| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080207120459.d4994f44.akpm@linux-foundation.org> Date: Thu, 7 Feb 2008 12:04:59 -0800 From: Andrew Morton <akpm@...ux-foundation.org> To: Paul Moore <paul.moore@...com> Cc: casey@...aufler-ca.com, davem@...emloft.net, jmorris@...ei.org, mingo@...e.hu, sds@...ho.nsa.gov, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: + smack-unlabeled-outgoing-ambient-packets.patch added to -mm tree On Thu, 7 Feb 2008 14:50:41 -0500 Paul Moore <paul.moore@...com> wrote: > On Thursday 07 February 2008 2:02:06 pm akpm@...ux-foundation.org wrote: > > The patch titled > > Smack: unlabeled outgoing ambient packets > > has been added to the -mm tree. Its filename is > > smack-unlabeled-outgoing-ambient-packets.patch > > > > Before you just go and hit "reply", please: > > a) Consider who else should be cc'ed > > b) Prefer to cc a suitable mailing list as well > > c) Ideally: find the original patch on the mailing list and do a > > reply-to-all to that, adding suitable additional cc's > > I didn't see this patch hit any of the relevant mailing lists (am I missing > one somewhere?) so I'm just CC'ing everyone on the To/CC line, minus > mm-commits. It was on linux-kernel and netdev. I've restored those cc's. > > ------------------------------------------------------ > > Subject: Smack: unlabeled outgoing ambient packets > > From: Casey Schaufler <casey@...aufler-ca.com> > > > > Smack uses CIPSO labeling, but allows for unlabeled packets by specifying > > an "ambient" label that is applied to incoming unlabeled packets. Because > > the other end of the connection may dislike IP options, and ssh is one know > > application that behaves thus, it is prudent to respond in kind. This > > patch changes the network labeling behavior such that an outgoing packet > > that would be given a CIPSO label that matches the ambient label is left > > unlabeled. > > I suppose you are entitled to use NetLabel however you want, so long as it > works and doesn't cause problems for other users, but I think you are > starting down a rather ugly road with this patch. In my mind a cleaner > solution would be to make of use of the built-in NetLabel/LSM domain mapping > functionality to accomplish the same thing. In other words, there is already > a mechanism to do what you want, it's probably a good idea to make use of it > instead of recreating it. > > I would suggest that when you set the NetLabel security attributes for a > socket you set the domain field to the smack label (see the SELinux code for > an example, if you are unsure see selinux_netlbl_sock_setsid() and > security_netlbl_sid_to_secattr()). Once you do that you should continue to > set the default NetLabel domain mapping to send CIPSO tagged packets but also > create a new NetLabel domain mapping so that the ambient smack label causes > packets to be sent "unlabeled". The only other change you would have to make > is to ensure that the NetLabel domain mappings are kept in sync with any > ambient label changes (should be easy enough and a rather infrequent > operation in practice). > > This also should have the advantage of making your life easier if/when more > advanced labeled network controls are added to Smack (see the SELinux changes > made in 2.6.25 and our previous discussions). > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists