> I have a question: if the sock type does not match the policy type
> (xfrm_lookup hook on output step (2)), can we send the packet?
Only if the packet can send to SECINITSID_UNLABELED as checked in
selinux_xfrm_postroute_last(), which would be the 5th step below.

> It seems on output the socket and policy types must match,

More accurately, the flow (which derives from the socket in the locally
generated case) and the policy types must "polmatch", yes.

> but this is not the case on input (input step (3) checks socket access
> and flow type is from sa).

Again the flow has to polmatch a policy; the flow derives the Type from
the SA used, or unlabeled if no SA was used. In either direction, it's the
"flow" that selects a policy (or not). The "input step (3)" you refer to
above is really a socket vs. state (recvfrom) check; the equivalent on
output being the generic flow_state_match (sendto) check. And the latter
has to be a generic "flow" based check since in the forward case we
wouldn't have a source socket.

> Nor was it the case in the original patch.

Are you referring to my original patch or the current upstreamed
implementation?

> Output step (4) checks that the socket can send to the specific sa
> type which is right.
>
> The extra level of indirection provided by the flow makes things a
> bit harder to follow, so I think that this should be made clear in
> documentation somehow. I am not sure if people will be able to
> maintain this notion easily later. My understanding is below.

It would be a lot easier if people looked at this in terms of "flow".

> On input:
> (1) get flow label from sa via packet
> (2) authorize flow label matches policy (xfrm_lookup hook)
> (3) authorize socket access to sa label (rcv_skb)
>
> On output:
> (1) get flow label from socket (xfrm_lookup)
> (2) authorize flow label matches policy (xfrm_lookup hook)
> (3) authorize sa matches policy (state_pol_flow)
> (4) authorize flow label can send to state (flow_state_match)

(5) If not using an xfrm, authorize flow label can send to the unlabeled
"association".

> Regards,
> Trent.
> ----------------------------------------------
> Trent Jaeger, Associate Professor
> Pennsylvania State University, CSE Dept
> 346A IST Bldg, University Park, PA 16802
> Email: [EMAIL PROTECTED]
> Ph: (814) 865-1042, Fax: (814) 865-3176

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
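The input and output check sequences discussed in the message above, as an added toy model in C that is not code from the thread or from the kernel: labels are plain strings, a hand-written allow table stands in for the AVC, the label names (web_sock_t, plain_sock_t, ipsec_t, unlabeled_t) are constructed, and the state_pol_flow step is modelled as string equality between the SA label and the policy label, which is an assumption of the model. It shows the point of the reply: the flow label, not the socket directly, is what selects a policy, and a flow whose polmatch fails only gets out if it may send to the unlabeled association.

```c
/* Toy model of the SELinux xfrm "flow" checks described in the thread.
 * Constructed illustration, not kernel code: labels are plain strings and
 * the AVC is a static allow table. Permissions are those of the
 * "association" class: polmatch, sendto, recvfrom. */
#include <stdio.h>
#include <string.h>

/* Stand-in for SECINITSID_UNLABELED. */
#define UNLABELED "unlabeled_t"

struct allow_rule {
    const char *src;   /* flow or socket label */
    const char *tgt;   /* policy, SA or unlabeled label */
    const char *perm;  /* "polmatch", "sendto" or "recvfrom" */
};

/* Constructed policy: web_sock_t may only talk through ipsec_t,
 * plain_sock_t may only talk in the clear. The ipsec_t -> ipsec_t
 * polmatch rule is what lets an inbound flow (label taken from the SA)
 * select the inbound policy. */
static const struct allow_rule avc_rules[] = {
    { "web_sock_t",   "ipsec_t",  "polmatch" },
    { "web_sock_t",   "ipsec_t",  "sendto"   },
    { "web_sock_t",   "ipsec_t",  "recvfrom" },
    { "ipsec_t",      "ipsec_t",  "polmatch" },
    { "plain_sock_t", UNLABELED,  "sendto"   },
    { "plain_sock_t", UNLABELED,  "recvfrom" },
};

static int avc_allowed(const char *src, const char *tgt, const char *perm)
{
    size_t i;
    for (i = 0; i < sizeof avc_rules / sizeof avc_rules[0]; i++)
        if (!strcmp(avc_rules[i].src, src) && !strcmp(avc_rules[i].tgt, tgt) &&
            !strcmp(avc_rules[i].perm, perm))
            return 1;
    return 0;
}

/* Output path. 'flow' is the socket label for locally generated traffic
 * (for forwarded traffic it comes from elsewhere, so there is no socket
 * here). 'policy' is the label of the SPD entry whose selector matched
 * (NULL if none), 'sa' the label of the SA that would be used.
 * Returns 0 if the packet may be sent, else the thread's step number
 * at which it was denied. */
int xfrm_output_check(const char *flow, const char *policy, const char *sa)
{
    /* (2) the flow must polmatch the policy; if it does not, the policy is
     * not selected and the packet would leave without an xfrm ... */
    if (policy == NULL || !avc_allowed(flow, policy, "polmatch"))
        /* (5) ... so it needs sendto on the unlabeled association. */
        return avc_allowed(flow, UNLABELED, "sendto") ? 0 : 5;
    /* (3) state_pol_flow: the SA must carry the policy's label
     * (modelled as string equality; an assumption of this model). */
    if (sa == NULL || strcmp(sa, policy) != 0)
        return 3;
    /* (4) flow_state_match: the flow may send to this SA. */
    if (!avc_allowed(flow, sa, "sendto"))
        return 4;
    return 0;
}

/* Input path. 'sock' is the receiving socket's label, 'policy' the inbound
 * SPD entry (NULL if none), 'sa' the SA the packet arrived under (NULL
 * for cleartext). Same return convention as above. */
int xfrm_input_check(const char *sock, const char *policy, const char *sa)
{
    /* (1) the flow label comes from the SA, or is unlabeled without one. */
    const char *flow = sa ? sa : UNLABELED;
    /* (2) the flow must polmatch the policy. */
    if (policy != NULL && !avc_allowed(flow, policy, "polmatch"))
        return 2;
    /* (3) socket vs. state: recvfrom on the SA (or unlabeled). */
    if (!avc_allowed(sock, flow, "recvfrom"))
        return 3;
    return 0;
}

int main(void)
{
    /* The case asked about in the thread: socket does not polmatch the
     * policy, so the packet only goes if it may send to unlabeled. */
    printf("plain_sock_t out, policy ipsec_t: %d\n",
           xfrm_output_check("plain_sock_t", "ipsec_t", "ipsec_t"));
    printf("web_sock_t out, no policy: %d\n",
           xfrm_output_check("web_sock_t", NULL, NULL));
    printf("web_sock_t out via ipsec_t: %d\n",
           xfrm_output_check("web_sock_t", "ipsec_t", "ipsec_t"));
    printf("web_sock_t in, cleartext: %d\n",
           xfrm_input_check("web_sock_t", NULL, NULL));
    return 0;
}
```

The first call in main returns 0 because plain_sock_t fails polmatch but may send to the unlabeled association (step 5 passes); the second returns 5 because web_sock_t has no such rule; the last returns 3 because web_sock_t lacks recvfrom on unlabeled_t.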
