Message-ID: <alpine.LRH.1.10.0810011952100.6732@tundra.namei.org>
Date: Wed, 1 Oct 2008 19:55:49 +1000 (EST)
From: James Morris <jmorris@...ei.org>
To: Paul Moore <paul.moore@...com>
cc: selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [RFC PATCH v6 11/16] netlabel: Add functionality to set the security attributes of a packet
On Tue, 16 Sep 2008, Paul Moore wrote:
> This patch builds upon the new NetLabel address selector functionality by
> providing the NetLabel KAPI and CIPSO engine support needed to enable the
> new packet-based labeling. The only new addition to the NetLabel KAPI at
> this point is shown below:
>
> * int netlbl_skbuff_setattr(skb, family, secattr)
>
> ... and is designed to be called from a Netfilter hook after the packet's
> IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
>
> This patch also provides the necessary SELinux hooks to support this new
> functionality. Smack support is not currently included due to uncertainty
> regarding the permissions needed to expand the Smack network access controls.
>
> Signed-off-by: Paul Moore <paul.moore@...com>
Reviewed-by: James Morris <jmorris@...ei.org>
> + /* we overwrite any existing options to ensure that we have enough
> + * room for the CIPSO option, the reason is that we _need_ to guarantee
> + * that the security label is applied to the packet - we do the same
> + * thing when using the socket options and it hasn't caused a problem,
> + * if we need to we can always revisit this choice later */
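Review bot: the comment at "we overwrite any existing options" should also state what an administrator will observe when a packet's existing IP options are discarded to make room for the CIPSO option, and whether the packet is dropped if the option still does not fit; since the comment itself notes the choice may be revisited, a rate-limited message or a counter at the point where options are replaced would make that behaviour diagnosable rather than silent.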
....
> + /* we have to do the following because we are being called from a
> + * netfilter hook which means the packet already has had the header
> + * fields populated and the checksum calculated - yes this means we
> + * are doing more work than needed but we do it to keep the core
> + * stack clean and tidy */
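Review bot: the comment at "we have to do the following because we are being called from a netfilter hook" should name which header fields are actually redone (at least the IP header length, total length and checksum, since inserting the option changes the header size), so that a later reader can check the code against the comment instead of inferring it from "more work than needed".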
It might be better in the long term to integrate this stuff more directly
with the core networking.
- James
--
James Morris
<jmorris@...ei.org>