lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 16 Apr 2013 16:39:02 -0400
From:	Paul Moore <pmoore@...hat.com>
To:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
	selinux@...ho.nsa.gov
Subject: [RFC PATCH 0/3] Shrink sk_buff and add a security blob

This patchset is a follow-up to the recent discussion around sk_buff
size and the desire to add a LSM security blob to the sk_buff.  The
patches proposed here do indeed shrink the size of the sk_buff from
256 bytes down to 248 bytes on my x86_64 system while adding a LSM
security blob, but there is a tradeoff in that the patches overload
the skb_shared_info->destructor_arg field (more info/detail in the
description of patch 3/3).  The overloading only takes place for LSMs
which make use of the blob, all other cases behave as they currently
do.  I wouldn't say this solution is perfect, but it does both shrink
the sk_buff and add a security blob through what I believe to be the
least invasive approach.

I'm posting this to restart the discussion around these changes now
that we have a set of patches to discuss, critique, etc.  Hopefully
we can find some middle ground that gets everyone enough of what they
want, if not all.

The standard disclaimers apply.  This is a RFC patch; it builds,
boots, and passes the basic unit tests I've thrown at it, but I can't
say I've tested it throughly.  This includes building the kernel with
all the different, relevant CONFIG options.  YMMV.

---

Paul Moore (3):
      skb: wrap skb_shared_info->destructor_arg access with set and get functions
      net: wrap skb->secmark access with set and get functions
      net: move sk_buff->secmark into a security blob in skb_shared_info


 drivers/net/macvtap.c             |    2 -
 drivers/net/tun.c                 |    2 -
 include/linux/security.h          |   91 ++++++++++++++++++++++++++-
 include/linux/skbuff.h            |   73 ++++++++++++++-------
 net/core/skbuff.c                 |   28 +++++++-
 net/ipv4/ip_output.c              |    2 -
 net/ipv6/ip6_output.c             |    2 -
 net/netfilter/xt_AUDIT.c          |    8 +-
 net/netfilter/xt_CONNSECMARK.c    |   10 ++-
 net/netfilter/xt_SECMARK.c        |    2 -
 net/packet/af_packet.c            |    4 +
 security/capability.c             |   38 +++++++++++
 security/security.c               |   63 +++++++++++++++++++
 security/selinux/hooks.c          |  126 +++++++++++++++++++++++++++++++++----
 security/selinux/include/objsec.h |    6 ++
 15 files changed, 397 insertions(+), 60 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ