Message-ID: <20251001215643.31465-1-casey@schaufler-ca.com>
Date: Wed, 1 Oct 2025 14:56:41 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
serge@...lyn.com,
keescook@...omium.org,
john.johansen@...onical.com,
penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org,
selinux@...r.kernel.org
Subject: [PATCH 0/2] LSM: Identify module using network facilities

Security identification for network packets is provided by two mechanisms,
secmarks and netlabel.

Secmarks are 32 bit quantities managed by the netfilter system. It is
strongly believed that there is no hope that the size of this will ever
change. This is problematic in the face of multiple security modules
trying to use this facility at the same time. There is no identified use
case, nor user space support for specifying netfilter rules for multiple
LSMs. The LSMs have been modified to request use of the secmark, and to
eschew them if the request is denied. The first LSM that requests use
of secmarks is granted it, and all subsequent requests are denied.

Netlabel uses the CIPSO2 and CALIPSO IP options to transmit security
information on IP packets. It does not support sending multiple sets of
data. It is unlikely that any two LSMs would agree on how a packet should
be labeled. As with the secmarks, LSMs have been modified to request use
of netlabel, and to eschew them if the request is denied. The first LSM
that requests use of netlabel is granted it, and all subsequent requests
are denied.

The ordering determines which LSM gets these features. The ability
to determine which LSM gets the feature at boot time, perhaps with
lsm.secmark and lsm.netlabel boot options, is left for future work.

https://github.com/cschaufler/lsm-stacking#secmark-6.17-rc6-v1

Casey Schaufler (2):
  LSM: Exclusive secmark usage
  LSM: Allow reservation of netlabel

 include/linux/lsm_hooks.h           |  2 ++
 security/apparmor/include/net.h     |  5 ++++
 security/apparmor/lsm.c             |  7 +++---
 security/security.c                 | 12 +++++++++
 security/selinux/hooks.c            | 11 +++++---
 security/selinux/include/netlabel.h |  5 ++++
 security/selinux/netlabel.c         |  4 +--
 security/smack/smack.h              | 10 ++++++++
 security/smack/smack_lsm.c          | 39 +++++++++++++++++++++--------
 security/smack/smack_netfilter.c    | 10 ++++++--
 security/smack/smackfs.c            | 20 ++++++++++++++-
 11 files changed, 103 insertions(+), 22 deletions(-)
--
2.51.0
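The cover letter describes a first-requester-wins reservation: each LSM asks for the secmark and for netlabel at initialization, the first module to ask is granted the facility, every later request is denied, and a denied module simply stops touching that facility in its packet hooks. The following userspace model is an added illustration of that design, not code from this patch series or from the kernel; the names `lsm_request_facility`, `lsm_init_in_order`, `lsm_secmark_hook` and `struct lsm_module` are hypothetical, and the module names used as input are constructed sample data. It shows why the LSM initialization order decides the owner: running the same two modules in the opposite order swaps who gets both facilities.

```c
/* Userspace model of exclusive secmark/netlabel reservation.
 * Hypothetical names; this is not the kernel's interface. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum net_facility { FACILITY_SECMARK, FACILITY_NETLABEL, FACILITY_COUNT };

/* Which module currently holds each facility; NULL means unclaimed. */
static const char *facility_owner[FACILITY_COUNT];

void reservation_reset(void)
{
    memset(facility_owner, 0, sizeof facility_owner);
}

/* Grant the facility to the first module that asks; deny everyone after. */
bool lsm_request_facility(enum net_facility f, const char *lsm)
{
    if ((unsigned)f >= FACILITY_COUNT || lsm == NULL)
        return false;
    if (facility_owner[f] != NULL)
        return false;            /* already reserved: caller must eschew it */
    facility_owner[f] = lsm;
    return true;
}

const char *lsm_facility_owner(enum net_facility f)
{
    return (unsigned)f < FACILITY_COUNT ? facility_owner[f] : NULL;
}

/* State a module keeps after its init-time requests (hypothetical). */
struct lsm_module {
    const char *name;
    bool uses_secmark;
    bool uses_netlabel;
};

/* Initialize modules in the given order; each asks for both facilities.
 * Because requests are answered first-come first-served, the order of
 * this array alone determines which module ends up owning each one. */
void lsm_init_in_order(struct lsm_module *mods, size_t n)
{
    reservation_reset();
    for (size_t i = 0; i < n; i++) {
        mods[i].uses_secmark  = lsm_request_facility(FACILITY_SECMARK,  mods[i].name);
        mods[i].uses_netlabel = lsm_request_facility(FACILITY_NETLABEL, mods[i].name);
    }
}

/* Model of a netfilter hook: a module that was denied the secmark leaves
 * the packet's mark untouched; the owner applies the mark it wants.
 * Returns the mark the packet carries afterwards. */
unsigned int lsm_secmark_hook(const struct lsm_module *m,
                              unsigned int current_mark, unsigned int wanted)
{
    if (!m->uses_secmark)
        return current_mark;     /* eschew: not ours to set */
    return wanted;
}

static void report(const struct lsm_module *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("  %-8s secmark=%s netlabel=%s\n", mods[i].name,
               mods[i].uses_secmark ? "yes" : "no",
               mods[i].uses_netlabel ? "yes" : "no");
}

int main(void)
{
    /* Constructed sample orders; real order comes from CONFIG_LSM / lsm= */
    struct lsm_module a[2] = { { "selinux" }, { "smack" } };
    struct lsm_module b[2] = { { "smack" }, { "selinux" } };

    lsm_init_in_order(a, 2);
    puts("order selinux,smack:");
    report(a, 2);

    lsm_init_in_order(b, 2);
    puts("order smack,selinux:");
    report(b, 2);
    return 0;
}
```

The point the model makes is the one the cover letter leaves for future work: with only first-come reservation, an administrator changes which module labels packets only by changing the module order, which is why a dedicated boot option such as the proposed lsm.secmark / lsm.netlabel would be the cleaner control.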