> > >
> > > Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
> > Acked-by: Venkat Yekkirala <[EMAIL PROTECTED]>
>
> What about your previous comment:
>
> "I guess you meant to do this here?
> else if (err)
> retu
t; all failures
> (and successes) will actually get audited.
Not sure ALL failures are being audited this way elsewhere, but I guess
they would catch up in course of time.
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
Acked-by: Venkat Yekkirala <[EMAIL PROTECTED]>
-
To unsub
g hooks as well.
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
Acked-by: Venkat Yekkirala <[EMAIL PROTECTED]>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> Signed-off-by: Eric Paris <[EMAIL PROTECTED]>
Acked-by: Venkat Yekkirala <[EMAIL PROTECTED]>
> Also, [Joy cc'd] deletions here needn't be audited?
OK, I see the next patch addressed this :)
> @@ -2552,7 +2550,7 @@ static int pfkey_spdget(struct sock
> *sk, struct sk_buff *skb, struct sadb_msg *h
> return -EINVAL;
>
> xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir,
> pol->sadb_x_policy_id,
> - hdr->sadb_msg_type == SADB_X_SPDDELETE2);
> Something like this (untested) on the ipv4 side, for example:
>
> diff --git a/include/net/route.h b/include/net/route.h
> index 486e37a..a8af632 100644
> --- a/include/net/route.h
> +++ b/include/net/route.h
> @@ -146,7 +146,8 @@ static inline char rt_tos2priority(u8 tos)
>
> static inline i
ew Morton; Linux Kernel Mailing List;
> Uwe Bugla;
> [EMAIL PROTECTED]; linux-ide@vger.kernel.org;
> [EMAIL PROTECTED]; Gerhard Dirschl; Christoph Hellwig;
> [EMAIL PROTECTED]; Michal Piotrowski; Venkat Yekkirala; David Miller;
> [EMAIL PROTECTED]; [EMAIL PROTECTED]; netdev@vger.kern
This patch is an incremental fix to the flow_cache_genid
patch for selinux that breaks the build of 2.6.20-rc6 when
xfrm is not configured.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/include/xfrm.h |9 +
security/selinux/ss/services.c |6 +++
> > Only, on a security policy denial (-ESRCH from the LSM hook), a 0
> > is returned by the resolver to signify no applicable policy since
> > a negative result is akin to no policy. And I see the "no policy"
> > case is already cached.
>
> I'm not talking about an xfrm policy lookup failure, that
> > This patch causes security policy denials to be cached instead of
> > causing a relookup every time.
Only, on a security policy denial (-ESRCH from the LSM hook), a 0
is returned by the resolver to signify no applicable policy since
a negative result is akin to no policy. And I see the "no pol
> > So if the security folks actually care about this, they'd need to
> > flush the flow cache whenever a relevant change is made to the
> > security database.
I do not believe we are doing this. I will look into this ASAP.
Hi,
I am wondering if 26sec supports NAT-Traversal for multiple
endpoints behind the same NAT. In looking at xfrm_tmpl it's
not obvious to me that it's supported, at least going by the
following from the setkey man page:
When NAT-T is enabled in the kernel, policy matching for ESP ov
> I pulled in the lspp respin kernels and am checking the labeling
> behavior now so I should have a full response later, however
> I ran into
> one unexpected thing immediately on bootup with the new kernel:
Just FYI- The labeled-ipsec patch doesn't affect or influence the
packet class handlin
> I think this should be aimed at 2.6.20, because we are at the last or
> second-last -rc currently, and I don't think these fixes are
> urgent enough
> to justify the risk at this stage.
That makes sense. Thanks.
o that
the SA carries the label of the originating socket/flow.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h| 21 --
security/dummy.c|4 +--
security/selinux/include/xfrm.h |4 +--
security/selinux/xfrm.
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h| 14 ++
inclu
o };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h| 19 -
net/xfrm/xfrm_policy.c |3
security/dummy.c|7 --
security/selinux/hooks.c| 26 +--
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
The following are the changes since the previous post of this patchset:
1. Separate BUG_ON usage per Eric's suggestion.
2. Replace security_sid_compare with a simple sid compare check per
a suggestion from Paul/Stephen.
> > > Not sure
> > > though when
> > > that would apply here,
> >
> > It could apply to xfrms if they happen to be using the context
> > represented by any of the initial SIDs.
>
> Which would happen when?
If one were attempting to use a context pertaining to the unlabeled init
sid in the SPD and
> Such duplication can occur among the initial SIDs.
For some reason I thought that could happen between an initial SID
and a non-initial SID.
> Not sure
> though when
> that would apply here,
It could apply to xfrms if they happen to be using the context
represented by any of the initial SIDs
> > Fix SO_PEERSEC for tcp sockets to return the security context of
> > the peer (as represented by the SA from the peer) as opposed to the
> > SA used by the local/source socket.
>
> What about the case of a localhost TCP connection not using
> xfrm labeling?
>
> Joe Nall raised this as an import
ned-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
include/linux/security.h| 21 -
security/dummy.c|4 +--
security/selinux/include/xfrm.h |4 +--
security/selinux/
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h| 14 ++
inclu
o };
allow socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h| 19 -
net/xfrm/xfrm_policy.c |3
security/dummy.c|7 -
security/selinux/hooks.c
> From an initial review of this patchset, it doesn't look
> quite ready to
> queue for 2.6.20 (which I plan to do via git once it is).
>
> Outstanding items include resolving the igmp skb hook issue
> generally,
> testing to verify both the design and implementation, and
> ensuring that
> a
elinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit
From: James Morris <[EMAIL PROTECTED]>
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "
This is a bug fix for the MLSXFRM patchset already queued for 2.6.19.
This version is just a repost of V.03 with the subject titles
fixed up, and the patches ported to davem's net-2.6.git as of today.
include/linux/security.h| 24 ++-
include/net/flow.h |2
includ
This treats the security errors encountered in the case of
socket policy matching, the same as how these are treated in
the case of main/sub policies, which is to return a full lookup
failure.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
net/xfrm/xfrm_policy.c
> > My apologies. The second one is also numbered 1, but has the
> > following distinct subject line:
> > [PATCH 1/3] Fix for IPsec leakage with SELinux enabled -
> V.03: Fix xfrm code
>
> I definitely deleted one of them, since I usually get N copies
> of every single patch posting and two of the
> From: James Morris <[EMAIL PROTECTED]>
> Date: Thu, 5 Oct 2006 16:54:38 -0400 (EDT)
>
> > > #ifdef CONFIG_XFRM_SUB_POLICY
> > > pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB,
> fl, family, dir);
> > > - if (pol)
> > > + if (IS_ERR(pol)) {
> > > + err = PTR_ERR(pol);
> > > +
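Review bot: replacing `if (pol)` with `if (IS_ERR(pol)) {` in the CONFIG_XFRM_SUB_POLICY block changes what the branch tests: IS_ERR() is false for a NULL pointer, so the "no sub policy found" case that the old `if (pol)` excluded now falls through past this check. Make sure a separate `if (pol)` test still guards the code that dereferences `pol` after the `err = PTR_ERR(pol);` error branch.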
> > > This version takes into account David Miller's comments
> > > regarding treatment of security layer errors in the case
> > > of socket policies. Specifically, these errors will be
> > > treated like how these kinds of errors are treated for
> > > the main/sub policies, which is to return a ful
> > - if (xfrm_policy_match(pol, fl, type, family, dir)) {
> > + err = xfrm_policy_match(pol, fl, type, family, dir);
> > + if (err) {
> > + if (err == -ESRCH)
> > + continue;
> > + else {
> > +
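Review bot: this hunk inverts the return convention of xfrm_policy_match(): before, a non-zero result meant "matched", while afterwards a non-zero `err` means "no match or failure", with only -ESRCH treated as a plain miss via `continue`. Every other caller of xfrm_policy_match() has to be converted in the same patch, or a caller still written as `if (xfrm_policy_match(...))` will treat a failure as a match. The `else {` following an unconditional `continue` is also redundant and can be dropped to keep the error path flat.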
> > This version takes into account David Miller's comments
> > regarding treatment of security layer errors in the case
> > of socket policies. Specifically, these errors will be
> > treated like how these kinds of errors are treated for
> > the main/sub policies, which is to return a full lookup
>
From: James Morris <[EMAIL PROTECTED]>
When a security module is loaded (in this case, SELinux), the
security_xfrm_policy_lookup() hook can return an access denied permission
(or other error). We were not handling that correctly, and in fact
inverting the return logic and propagating a false "
elinux side of things.
This makes sure SELinux polmatching of flow contexts to IPSec policy
rules comes into play only when an explicit context is associated
with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to
the context of the socket since the "no explicit
This version takes into account David Miller's comments
regarding treatment of security layer errors in the case
of socket policies. Specifically, these errors will be
treated like how these kinds of errors are treated for
the main/sub policies, which is to return a full lookup
failure.
include/li
This treats the security errors encountered in the case of
socket policy matching, the same as how these are treated in
the case of main/sub policies, which is to return a full lookup
failure.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
net/xfrm/xfrm_policy.c
> On Wed, 2006-10-04 at 15:27 -0400, Paul Moore wrote:
> > Venkat Yekkirala wrote:
> > >> * XFRM present
> > >>
> > >> xfrm_sid =
> > >> loc_sid = SECINITSID_NETMSG
> > >> nlbl_sid = SECSID_NULL/0
> > >>
> >> * XFRM present
> >>
> >> xfrm_sid =
> >> loc_sid = SECINITSID_NETMSG
> >> nlbl_sid = SECSID_NULL/0
> >> ext_sid = xfrm_sid
> >> final skb->secmark = avc_ok : ext_sid ? unchanged
Actually, I meant to cite the following instead of the above:
* Nothing
xfrm_sid = SECSID_NULL/0
> * XFRM present
>
>xfrm_sid =
>loc_sid = SECINITSID_NETMSG
>nlbl_sid = SECSID_NULL/0
>ext_sid = xfrm_sid
>final skb->secmark = avc_ok : ext_sid ? unchanged
>
> * NetLabel present
>
>xfrm_sid = SECSID_NULL/0
>loc_sid = SECSID_NULL/0
>nlbl_sid =
>ext_sid =
> > As for the rest of the network labeling, please work
> together with Venkat
> > and the SELinux developers on a final patchset which meets
> all of the
> > design goals and has been tested, with policy which has been merged
> > upstream and is available via Fedora devel. Please keep
> th
> > @@ -3714,19 +3714,34 @@ static int selinux_skb_flow_in(struct sk
> > if (skb->dev == &loopback_dev)
> > return 1;
> >
> > + if (skb->secmark)
> > + loc_sid = skb->secmark;
> > + else
> > + loc_sid = SECINITSID_NETMSG;
> > +
> > err = selinux_xfrm_de
> @@ -3714,19 +3714,34 @@ static int selinux_skb_flow_in(struct sk
> if (skb->dev == &loopback_dev)
> return 1;
>
> + if (skb->secmark)
> + loc_sid = skb->secmark;
> + else
> + loc_sid = SECINITSID_NETMSG;
> +
> err = selinux_xfrm_decode_s
> > Considering the above change, I wonder if it would also
> make sense to
> > update the secmark to SECINITSID_UNLABELED in the absence of any
> > external labeling (labeled IPsec or NetLabel)?
> >
>
> Ungh, my apologies ... I meant to say "SECINITSID_NETMSG" *not*
> "SECINITSID_UNLABELED".
andle.
Thanks,
venkat
> -Original Message-
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 04, 2006 8:00 AM
> To: Evgeniy Polyakov
> Cc: David S. Miller; Herbert Xu; netdev@vger.kernel.org; Stephen
> Smalley; Venkat Yekkirala; Paul Moore; Danie
system-hi.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
This is an incremental patch to the secid-reconciliation v4 patchset.
--- net-2.6.sid3/security/selinux/hooks.c 2006-10-01 15:43:12.0
-0500
+++ net-2.6/security/selinux/hooks.c2006-10-03 16:43:21.0
> > If this selinux_netlbl_skb_sid() call can fail for any
> reason other than
> > a kernel bug, then this needs to goto out instead of using
> BUG_ON. For
> > example, if the function can fail due to temporary memory pressure
> > leading to a failed allocation, then you want to simply
> drop t
> > This is indeed the "designed" and expected (for me) behavior.
>
> This is a security hole. SELinux denies all access by
> default, so the
> default behavior of this code is to allow all traffic to bypass IPsec.
>
> You should not need to add a rule to 'allow' increased security.
You are r
> My immediate concern is not really what selinux_xfrm_decode_session()
> returns, but how to handle it, or rather errors in general, in
> selinux_skb_flow_in(). I'm in the process of creating a patch to add
> the missing NetLabel support to the secid patches and I am
> wondering if
> I should BU
> On Sun, 1 Oct 2006, Venkat Yekkirala wrote:
>
> > > The way I was seeing the problem was when connecting via
> IPsec to a
> > > confined service on an SELinux box (vsftpd), which did
> not have the
> > > appropriate SELinux policy permissions to s
> >>In the case above I am concerned about the situation where the
> >>skb->secmark == 0 and there is a IPv4 option (i.e. it is NetLabel
> >>labeled) on the packet.
>
> It's unfortunate that you cut out the code in your reply.
It's even more unfortunate that you should say this. The proper
thing
Invoke the skb_flow_out LSM hook for outbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
net/netfilter/xt_CONNSECMARK.c | 72 ---
net/netfilter/xt_SECMARK.c | 45 ++-
2
This brings secmark into the picture when classifying flows
using an skb.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h | 10 --
include/linux/skbuff.h | 20
2 files changed, 20 insertions(+), 10 deletions(-)
--- net-2
This labels the skb(s) for locally generated IPv6 traffic. This will
be used in pertinent flow control checks on the outbound later in the
LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTEC
This tracks the peer's secid at connection establishment time
for clients, for later retrieval using SO_PEERSEC.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/linux/security.h | 14 ++
net/ipv4/tcp_input.c |2 ++
security/dummy.c
: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/hooks.c| 148 +++---
security/selinux/include/xfrm.h | 11 +-
security/selinux/xfrm.c | 66 +
3 files changed, 150 insertions(+), 75 deletions(-)
diff --git a/security/selinux/hoo
sed in this patch
as well.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/include/av_perm_to_string.h |2 ++
security/selinux/include/av_permissions.h|2 ++
2 files changed, 4 insertions(+)
diff --git a/security/selinux/include/av_perm_to_string.h
b/sec
hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/ip.h | 31 +++
include/net/request_sock.h | 18 ++
net/dccp/
Invoke the skb_flow_in LSM hook for inbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/xfrm.h | 45 +--
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/i
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
reconciliation of the various security identifiers as well as enforce
flow control on inbound (PREROUTING/INPUT) and outbound
(OUTPUT/FORWARD/POSTROUTING)
traffic.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
i
This patchset is relative to davem's net-2.6.git
The following are the changes included in this patchset since the previous post:
- Create IPSec SAs to be acquired with the creating sock's context as opposed
to that of the matching SPD rule, resulting in a simpler SPD as well as
policy.
- Set
> The way I was seeing the problem was when connecting via IPsec to a
> confined service on an SELinux box (vsftpd), which did not have the
> appropriate SELinux policy permissions to send packets via IPsec.
>
> The first SYNACK would be blocked,
Given that the resolver fails to find a policy h
> It seems more of a pain to actually
> prevent their use at the same time and/or explain
> strange/unnatural
> behavior.
> >>>
> >>>Agreed, the solution that we agreed upon is much easier to
> implement and
> >>>explain than a lot of the alternatives.
> >>
> >>Ok, can you please expl
> Venkat,
>
> With xfrm labeling, the external packets are always going to
> be protocol
> ESP or AH, and we can't connection track the inner protocols. So,
Are you sure? This doesn't compare to what my limited testing seems
to have turned up (normal netfiltering of inner protos followed by x
> @@ -3672,16 +3674,20 @@ static int selinux_skb_flow_in(struct sk
> if (err)
> goto out;
>
> - if (xfrm_sid) {
> - err = security_transition_sid(xfrm_sid, skb->secmark,
> -
> SECCLASS_PACKET, &trans_sid);
> -
> >>While I don't see any explicit mention of it in the documentation or
> >>your comments, I assume we would want a flow_out check for
> >>NetLabel here
> >>as well?
> >
> > I don't believe we do. By this time, the packet is or
> should already be
> > carrying the CIPSO/NetLabel option which s
> > +static int selinux_skb_flow_in(struct sk_buff *skb,
> unsigned short family)
> > +{
> > + u32 xfrm_sid, trans_sid;
> > + int err;
> > +
> > + if (selinux_compat_net)
> > + return 1;
> > +
> > + /* xfrm/cipso inapplicable for loopback traffic */
> > + if (skb->dev == &loopb
> That's fine by me, I just wanted to make sure something like
> that would
> be acceptable. So, in summary, we would do the normal flow_in checks
> for both IPsec and NetLabel and then set the secmark using the IPsec
> label as the "base sid" for the NetLabel's generated SID?
That's correct (in
> I tend to agree, I just can't see it being all that useful in the real
> world. However, each time it comes up (including the conference call
> earlier this week) it seems that people would prefer to use
> both at the
> same time.
A matter of providing options to users. It seems more of a pain
> > Unless I'm confusing something, there still may be a need
> for transitions
> > if we want to support both IPsec and NetLabel labeling on the same
> > connection.
>
> I'd prefer not to support this, as it's too complicated,
Actually, from my vantage point, it actually seems "natural".
> and
> > Fine with me, unless Venkat has an immediate use case for such
> > transitions in the flow_in case (but I think this is mostly
> my fault for
> > suggesting transitions a while ago).
I don't have a use case currently.
>
> Unless I'm confusing something, there still may be a need for
> tran
This defines SELinux enforcement of the 2 new LSM hooks as well
as related changes elsewhere in the SELinux code.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/hooks.c| 129 +++---
security/selinux/include/xfrm.h |5 +
se
Invoke the skb_flow_out LSM hook for outbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
net/netfilter/xt_CONNSECMARK.c | 70 +++
net/netfilter/xt_SECMARK.c | 33 +-
2 files c
This patchset is relative to davem's net-2.6.git
The following are the changes included in this patchset since the previous post:
- Retain secmark (from the originating socket/flow) on loopback traffic;
this traffic is now flow controlled on the outbound only.
- When multiple iptables labeling
Invoke the skb_flow_in LSM hook for inbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/xfrm.h | 45 +--
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/i
hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/ip.h | 32
include/net/request_sock.h | 17 +
net/dccp/
n" to arbitrate among the identifiers on the
inbound (input/forward). Also adds a new avperm "flow_out" to enable flow
control checks on the outbound (output/forward), addressed in this patch
as well.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/inclu
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
reconciliation of the various security identifiers as well as enforce
flow control on inbound (PREROUTING/INPUT) and outbound
(OUTPUT/FORWARD/POSTROUTING)
traffic.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
i
This labels the skb(s) for locally generated IPv6 traffic. This will
be used in pertinent flow control checks on the outbound later in the
LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTEC
> > +static int selinux_skb_policy_check(struct sk_buff *skb,
> unsigned short
> > family) +{
> > + u32 xfrm_sid, trans_sid;
> > + int err;
> > +
> > + if (selinux_compat_net)
> > + return 1;
> > +
> > + err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
> > + BUG_ON(err);
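Review bot: `BUG_ON(err)` right after `selinux_xfrm_decode_session(skb, &xfrm_sid, 0)` turns any non-zero return from the decode into a kernel panic on the packet receive path. Unless that function can only fail because of a kernel bug, the hook should propagate the error instead, e.g. `if (err) return err;` in place of the BUG_ON, so that a transient failure such as a failed allocation is not fatal to the whole system.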
>
See below.
> -Original Message-
> From: James Morris [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 18, 2006 2:12 PM
> To: Venkat Yekkirala
> Cc: netdev@vger.kernel.org; [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: Re: [PATCH 4/7] sec
This doesn't look right since kzalloc would already have zeroed the
structure out. Are you sure you are getting garbage in the acquire
from the kernel? If you are, I strongly doubt that this would be the
one causing it (unless kzalloc on this arch misbehaved).
Or is this a racoon bug?
> -Origi
> On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
>
> > + if (selinux_compat_net) {
> > + err = selinux_xfrm_decode_session(skb, &peersid, 0);
> > + BUG_ON(err);
>
> I'm pretty sure this should not be a BUG_ON. IIUC, you want
> to pan
> On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
>
> > @@ -114,6 +128,9 @@ static struct xt_target xt_connsecmark_t
> > .target = target,
> > .targetsize = sizeof(struct
> xt_connsecmark_target_info),
> >
> Is there any way you can send patches without "format=flowed" in the
> content-type? On two mailers I've tried, the patches get mangled.
Yes. I will send them to you in a few minutes with format=flowed disabled.
As soon as you let me know you see them fine, I will resend them to the
lists.
Tha
The following are the changes included in this patchset since the previous post:
- Perform flow_in check before (as opposed to after) computing transition
secid on inbound; this seems more intuitive and correct.
- Implement reconciliation and flow control for outbound traffic
(forward case bein
Invoke the skb_policy_check LSM hook for inbound (INPUT/FORWARD)
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/xfrm.h | 50 +++
1 file changed, 27 insertions(+), 23 del
This labels the skb(s) for locally generated IPv6 traffic. This will
be reconciled with xfrm secid as well as used in pertinent flow control
checks on the outbound later in the LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat
originating socket
do so in the outbound hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include/net/ip.h | 32
include/net/request_sock.h
ward). Also adds a new avperm "flow_out" to enable flow
control checks on the outbound (output/forward), addressed in this patch
as well.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/include/av_perm_to_string.h |2 ++
security/selinux/include/av_permissi
Invoke the skb_netfilter_check LSM hook for outbound (OUTPUT/FORWARD)
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
net/netfilter/xt_CONNSECMARK.c | 44 ++-
net/netfilter/xt_SECMARK.c
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
reconciliation of the various security identifiers as well as enforce
flow control on inbound (INPUT/FORWARD) and outbound (OUTPUT/FORWARD)
traffic.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include
This defines SELinux enforcement of the 2 new LSM hooks.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/hooks.c| 125 --
security/selinux/include/xfrm.h |5 +
security/selinux/ss/mls.c |2
security/selinux/ss/serv
> Assuming the permission is granted the packet's secmark is
> replaced with
> the updated context. This updated secmark context would then
> be used in
> sock_rcv_skb() to make an access decision, yes?
You got it.
>
> >> The ability to make access decisions based on the process
> >>consuming
> My main concern with these patches is that moving the
> NetLabel check out
> of selinux_socket_sock_rcv_skb() and into
> selinux_skb_policy_check() (as
> it is currently written) would force us to compare a packet's NetLabel
> with either the IPsec label or the secmark label
Yes you would do t
> I like these changes, but wondering why you haven't supplied
> code for the
> outbound case ?
>
>
> - James
The code for the outbound is still in the works. I hope to have it
out in a week or so.
Invoke the skb_policy_check LSM hook from within networking code.
This is being done at the same time and as a part of checking
xfrm policy. This is hopefully adequate (not anticipating
IP protos that don't use xfrm).
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
include
). Also adds a new avperm "go_thru" to enable flow
control checks on the outbound (output/forward), addressed in a later
patch.
Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
---
security/selinux/include/av_perm_to_string.h |2 ++
security/selinux/include/av_permissions