On Tue, 2006-08-29 at 12:39 -0500, Serge E. Hallyn wrote:
> Quoting Paul Moore ([EMAIL PROTECTED]):
> > Serge E. Hallyn wrote:
> > > Quoting Paul Moore ([EMAIL PROTECTED]):
> > > 
> > >>For those of you using the latest versions of the netlabel_tools you can
> > >>specify specific per-domain CIPSO configurations with the following
> > >>command line (for older versions replace "map" with "mgmt"):
> > >>
> > >> # netlabelctl map add domain:<domain> protocol:cipsov4,<doi>
> > >>
> > >>An example for the "unlabeled_t" domain using CIPSO doi #8 would be:
> > >>
> > >> # netlabelctl map add domain:unlabeled_t protocol:cipsov4,8
> > > 
> > > 
> > > Ok, cool, that is in fact how we thought <doi> would be used.  However,
> > > looking at the current code, this shouldn't work, as pointed out by
> > > KaiGai (thanks KaiGai).  If you look at
> > > security/selinux/xfrm.c:selinux_authorizable_ctx(),
> > > it seems to enforce that doi == XFRM_SC_DOI_LSM.
> > > 
> > > Should that check be removed, or am I misremembering what that fn is
> > > supposed to do?
> > 
> > Actually, I think you are confusing IPsec/IKE DOIs with CIPSO DOIs (or
> > I'm confused <g>).  A CIPSO DOI is not in any way related to an IPsec
> > DOI, all CIPSO DOI processing should be handled in the NetLabel code;
> > for more information on CIPSO DOI processing look at
> > net/ipv4/cipso_ipv4.c in David Miller's net-2.6.19 git tree.
> > 
> > Does this make sense?
> 
> Ah, yes, I was, and you are, thanks  :)
> 
> However, at least the second part of my patch still stands  :) Checking
> the ipsec doi vs XFRM_SC_ALG_SELINUX is wrong.
> 
> Regarding the first piece of the patch (again attached), the question
> then is, do we want to have the ipsec doi be predefined to
> 'XFRM_SC_DOI_LSM', or do we want it to be usable for separating ipsec
> policy domains of interpretations?  
> 
> thanks,
> -serge
> 
> Subject: [PATCH] nethooks: fix some ctx_doi vs ctx_alg confusion
> 
> The security selinux_authorizable_ctx() function is claiming that
> selinux will only authorize a single <doi>, which should be right.
> Remove that check.
> 
> It is also using the wrong constant to enforce that selinux only
> authorize its own algs in selinux_xfrm_sec_ctx_alloc().  Fix up
> the constant.
> 
> Signed-off-by: Serge E. Hallyn <[EMAIL PROTECTED]>
> 
> ---
> 
>  security/selinux/xfrm.c |    3 +--
>  1 files changed, 1 insertions(+), 2 deletions(-)
> 
> 1ba0de675775d163bf34bca744ff3ea4bd35ad8a
> diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
> index 6c985ce..4e22a0e 100644
> --- a/security/selinux/xfrm.c
> +++ b/security/selinux/xfrm.c
> @@ -54,7 +54,6 @@
>  static inline int selinux_authorizable_ctx(struct xfrm_sec_ctx *ctx)
>  {
>       return (ctx &&
> -             (ctx->ctx_doi == XFRM_SC_DOI_LSM) &&
>               (ctx->ctx_alg == XFRM_SC_ALG_SELINUX));
>  }
>  
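Review bot: the removal of the `ctx_doi == XFRM_SC_DOI_LSM` test in selinux_authorizable_ctx() is not supported by the commit message, which says the single-DOI claim "should be right" and then drops the check anyway; the cover text also leaves open whether the IPsec DOI is meant to be fixed at XFRM_SC_DOI_LSM or used to separate policy domains, and the original motivation (per-domain CIPSO DOIs) was resolved earlier in this thread as unrelated to the IPsec DOI. After this hunk no line in the visible diff validates ctx_doi at all, so a context carrying any DOI value would be treated as authorizable by SELinux. Suggest keeping the check until the DOI semantics are settled, or, if other DOI values are to be accepted, saying in the commit message what they mean and adding the corresponding validation instead of removing it.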
> @@ -104,7 +103,7 @@ static int selinux_xfrm_sec_ctx_alloc(st
>       struct xfrm_sec_ctx *ctx;
>  
>       BUG_ON(!uctx);
> -     BUG_ON(uctx->ctx_doi != XFRM_SC_ALG_SELINUX);
> +     BUG_ON(uctx->ctx_alg != XFRM_SC_ALG_SELINUX);

Venkat's mls xfrm patches (already in the net-2.6.19 tree) replace this
BUG_ON with an if statement that returns -EINVAL, as this represents
invalid data from userspace rather than a kernel bug.  So you'll need to
re-base at least.

>  
>       if (uctx->ctx_len >= PAGE_SIZE)
>               return -ENOMEM;
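Review bot: the field fix in the BUG_ON line is right, since the old line compared ctx_doi against an algorithm constant, but BUG_ON is the wrong response at this point: uctx is the user-supplied context, so a malformed ctx_alg from userspace would crash the kernel instead of being rejected. Return -EINVAL the same way the `if (uctx->ctx_len >= PAGE_SIZE) return -ENOMEM;` check just below it returns an error, which also matches the reply above noting that the net-2.6.19 tree already replaces this BUG_ON with an -EINVAL return, so this hunk needs a rebase on that tree.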
-- 
Stephen Smalley
National Security Agency
