doesn't add anything really. I'll
revert that part of this change.
-Eric
next prev parent reply other threads:[~2010-09-27 17:16 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-24 20:45 [PATCH 1/6] secmark: do not return early if there was no error Eric Paris
2010-09-24 20:45 ` [PATCH 2/6] secmark: make secmark object handling generic Eric Paris
2010-09-25 8:39 ` Pablo Neira Ayuso
2010-09-27 16:47 ` Eric Paris [this message]
2010-09-24 20:45 ` [PATCH 3/6] secmark: export binary yes/no rather than kernel internal secid Eric Paris
2010-09-25 8:41 ` Pablo Neira Ayuso
2010-09-27 16:44 ` Eric Paris
2010-09-27 0:50 ` James Morris
2010-09-27 17:01 ` Eric Paris
2010-09-27 18:29 ` Paul Moore
2010-09-27 19:25 ` Eric Paris
2010-09-27 19:45 ` Paul Moore
2010-09-27 22:48 ` Pablo Neira Ayuso
2010-09-28 0:00 ` Jan Engelhardt
2010-09-28 8:45 ` Mr Dash Four
2010-09-27 23:45 ` James Morris
2010-09-28 12:32 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 4/6] security: secid_to_secctx returns len when data is NULL Eric Paris
2010-09-27 13:49 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 5/6] conntrack: export lsm context rather than internal secid via netlink Eric Paris
2010-09-24 21:08 ` Jan Engelhardt
2010-09-27 11:01 ` Pablo Neira Ayuso
2010-09-27 16:51 ` Eric Paris
2010-09-24 20:45 ` [PATCH 6/6] secmark: export secctx, drop secmark in procfs Eric Paris
2010-09-24 21:01 ` [PATCH 1/6] secmark: do not return early if there was no error Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1285606076.2815.15.camel@localhost.localdomain \
--to=eparis@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=jengelh@medozas.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).