lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2084590.x0rrIneakS@sifl>
Date:	Sun, 07 Feb 2016 14:56:18 -0500
From:	Paul Moore <pmoore@...hat.com>
To:	Huw Davies <huw@...eweavers.com>
Cc:	netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
	selinux@...ho.nsa.gov
Subject: Re: [RFC PATCH v2 00/18] CALIPSO Implementation

On Friday, January 08, 2016 09:52:36 AM Huw Davies wrote:
> This patch series implements RFC 5570 - Common Architecture Label IPv6
> Security Option (CALIPSO).  Its goal is to set MLS sensitivity labels
> on IPv6 packets using a hop-by-hop option.  CALIPSO is very similar to
> its IPv4 cousin CIPSO and much of this series is based on that code.
> 
> I'm particularly interested in feedback relating to adding
> struct ipv6_txoptions* to struct inet_request_sock.
> (ipv6: Allow request socks to contain IPv6 options.)
> 
> Thoughts about this or any of the other patches are most welcome.
> 
> If anybody actually wants to play with this, then you'll need some patches
> to netlabel-tools that are currently available on the 'calipso' branch at:
> https://github.com/hdmdavies/netlabel_tools.git
> 
> Thanks to Paul Moore, Hannes Frederic Sowa and Casey Schaufler for their
> comments so far.
> 
> Changes between v2 and v1:
> 
> * Simplify ipv6_renew_options_kern() to use set_fs(KERNEL_DS).
>   Thanks to Hannes Frederic Sowa for suggesting this.
> 
> * Use the parent socket to account for the listener socket
>   option's memory usage.  Again, thanks for Hannes for this.
> 
> * Added netlbl_cfg_calipso_* functions for SMACK.
> 
> * Rebased to v4.4-rc8.

Thanks for fixing this patchset up and sending out a v2.  I took a closer look 
and just sent out my comments, let me know if you have any questions.

Once we get to a v3 patchset, I think it's time to reach out Oracle and try 
some interop with Solaris TX.  Let me know when you are ready and I'll put 
everybody in touch to try to get some testing going.

-- 
paul moore
security @ redhat

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ