lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhS_txcE=3r9MFNRwNuxNwK1JT1272h+yeqqx-gXMdYgzQ@mail.gmail.com>
Date:   Wed, 10 Jan 2018 11:39:45 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     linux-sctp@...r.kernel.org
Cc:     Richard Haines <richard_c_haines@...nternet.com>,
        selinux@...ho.nsa.gov, netdev@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Vlad Yasevich <vyasevich@...il.com>, nhorman@...driver.com,
        Stephen Smalley <sds@...ho.nsa.gov>,
        Eric Paris <eparis@...isplace.org>, marcelo.leitner@...il.com,
        casey@...aufler-ca.com
Subject: Re: [PATCH V4 0/4] Add SELinux SCTP protocol support

On Sat, Dec 30, 2017 at 12:18 PM, Richard Haines
<richard_c_haines@...nternet.com> wrote:
> Note: Some conflicts are expected when merging with current net-next due to
> Interleaving Data (I-DATA) sets of patches:
> PATCH 2/4 - Where 'sctp_datachk_len(&asoc->stream)' has replaced
> 'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h,
> net/sctp/chunk.c and net/sctp/socket.c
> PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
> #define SCTP_SENDMSG_CONNECT to a higher number.
>
> These patches have been built on Fedora 27 with kernel 4.14.8 plus
> the following userspace patches to enable testing:
>
> 1) Updates to libsepol 2.7 to support the sctp portcon statement.
>    The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          selinux-Add-support-for-the-SCTP-portcon-keyword.patch
>
> 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
>    selinux-testsuite/README.sctp for details. The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          selinux-testsuite-Add-SCTP-test-support.patch
>
> 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
>    sctp_test. It also contains a minor patch for test_1_to_1_connect.c
>    as when CIPSO/CALIPSO configured, NetLabel returns a different error
>    code for illegal addresses in test 5. The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
>
> All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
>
> All SCTP regression tests "./sctp-tests run" run correctly in enforcing
> mode. These tests are obtained from: https://github.com/sctp/sctp-tests
>
> The selinux-testsuite patch also adds remote tests (that need some manual
> configuration). These are useful for testing CIPSO/CALIPSO over a network
> with a number of categories to produce large ip option fields with various
> message sizes forcing fragmentation etc..
>
> Changes since RFC Patch:
> Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
> as re-engineered. However this patchset will require the NetLabel
> patch at [1] to fully run the SCTP selinux-testsuite.
>
> V1 Changes:
> PATCH 1/4
> Remove unused parameter from security_sctp_assoc_request().
> Reformat and update LSM-sctp.rst documentation.
> PATCH 2/4
> Add variables and RCU locks as requested in [2] to support IP options.
> PATCH 3/4
> Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
> and sctp_sf_do_5_2_4_dupcook().
> Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
> no longer required.
> PATCH 4/4
> Reformat and update SELinux-sctp.rst documentation.
> Remove bindx and connectx permissions.
> Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
> utilise helpers for code reuse.
> Add spinlock to selinux_sctp_assoc_request().
> Remove unused parameter from security_sctp_assoc_request().
> Use address->sa_family == AF_INET in *_bind and *_connect to ensure
> correct address type.
> Minor cleanups.
>
> V2 Changes:
> PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
> PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
>
> V3 Changes:
> PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
> Marcelo
>
> V4 Changes:
> PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
> lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
> PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
> selinux_netlbl_socket_connect_locked() and move description comments to
> selinux_sctp_bind_connect()
>
> [1] https://marc.info/?l=selinux&m=151061619115945&w=2
> [2] https://marc.info/?l=selinux&m=150962470215797&w=2
> [3] https://marc.info/?l=selinux&m=151198281817779&w=2

SCTP folks, any objections?  I'm planning on merging these into
selinux-next after the next merge window so if you want to see any
changes, please speak up ...

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ