| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251001215643.31465-1-casey@schaufler-ca.com> Date: Wed, 1 Oct 2025 14:56:41 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: casey@...aufler-ca.com, paul@...l-moore.com, linux-security-module@...r.kernel.org Cc: jmorris@...ei.org, serge@...lyn.com, keescook@...omium.org, john.johansen@...onical.com, penguin-kernel@...ove.sakura.ne.jp, stephen.smalley.work@...il.com, linux-kernel@...r.kernel.org, selinux@...r.kernel.org Subject: [PATCH 0/2] LSM: Identify module using network facilities Security identification for network packets is provided by two mechanisms, secmarks and netlabel. Secmarks are 32 bit quantities managed by the netfilter system. It is strongly believed that there is no hope that the size of this will ever change. This is problematic in the face of multiple security modules trying to use this facility at the same time. There is no identified use case, nor user space support for specifying netfilter rules for multiple LSMs. The LSMs have been modified to request use of the secmark, and to eschew them if the request is denied. The first LSM that requests use of secmarks is granted it, and all subsequent requests are denied. Netlabel uses the CIPSO2 and CALIPSO IP options to transmit security information on IP packets. It does not support sending multiple sets of data. It is unlikely that any two LSMs would agree on how a packet should be labeled. As with the secmarks, LSMs have been modified to request use of netlabel, and to eschew them if the request is denied. The first LSM that requests use of netlabel is granted it, and all subsequent requests are denied. The ordering determines which LSM gets these features. The ability to determine which LSM gets the feature at boot time, perhaps with lsm.secmark and lsm.netlabel boot options, is left for future work. https://github.com/cschaufler/lsm-stacking#secmark-6.17-rc6-v1 Casey Schaufler (2): LSM: Exclusive secmark usage LSM: Allow reservation of netlabel include/linux/lsm_hooks.h | 2 ++ security/apparmor/include/net.h | 5 ++++ security/apparmor/lsm.c | 7 +++--- security/security.c | 12 +++++++++ security/selinux/hooks.c | 11 +++++--- security/selinux/include/netlabel.h | 5 ++++ security/selinux/netlabel.c | 4 +-- security/smack/smack.h | 10 ++++++++ security/smack/smack_lsm.c | 39 +++++++++++++++++++++-------- security/smack/smack_netfilter.c | 10 ++++++-- security/smack/smackfs.c | 20 ++++++++++++++- 11 files changed, 103 insertions(+), 22 deletions(-) -- 2.51.0
Powered by blists - more mailing lists