From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Paris <eparis@redhat.com>
Cc: linux-kernel@vger.kernel.org, selinux@tycho.nsa.gov,
netfilter-devel@vger.kernel.org, jmorris@namei.org,
sds@tycho.nsa.gov, jengelh@medozas.de, paul.moore@hp.com,
casey@schaufler-ca.com, linux-security-module@vger.kernel.org,
netfilter@vger.kernel.org, mr.dash.four@googlemail.com
Subject: Re: [PATCH 2/6] secmark: make secmark object handling generic
Date: Sat, 25 Sep 2010 10:39:40 +0200 [thread overview]
Message-ID: <4C9DB54C.4010100@netfilter.org> (raw)
In-Reply-To: <20100924204524.28355.87206.stgit@paris.rdu.redhat.com>
On 24/09/10 22:45, Eric Paris wrote:
> Right now secmark has lots of direct selinux calls. Use all LSM calls and
> remove all SELinux specific knowledge. The only SELinux specific knowledge
> we leave is the mode. The only point is to make sure that other LSMs at
> least test this generic code before they assume it works. (They may also
> have to make changes if they do not represent labels as strings)
>
> Signed-off-by: Eric Paris <eparis@redhat.com>
> ---
>
> include/linux/netfilter/xt_SECMARK.h | 14 ++------
> include/linux/security.h | 25 +++++++++++++
> include/linux/selinux.h | 63 ----------------------------------
> net/netfilter/xt_CT.c | 1 -
> net/netfilter/xt_SECMARK.c | 57 +++++++++++++++----------------
> security/capability.c | 17 +++++++++
> security/security.c | 18 ++++++++++
> security/selinux/exports.c | 49 --------------------------
> security/selinux/hooks.c | 24 +++++++++++++
> security/selinux/include/security.h | 1 +
> 10 files changed, 116 insertions(+), 153 deletions(-)
>
> diff --git a/include/linux/netfilter/xt_SECMARK.h b/include/linux/netfilter/xt_SECMARK.h
> index 6fcd344..b8d55c4 100644
> --- a/include/linux/netfilter/xt_SECMARK.h
> +++ b/include/linux/netfilter/xt_SECMARK.h
> @@ -10,19 +10,13 @@
> * 'mode' refers to the specific security subsystem which the
> * packets are being marked for.
> */
> -#define SECMARK_MODE_SEL 0x01 /* SELinux */
> -#define SECMARK_SELCTX_MAX 256
> -
> -struct xt_secmark_target_selinux_info {
> - __u32 selsid;
> - char selctx[SECMARK_SELCTX_MAX];
> -};
> +#define SECMARK_MODE_SELINUX 0x01 /* SELinux */
> +#define SECMARK_SECCTX_MAX 256
The SECMARK_MODE_SEL is exposed to user-space, even if we have a copy of
it in the internal iptables tree, I'm not sure if it's a good policy to
change it.
next prev parent reply other threads:[~2010-09-25 8:39 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-24 20:45 [PATCH 1/6] secmark: do not return early if there was no error Eric Paris
2010-09-24 20:45 ` [PATCH 2/6] secmark: make secmark object handling generic Eric Paris
2010-09-25 8:39 ` Pablo Neira Ayuso [this message]
2010-09-27 16:47 ` Eric Paris
2010-09-24 20:45 ` [PATCH 3/6] secmark: export binary yes/no rather than kernel internal secid Eric Paris
2010-09-25 8:41 ` Pablo Neira Ayuso
2010-09-27 16:44 ` Eric Paris
2010-09-27 0:50 ` James Morris
2010-09-27 17:01 ` Eric Paris
2010-09-27 18:29 ` Paul Moore
2010-09-27 19:25 ` Eric Paris
2010-09-27 19:45 ` Paul Moore
2010-09-27 22:48 ` Pablo Neira Ayuso
2010-09-28 0:00 ` Jan Engelhardt
2010-09-28 8:45 ` Mr Dash Four
2010-09-27 23:45 ` James Morris
2010-09-28 12:32 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 4/6] security: secid_to_secctx returns len when data is NULL Eric Paris
2010-09-27 13:49 ` Casey Schaufler
2010-09-24 20:45 ` [PATCH 5/6] conntrack: export lsm context rather than internal secid via netlink Eric Paris
2010-09-24 21:08 ` Jan Engelhardt
2010-09-27 11:01 ` Pablo Neira Ayuso
2010-09-27 16:51 ` Eric Paris
2010-09-24 20:45 ` [PATCH 6/6] secmark: export secctx, drop secmark in procfs Eric Paris
2010-09-24 21:01 ` [PATCH 1/6] secmark: do not return early if there was no error Jan Engelhardt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C9DB54C.4010100@netfilter.org \
--to=pablo@netfilter.org \
--cc=casey@schaufler-ca.com \
--cc=eparis@redhat.com \
--cc=jengelh@medozas.de \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mr.dash.four@googlemail.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=netfilter@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).