lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 11 Jun 2024 11:42:00 +0200
From: Ondrej Mosnacek <omosnace@...hat.com>
To: Casey Schaufler <casey@...aufler-ca.com>
Cc: Paul Moore <paul@...l-moore.com>, netdev@...r.kernel.org, 
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH v2 0/2] cipso: make cipso_v4_skbuff_delattr() fully remove
 the CIPSO options

On Mon, Jun 10, 2024 at 6:53 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
>
> On 6/10/2024 8:14 AM, Ondrej Mosnacek wrote:
> > On Fri, Jun 7, 2024 at 8:50 PM Casey Schaufler <casey@...aufler-ca.com> wrote:
> >> On 6/7/2024 9:07 AM, Ondrej Mosnacek wrote:
> >>> This series aims to improve cipso_v4_skbuff_delattr() to fully
> >>> remove the CIPSO options instead of just clearing them with NOPs.
> >>> That is implemented in the second patch, while the first patch is
> >>> a bugfix for cipso_v4_delopt() that the second patch depends on.
> >>>
> >>> Tested using selinux-testsuite a TMT/Beakerlib test from this PR:
> >>> https://src.fedoraproject.org/tests/selinux/pull-request/488
> >> Smack also uses CIPSO. The Smack testsuite is:
> >> https://github.com/smack-team/smack-testsuite.git
> > I tried to run it now, but 6 out of 114 tests fail for me already on
> > the baseline kernel (I tried with the v6.9 tag from mainline). The
> > output is not very verbose, so I'm not sure what is actually failing
> > and if it's caused by something on my side... With my patches applied,
> > the number of failed tests was the same, though, so there is no
> > evidence of a regression, at least.
>
> I assume you didn't select CONFIG_SECURITY_SMACK_NETFILTER, which
> impacts some of the IPv6 test case. Thank you for running the tests.

You're right, I only enabled SECURITY_SMACK and didn't look at the
other options. Enabling SECURITY_SMACK_NETFILTER fixed most of the
failures, but the audit-avc test is still failing:

./tests/audit-avc.sh:62 FAIL
./tests/audit-avc.sh:78 PASS
./tests/audit-avc.sh PASS=1 FAIL=1

I didn't try the baseline kernel this time, but looking at the test
script the failure doesn't appear to be related to the patches.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ