Message-ID: <1314779777-12669-1-git-send-email-rongqing.li@windriver.com>
Date:	Wed, 31 Aug 2011 16:36:15 +0800
From:	<rongqing.li@...driver.com>
To:	<netdev@...r.kernel.org>, <selinux@...ho.nsa.gov>,
	<linux-security-module@...r.kernel.org>
Subject: [PATCH 0/2] Dump the sock's security context 

-------
    Any review would be much appreciated.
 
Comments:
--------
    Add a netlink attribute INET_DIAG_SECCTX
    
    Add a new netlink attribute INET_DIAG_SECCTX to dump the security
    context of TCP sockets.
    
    The element sk_security of struct sock represents the socket
    security context ID, which is inherited from the parent process
    when the socket is created.
    
    But when an SELinux type_transition rule is applied to a socket, or an
    application sets /proc/xxx/attr/createsock, the socket security
    context will differ from that of the creating process. Under these
    conditions "netstat -Z" returns a wrong value, since "netstat -Z"
    only reports the process security context as the socket's security
    context.


The application to verify the new netlink attribute.
------
See attached file.

Test:
--------
1. Enable SELinux at compile time and at startup.
	root@...u-host:/root> ./printsocketsec
	 inode:7141 system_u:system_r:rpcbind_t:s0 
	 inode:7136 system_u:system_r:rpcbind_t:s0 
	 inode:7604 system_u:system_r:initrc_t:s0 
	 inode:7227 system_u:system_r:rpcd_t:s0 
	 inode:7471 system_u:system_r:sshd_t:s0-s0:c0.c1023 
	 inode:7469 system_u:system_r:sshd_t:s0-s0:c0.c1023 
	 inode:7552 system_u:system_r:sendmail_t:s0 
	 inode:7348 system_u:system_r:initrc_t:s0 
	 inode:7553 system_u:system_r:sendmail_t:s0 
	root@...u-host:/root> 

2. Disable SELinux at startup.
	root@...u-host:/root> ./printsocketsec 
	inode:3221 
	inode:2942 
	inode:2861 
	inode:3256 
	inode:3156 
	inode:3220 
	inode:3060
	root@...u-host:/root>

3. Disable SELinux at compile time and at startup.
	root@...u-host:/root> ./printsocketsec 
	inode:3221 
	inode:2942 
	inode:2861 
	inode:3256 
	inode:3156 
	inode:3220 
	inode:3060
	root@...u-host:/root>
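The attached printsocketsec is not reproduced in the archive, so here is an added example (not the author's program) of a user-space reader for the inet_diag reply: it walks each inet_diag_msg and its rtattr list and reports the inode together with the INET_DIAG_SECCTX string where the kernel supplies one, which is what the test output above shows. Assumptions: the numeric value of INET_DIAG_SECCTX is a placeholder, since the cover letter does not give it, the live query uses the SOCK_DIAG_BY_FAMILY request of current kernels rather than whatever the original tool sent, and build_sample_payload() is a constructed reply so the parser can be exercised offline.

```python
import socket, struct

# Constants from <linux/netlink.h>, <linux/sock_diag.h>, <linux/inet_diag.h>, <linux/tcp.h>.
NETLINK_INET_DIAG, SOCK_DIAG_BY_FAMILY, NLMSG_DONE = 4, 20, 3
NLM_F_REQUEST, NLM_F_DUMP, TCP_ALL_STATES = 0x1, 0x300, 0xFFF
INET_DIAG_SECCTX = 99  # placeholder: the cover letter names the attribute but not its number (assumption)

NLMSG_HDR = struct.Struct("=IHHII")  # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
INET_DIAG_MSG = struct.Struct("=BBBBHH16s16sI8sIIIII")  # family,state,timer,retrans,sockid(48B),expires,rq,wq,uid,inode
RTATTR = struct.Struct("=HH")  # rta_len, rta_type
align4 = lambda n: (n + 3) & ~3

def parse_inet_diag(payload):
    """Return ([(inode, secctx_or_None), ...], dump_finished) for one netlink recv() buffer."""
    out, off = [], 0
    while off + NLMSG_HDR.size <= len(payload):
        nlen, ntype, _, _, _ = NLMSG_HDR.unpack_from(payload, off)
        if ntype != SOCK_DIAG_BY_FAMILY or not NLMSG_HDR.size + INET_DIAG_MSG.size <= nlen <= len(payload) - off:
            return out, True  # NLMSG_DONE, NLMSG_ERROR or a truncated/malformed message ends the dump
        inode = INET_DIAG_MSG.unpack_from(payload, off + NLMSG_HDR.size)[-1]
        secctx, a = None, off + NLMSG_HDR.size + INET_DIAG_MSG.size
        while a + RTATTR.size <= off + nlen:  # walk the rtattr list that follows the fixed message
            alen, atype = RTATTR.unpack_from(payload, a)
            if atype == INET_DIAG_SECCTX:  # the kernel would emit the context as a NUL-terminated string
                secctx = payload[a + RTATTR.size:a + alen].rstrip(b"\0").decode()
            a += max(align4(alen), RTATTR.size)  # always make progress, even on a malformed length
        out.append((inode, secctx))
        off += align4(nlen)
    return out, False

def build_sample_payload():
    """Constructed reply: one socket carrying a secctx attribute, one without, then NLMSG_DONE."""
    ctx = b"system_u:system_r:rpcbind_t:s0\0"
    attr = (RTATTR.pack(RTATTR.size + len(ctx), INET_DIAG_SECCTX) + ctx).ljust(align4(RTATTR.size + len(ctx)), b"\0")
    def msg(inode, attrs):
        body = INET_DIAG_MSG.pack(socket.AF_INET, 1, 0, 0, 0, 0, bytes(16), bytes(16), 0, bytes(8), 0, 0, 0, 0, inode) + attrs
        return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), SOCK_DIAG_BY_FAMILY, 0, 1, 0) + body
    return msg(7141, attr) + msg(3221, b"") + NLMSG_HDR.pack(NLMSG_HDR.size, NLMSG_DONE, 0, 1, 0)

def dump_tcp_sockets():
    """Live query (Linux only); secctx is filled in only on a kernel carrying the patch."""
    req = struct.pack("=BBBBI", socket.AF_INET, socket.IPPROTO_TCP, 0, 0, TCP_ALL_STATES) + bytes(48)
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(req), SOCK_DIAG_BY_FAMILY, NLM_F_REQUEST | NLM_F_DUMP, 1, 0)
    with socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_INET_DIAG) as s:
        s.send(hdr + req)
        entries, done = [], False
        while not done:
            chunk, done = parse_inet_diag(s.recv(1 << 16))
            entries += chunk
    return entries  # print each as the cover letter's tool does: f"inode:{inode} {secctx or ''}"
```

When the reply carries no INET_DIAG_SECCTX attribute the parser yields None for secctx, which corresponds to the inode-only lines in tests 2 and 3 above.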