RE: [PATCH 3/3] mlsxfrm: Various fixes

2006-11-08 Thread Venkat Yekkirala 
 Such duplication can occur among the initial SIDs.

For some reason I thought that could happen between an initial SID
and a non-initial SID.

  Not sure 
 though when
 that would apply here,

It could apply to xfrms if they happen to be using the context
represented by any of the initial SIDs.

 and it would only apply if both SIDs 
 were initial
 SIDs.

OK. Will narrow the full context comparison to just this case.
-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: [PATCH 3/3] mlsxfrm: Various fixes

2006-11-08 Thread Stephen Smalley 
On Wed, 2006-11-08 at 08:34 -0600, Venkat Yekkirala wrote:
  Such duplication can occur among the initial SIDs.
 
 For some reason I thought that could happen between an initial SID
 and a non-initial SID.

I think only in the case where a non-initial SID has been invalidated by
policy reload that renders its context illegal and is thus remapped to
the unlabeled SID.  

   Not sure 
  though when
  that would apply here,
 
 It could apply to xfrms if they happen to be using the context
 represented by any of the initial SIDs.

Which would happen when?  

  and it would only apply if both SIDs 
  were initial
  SIDs.
 
 OK. Will narrow the full context comparison to just this case.

What's the harm from just using the SID comparison and allowing for the
possibility that there might be a few duplicates in rare circumstances?
Does it break any assumptions in the rest of the logic?

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

RE: [PATCH 3/3] mlsxfrm: Various fixes

2006-11-08 Thread Venkat Yekkirala 
Not sure
   though when
   that would apply here,
 
  It could apply to xfrms if they happen to be using the context
  represented by any of the initial SIDs.

 Which would happen when?

If one were attempting to use a context pertaining to the unlabeled init
sid in the SPD and/or the SAD. But would I be correct in assuming that the
same sid (unlabeled init sid in all likelyhood) would end up being returned
when the context is turned into a sid, resulting in the SPD and the SAD
using
the same init sid, thus making a full-context compare unnecessary?


   and it would only apply if both SIDs
   were initial
   SIDs.
 
  OK. Will narrow the full context comparison to just this case.

 What's the harm from just using the SID comparison and
 allowing for the
 possibility that there might be a few duplicates in rare
 circumstances?
 Does it break any assumptions in the rest of the logic?

The best I can think of is if the SA's sid doesn't match the
socket's SID, IKE would come into play, if it's configured.

I also wanted to conversely ask what harm exists if we did
a full-context compare in the event the sids didn't match?

Are we just trying to generally avoid extra code?

-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH 3/3] mlsxfrm: Various fixes

2006-11-07 Thread Stephen Smalley 
On Tue, 2006-11-07 at 15:29 -0500, Paul Moore wrote:
 Venkat Yekkirala wrote:
  +/*
  + * security_sid_compare() - compares two given sid contexts.
  + * Returns 1 if they are equal, 0 otherwise.
  + */
  +int security_sid_compare(u32 sid1, u32 sid2)
  +{
  +   struct context *context1;
  +   struct context *context2;
  +   int rc;
  +
  +   if (!ss_initialized)
  +   return 1;
  +
  +   if (sid1 == sid2)
  +   return 1;
  +   else if (sid1  SECINITSID_NUM  sid2  SECINITSID_NUM)
  +   return 0;
  +
  +   /* explicit comparison in order */
  +
  +   POLICY_RDLOCK;
  +   context1 = sidtab_search(sidtab, sid1);
  +   if (!context1) {
  +   printk(KERN_ERR security_sid_compare:  unrecognized SID 
  +  %u\n, sid1);
  +   rc = 0;
  +   goto out_unlock;
  +   }
  +
  +   context2 = sidtab_search(sidtab, sid2);
  +   if (!context2) {
  +   printk(KERN_ERR security_sid_compare:  unrecognized SID 
  +  %u\n, sid2);
  +   rc = 0;
  +   goto out_unlock;
  +   }
  +
  +   rc = context_cmp(context1, context2);
  +
  +out_unlock:
  +   POLICY_RDUNLOCK;
  +   return rc;
  +}
 
 I understand wanting a generic LSM interface to do secid token comparisons, 
 but
 in the SELinux implementation of this function I think we can get away with 
 only
 a simple sid1 == sid2 since the security server shouldn't be creating
 duplicate SID/secid values for identical contexts, I think.  Did you run into
 something in testing that would indicate otherwise?

Such duplication can occur among the initial SIDs.  Not sure though when
that would apply here, and it would only apply if both SIDs were initial
SIDs.

-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html