Re: [PATCH v2 4/4] smack: provide socketpair callback

2018-05-04 Thread Casey Schaufler
> Signed-off-by: David Herrmann <dh.herrm...@gmail.com> This doesn't look like it will cause any problems. I've only been able to test it in a general way. I haven't created specific tests, but it passes the usual Smack use cases. Acked-by: Casey Schaufler <ca...@schaufler-ca.com>

Re: [PATCH 0/3] Introduce LSM-hook for socketpair(2)

2018-04-23 Thread Casey Schaufler
On 4/23/2018 6:30 AM, David Herrmann wrote: > Hi > > This series adds a new LSM hook for the socketpair(2) syscall. The idea > is to allow SO_PEERSEC to be called on AF_UNIX sockets created via > socketpair(2), and return the same information as if you emulated > socketpair(2) via a temporary

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Casey Schaufler
On 4/18/2018 5:46 PM, Paul Moore wrote: > On Wed, Apr 18, 2018 at 8:41 PM, Casey Schaufler <ca...@schaufler-ca.com> > wrote: >> On 4/18/2018 4:47 PM, Paul Moore wrote: >>> On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs <r...@redhat.com> wrote: >>

Re: [RFC PATCH ghak32 V2 01/13] audit: add container id

2018-04-18 Thread Casey Schaufler
On 4/18/2018 4:47 PM, Paul Moore wrote: > On Fri, Mar 16, 2018 at 5:00 AM, Richard Guy Briggs wrote: >> Implement the proc fs write to set the audit container ID of a process, >> emitting an AUDIT_CONTAINER record to document the event. >> ... >> >> diff --git

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Casey Schaufler
On 2/27/2018 9:36 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:30 PM, Casey Schaufler <ca...@schaufler-ca.com> > wrote: >> On 2/27/2018 8:39 AM, Andy Lutomirski wrote: >>> On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov >>> <alexei.st

Re: [PATCH bpf-next v8 05/11] seccomp,landlock: Enforce Landlock programs per process hierarchy

2018-02-27 Thread Casey Schaufler
On 2/27/2018 8:39 AM, Andy Lutomirski wrote: > On Tue, Feb 27, 2018 at 5:32 AM, Alexei Starovoitov > wrote: >> [ Snip ] > An earlier version of the patch set used the seccomp filter chain. > Mickaël, what exactly was wrong with that approach other than that the >

Re: RFC(V3): Audit Kernel Container IDs

2018-02-03 Thread Casey Schaufler
On 2/2/2018 3:24 PM, Paul Moore wrote: > On Fri, Feb 2, 2018 at 5:19 PM, Simo Sorce wrote: >> On Fri, 2018-02-02 at 16:24 -0500, Paul Moore wrote: >>> On Wed, Jan 10, 2018 at 2:00 AM, Richard Guy Briggs wrote: On 2018-01-09 11:18, Simo Sorce wrote: > On

Re: [PATCH v3 1/4] security: Add support for SCTP security hooks

2017-12-22 Thread Casey Schaufler
On 12/22/2017 5:05 AM, Marcelo Ricardo Leitner wrote: > From: Richard Haines > > The SCTP security hooks are explained in: > Documentation/security/LSM-sctp.rst > > Signed-off-by: Richard Haines > Acked-by: Marcelo Ricardo Leitner

Re: RFC(v2): Audit Kernel Container IDs

2017-12-11 Thread Casey Schaufler
On 12/11/2017 8:30 AM, Eric Paris wrote: > On Sat, 2017-12-09 at 10:28 -0800, Casey Schaufler wrote: >> Because a container doesn't have to use namespaces to be a container >> you still need a mechanism for a process to declare that it is in >> fact >> in a container, an

Re: RFC(v2): Audit Kernel Container IDs

2017-12-09 Thread Casey Schaufler
On 12/9/2017 2:20 AM, Mickaël Salaün wrote: > On 12/10/2017 18:33, Casey Schaufler wrote: >> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: >>> Containers are a userspace concept. The kernel knows nothing of them. >>> >>> The Linux audit system needs a w

Re: [BUG] kernel stack corruption during/after Netlabel error

2017-11-30 Thread Casey Schaufler
On 11/30/2017 9:57 AM, Eric Dumazet wrote: > On Thu, 2017-11-30 at 10:30 -0700, David Ahern wrote: >> On 11/30/17 8:44 AM, David Ahern wrote: >>> On 11/30/17 3:50 AM, Eric Dumazet wrote: @@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb)     th = (const struct tcphdr

Re: [BUG] kernel stack corruption during/after Netlabel error

2017-11-30 Thread Casey Schaufler
On 11/30/2017 2:50 AM, Eric Dumazet wrote: > On Wed, 2017-11-29 at 19:16 -0800, Casey Schaufler wrote: >> On 11/29/2017 4:31 PM, James Morris wrote: >>> On Wed, 29 Nov 2017, Casey Schaufler wrote: >>> >>>> I see that there is a proposed fix later in the thre

Re: [BUG] kernel stack corruption during/after Netlabel error

2017-11-29 Thread Casey Schaufler
On 11/29/2017 4:31 PM, James Morris wrote: > On Wed, 29 Nov 2017, Casey Schaufler wrote: > >> I see that there is a proposed fix later in the thread, but I don't see >> the patch. Could you send it to me, so I can try it on my problem? > Forwarded off-list. The patch d

Re: [BUG] kernel stack corruption during/after Netlabel error

2017-11-29 Thread Casey Schaufler
On 11/29/2017 2:26 AM, James Morris wrote: > I'm seeing a kernel stack corruption bug (detected via gcc) when running > the SELinux testsuite on a 4.15-rc1 kernel, in the 2nd inet_socket test: > > https://github.com/SELinuxProject/selinux-testsuite/blob/master/tests/inet_socket/test > > #

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Casey Schaufler
On 10/18/2017 5:05 PM, Richard Guy Briggs wrote: > On 2017-10-17 01:10, Casey Schaufler wrote: >> On 10/16/2017 5:33 PM, Richard Guy Briggs wrote: >>> On 2017-10-12 16:33, Casey Schaufler wrote: >>>> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: >>>

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Casey Schaufler
On 10/17/2017 8:44 AM, James Bottomley wrote: > On Tue, 2017-10-17 at 11:28 -0400, Simo Sorce wrote: >>> Without a *kernel* policy on containerIDs you can't say what >>> security policy is being exempted. >> The policy has been basically stated earlier. >> >> A way to track a set of processes from

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Casey Schaufler
On 10/17/2017 8:28 AM, Simo Sorce wrote: > On Tue, 2017-10-17 at 07:59 -0700, Casey Schaufler wrote: >> On 10/17/2017 5:31 AM, Simo Sorce wrote: >>> On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote: >>>> On Monday, October 16, 2017 8:33:40 PM EDT

Re: RFC(v2): Audit Kernel Container IDs

2017-10-17 Thread Casey Schaufler
On 10/17/2017 5:31 AM, Simo Sorce wrote: > On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote: >> On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote: >>> There is such a thing, but the kernel doesn't know about it >>> yet.  This same situation exists for loginuid and sessionid

Re: RFC(v2): Audit Kernel Container IDs

2017-10-16 Thread Casey Schaufler
On 10/16/2017 5:33 PM, Richard Guy Briggs wrote: > On 2017-10-12 16:33, Casey Schaufler wrote: >> On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: >>> Containers are a userspace concept. The kernel knows nothing of them. >>> >>> The Linux audit system needs a w

Re: RFC(v2): Audit Kernel Container IDs

2017-10-12 Thread Casey Schaufler
On 10/12/2017 7:14 AM, Richard Guy Briggs wrote: > Containers are a userspace concept. The kernel knows nothing of them. > > The Linux audit system needs a way to be able to track the container > provenance of events and actions. Audit needs the kernel's help to do > this. > > Since the concept

Re: Permissions for eBPF objects

2017-08-25 Thread Casey Schaufler
Adding the LSM list to the thread. On 8/25/2017 11:01 AM, Jeffrey Vander Stoep via Selinux wrote: > I’d like to get your thoughts on adding LSM permission checks on BPF objects. Aside from the use of these objects requiring privilege, what sort of controls do you think might be reasonable? Who

Re: [kernel-hardening] Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem

2017-04-19 Thread Casey Schaufler
On 4/19/2017 3:03 PM, Mickaël Salaün wrote: > On 19/04/2017 01:40, Kees Cook wrote: >> On Tue, Apr 18, 2017 at 4:16 PM, Casey Schaufler <ca...@schaufler-ca.com> >> wrote: >>> On 4/18/2017 3:44 PM, Mickaël Salaün wrote: >>>> On 19/04/2017 00:17, Kees Cook

Re: [PATCH net-next v6 04/11] landlock: Add LSM hooks related to filesystem

2017-04-18 Thread Casey Schaufler
On 4/18/2017 3:44 PM, Mickaël Salaün wrote: > On 19/04/2017 00:17, Kees Cook wrote: >> On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote: >>> Handle 33 filesystem-related LSM hooks for the Landlock filesystem >>> event: LANDLOCK_SUBTYPE_EVENT_FS. >>> >>> A Landlock event

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-21 Thread Casey Schaufler
On 7/20/2016 1:13 PM, Paul Moore wrote: > On Tue, Jul 19, 2016 at 7:37 PM, Casey Schaufler <ca...@schaufler-ca.com> > wrote: >> Digging into this further I have determined that the >> circumstances leading to this issue are somewhat complex. >> The good news is

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-19 Thread Casey Schaufler
On 7/6/2016 11:56 AM, Casey Schaufler wrote: > On 7/6/2016 11:43 AM, David Ahern wrote: >> On 7/6/16 11:01 AM, Casey Schaufler wrote: >>> I find the test occasionally passes without hanging, but will >>> hang the system if repeated. I am running on Ubuntu and Fedora, &

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Casey Schaufler
On 7/6/2016 11:43 AM, David Ahern wrote: > On 7/6/16 11:01 AM, Casey Schaufler wrote: >> I find the test occasionally passes without hanging, but will >> hang the system if repeated. I am running on Ubuntu and Fedora, >> both with systemd, which may be a contributing factor

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Casey Schaufler
On 7/6/2016 10:40 AM, David Ahern wrote: > On 7/6/16 10:24 AM, Casey Schaufler wrote: >> On 7/6/2016 9:28 AM, David Ahern wrote: >>> On 7/5/16 6:31 PM, Casey Schaufler wrote: >>>> On 7/5/2016 5:49 PM, David Ahern wrote: >>>>> On 7/5/16 5:38 PM, Cas

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Casey Schaufler
On 7/6/2016 9:28 AM, David Ahern wrote: > On 7/5/16 6:31 PM, Casey Schaufler wrote: >> On 7/5/2016 5:49 PM, David Ahern wrote: >>> On 7/5/16 5:38 PM, Casey Schaufler wrote: >>>> I have encountered a system hang with my Smack >>>> networking tests that bis

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Casey Schaufler
On 7/6/2016 7:03 AM, Paul Moore wrote: > On Wed, Jul 6, 2016 at 8:50 AM, Paul Moore <p...@paul-moore.com> wrote: >> On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com> >> wrote: >>> I have encountered a system hang with my Smack >>>

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Casey Schaufler
On 7/6/2016 5:50 AM, Paul Moore wrote: > On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com> > wrote: >> I have encountered a system hang with my Smack >> networking tests that bisects to the change below. >> I can't say that I have any idea

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-05 Thread Casey Schaufler
On 7/5/2016 5:49 PM, David Ahern wrote: > On 7/5/16 5:38 PM, Casey Schaufler wrote: >> I have encountered a system hang with my Smack >> networking tests that bisects to the change below. >> I can't say that I have any idea why the change >> would impact the Smack pr

Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-05 Thread Casey Schaufler
I have encountered a system hang with my Smack networking tests that bisects to the change below. I can't say that I have any idea why the change would impact the Smack processing, but there appears to be some serious packet processing going on. The Smack code is using CIPSO on the loopback

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-15 Thread Casey Schaufler
On 4/15/2016 2:38 AM, Paolo Abeni wrote: > On Thu, 2016-04-14 at 18:53 -0400, Paul Moore wrote: >> On Tue, Apr 12, 2016 at 4:52 AM, Paolo Abeni wrote: >>> Will be ok if we post a v2 version of this series, removing the hooks >>> de-registration bits, but preserving the selinux

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-13 Thread Casey Schaufler
On 4/13/2016 4:57 AM, Paolo Abeni wrote: > On Tue, 2016-04-12 at 06:57 -0700, Casey Schaufler wrote: >> On 4/12/2016 1:52 AM, Paolo Abeni wrote: >>> On Thu, 2016-04-07 at 14:55 -0400, Paul Moore wrote: >>>> On Thursday, April 07, 2016 01:45:32 AM Florian Westphal wrot

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-12 Thread Casey Schaufler
On 4/12/2016 1:52 AM, Paolo Abeni wrote: > On Thu, 2016-04-07 at 14:55 -0400, Paul Moore wrote: >> On Thursday, April 07, 2016 01:45:32 AM Florian Westphal wrote: >>> Paul Moore wrote: On Wed, Apr 6, 2016 at 6:14 PM, Florian Westphal wrote: >

Re: [RFC PATCH 2/2] selinux: implement support for dynamic net hook [de-]registration

2016-04-06 Thread Casey Schaufler
On 4/6/2016 2:51 AM, Paolo Abeni wrote: > This patch leverages the netlbl_changed() hook to perform on-demand > registration and deregistration of the netfilter hooks and the > socket_sock_rcv_skb hook. > > With default policy and empty netfilter/netlabel configuration, the > above hooks are not

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Casey Schaufler
On 4/6/2016 2:51 AM, Paolo Abeni wrote: > Currently, selinux always registers iptables POSTROUTING hooks regardless of > the running policy needs for any action to be performed by them. > > Even the socket_sock_rcv_skb() is always registered, but it can result in a > no-op > depending on the

Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-22 Thread Casey Schaufler
On 12/22/2015 3:46 AM, Huw Davies wrote: > This patch series implements RFC 5570 - Common Architecture Label IPv6 > Security Option (CALIPSO). Its goal is to set MLS sensitivity labels > on IPv6 packets using a hop-by-hop option. CALIPSO is very similar to > its IPv4 cousin CIPSO and much of this

[PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Casey Schaufler
From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one known application that behaves thus

Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Casey Schaufler
--- Paul Moore [EMAIL PROTECTED] wrote: On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets

Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Casey Schaufler
and it does have the fix you need. Thank you. Verification in progress. Casey Schaufler [EMAIL PROTECTED] -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html

[PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4

2008-02-15 Thread Casey Schaufler
From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one known application that behaves thus

Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4

2008-02-15 Thread Casey Schaufler
--- Paul Moore [EMAIL PROTECTED] wrote: On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets

[PATCH] [RFC] Smack: unlabeled outgoing ambient packets - v2

2008-02-11 Thread Casey Schaufler
From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one known application that behaves thus

[PATCH] (02/06/08 Linus git) Smack unlabeled outgoing ambient packets

2008-02-07 Thread Casey Schaufler
From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying an ambient label that is applied to incoming unlabeled packets. Because the other end of the connection may dislike IP options, and ssh is one known application that behaves thus
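
The ambient-label rule that this patch and its later versions above describe, as an added example that is not Smack's own code: a minimal CIPSO tag-type-1 encoder and decoder. An outgoing packet whose label equals the ambient label is sent with no IP option at all (so an ssh peer that rejects options is not bothered), and an incoming packet that carries no option is treated as having the ambient label. The label table, the DOI value 3 and the category numbers are constructed for the example; Smack takes its real mapping, DOI and ambient label from smackfs (the cipso, doi and ambient files), and the floor label "_" used here as the ambient is Smack's default.

```c
/* Added example, not Smack's own code: a minimal CIPSO tag-type-1 encoder and
 * decoder that applies the ambient-label rule from the patch description.
 * The label table, the DOI value and the category numbers are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_CIPSO    134   /* IP option type carrying a CIPSO label */
#define CIPSO_TAG_RBM  1     /* tag type 1: restrictive bitmap */
#define EXAMPLE_DOI    3     /* constructed; Smack takes its DOI from smackfs */

struct label_map { const char *label; uint8_t level; uint32_t cats; };  /* cats: bit i = category i */

/* Constructed table; Smack's real mapping is written to the smackfs cipso file.
 * "_" is the floor label, which is also Smack's default ambient label. */
static const struct label_map label_table[] = {
    { "_",      0, 0x0 },
    { "Secret", 2, 0x5 },   /* level 2, categories 0 and 2 */
    { "Top",    3, 0x7 },   /* level 3, categories 0, 1 and 2 */
};
#define NLABELS (sizeof label_table / sizeof label_table[0])

static const struct label_map *lookup(const char *label)
{
    for (size_t i = 0; i < NLABELS; i++)
        if (strcmp(label_table[i].label, label) == 0)
            return &label_table[i];
    return NULL;
}

/* Build the option for an outgoing packet. Returns the option length, 0 when
 * the packet goes out unlabeled because its label is the ambient label (the
 * rule the patch adds), or -1 for an unknown label or a buffer too small. */
int outgoing_option(const char *label, const char *ambient, uint8_t *out, size_t cap)
{
    const struct label_map *m = lookup(label);
    if (m == NULL)
        return -1;
    if (strcmp(label, ambient) == 0)
        return 0;                              /* ambient label: no IP option at all */

    size_t nbm = 0;                            /* bitmap octets needed for the categories */
    for (int i = 0; i < 32; i++)
        if (m->cats & (1u << i))
            nbm = (size_t)i / 8 + 1;
    size_t taglen = 4 + nbm, optlen = 6 + taglen;
    if (optlen > cap || optlen > 40)           /* IPv4 allows at most 40 option bytes */
        return -1;

    out[0] = IPOPT_CIPSO;
    out[1] = (uint8_t)optlen;
    out[2] = (uint8_t)(EXAMPLE_DOI >> 24);     /* DOI, network byte order */
    out[3] = (uint8_t)(EXAMPLE_DOI >> 16);
    out[4] = (uint8_t)(EXAMPLE_DOI >> 8);
    out[5] = (uint8_t)EXAMPLE_DOI;
    out[6] = CIPSO_TAG_RBM;
    out[7] = (uint8_t)taglen;
    out[8] = 0;                                /* alignment octet */
    out[9] = m->level;                         /* sensitivity level */
    memset(out + 10, 0, nbm);
    for (int i = 0; i < 32; i++)               /* category 0 is the MSB of the first octet */
        if (m->cats & (1u << i))
            out[10 + i / 8] |= (uint8_t)(0x80 >> (i % 8));
    return (int)optlen;
}

/* Label an incoming packet: no option means the ambient label; a malformed
 * option or one with no table entry yields NULL (the kernel would drop it). */
const char *incoming_label(const uint8_t *opt, size_t len, const char *ambient)
{
    if (opt == NULL || len == 0)
        return ambient;
    if (len < 10 || opt[0] != IPOPT_CIPSO || (size_t)opt[1] != len)
        return NULL;
    uint32_t doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 | (uint32_t)opt[4] << 8 | opt[5];
    size_t taglen = opt[7];
    if (doi != EXAMPLE_DOI || opt[6] != CIPSO_TAG_RBM || taglen < 4 || 6 + taglen != len)
        return NULL;                           /* this example handles exactly one tag */
    uint32_t cats = 0;
    for (size_t i = 0; i < (taglen - 4) * 8 && i < 32; i++)
        if (opt[10 + i / 8] & (0x80 >> (i % 8)))
            cats |= 1u << i;
    for (size_t i = 0; i < NLABELS; i++)
        if (label_table[i].level == opt[9] && label_table[i].cats == cats)
            return label_table[i].label;
    return NULL;
}

int main(void)
{
    uint8_t opt[40];
    int n = outgoing_option("Secret", "_", opt, sizeof opt);
    printf("Secret -> %d option bytes, decoded back as %s\n", n, incoming_label(opt, (size_t)n, "_"));
    printf("_ (ambient) -> %d option bytes; an unlabeled packet decodes as %s\n",
           outgoing_option("_", "_", opt, sizeof opt), incoming_label(NULL, 0, "_"));
    return 0;
}
```

The decoder refuses an option whose DOI or tag type it does not know rather than guessing a label, which is the same posture the kernel takes; the example limits itself to 32 categories and a single tag, where the real option format allows more of both.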

Re: [bisected] Re: [bug] networking broke, ssh: connect to port 22: Protocol error

2008-02-06 Thread Casey Schaufler
works on my testbox again :-/ And we have this 1 day old commit: commit e114e473771c848c3cfec05f0123e70f1cdbdc99 Author: Casey Schaufler [EMAIL PROTECTED] Date: Mon Feb 4 22:29:50 2008 -0800 Smack: Simplified Mandatory Access Control Kernel that adds SMACK. So unlike

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2008-01-22 Thread Casey Schaufler
you get into that situation, and is it appropriate to have that situation in your security scheme? Can this occur without using privilege? Casey Schaufler [EMAIL PROTECTED]

Re: [PATCH 1/1] Allow LSM to use IP address/port number.

2007-07-21 Thread Casey Schaufler
. Be careful about the relationship between the events and the placement of your checks. * Stephen had good comments on the details on list earlier. Casey Schaufler [EMAIL PROTECTED]

Re: [PATCH 0/3] NetLabel: add the remaining CIPSO tag types from the IETF draft

2006-11-29 Thread Casey Schaufler
ugly. Fabulous. Thank you. Casey Schaufler [EMAIL PROTECTED]