Re: [RFC PATCH 4/5] netlabel: Add SCTP support

2017-11-06 Thread Paul Moore
>valid) > goto unlabel_getattr_nolabel; > + > +#if IS_ENABLED(CONFIG_IPV6) > + /* When resolving a fallback label, check the sk_buff version as > +* it is possible (e.g. SCTP) to have family = PF_INET6 while > +* receiving ip_hdr(skb)->version = 4. > +*/ > + if (family == PF_INET6 && ip_hdr(skb)->version == 4) > + family = PF_INET; > +#endif /* IPv6 */ > + It seems like this should be pulled out into its own patch as a fix that extends beyond SCTP, what do you think? -- paul moore www.paul-moore.com
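Review bot: the `ip_hdr(skb)->version == 4` test on a PF_INET6 socket is only safe because the 4-bit version field sits at the same offset in the IPv4 and IPv6 headers, and the hunk's comment does not say so; a reader who sees ip_hdr() applied to an skb that may carry an IPv6 header will otherwise flag it as a header type confusion. Add a sentence to the comment stating that the version nibble is shared between the two header layouts and that the network header must already be set when this fallback path runs.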

Re: [RFC PATCH 1/5] security: Add support for SCTP security hooks

2017-11-06 Thread Paul Moore
int, yes? > + | | > + | net/sctp/socket.c sctp_copy_sock() > + | If SCTP_SOCKET_TCP or peeled off > + | socket security_sctp_sk_clone() is > + | called to clone the new socket. In this case we are establishing a new association for a given endpoint, yes? > + | | > + ESTABLISHEDESTABLISHED > + | | > +-- > +| Association Established| > +-- > + > + -- paul moore www.paul-moore.com

Re: [PATCH ipsec] xfrm: do unconditional template resolution before pcpu cache check

2017-11-02 Thread Paul Moore
bit more work (lookup in state hash > table) if we can reuse the xdst entry (we only avoid xdst alloc/free) > but we don't add a lot of extra work in case we can't reuse. > > xfrm_pol_dead() check is removed, reasoning is that > xfrm_tmpl_resolve does all needed checks. > > Cc:

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-02 Thread Paul Moore
On Thu, Nov 2, 2017 at 8:58 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote: >> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de> >> wrote: >> > Paul Moore <p...@paul-moore.com> wrot

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-11-01 Thread Paul Moore
On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal <f...@strlen.de> wrote: > Paul Moore <p...@paul-moore.com> wrote: >> On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley <s...@tycho.nsa.gov> wrote: >> > matching before (as in this patch) or after calling xfrm

Re: [RFC PATCH] xfrm: fix regression introduced by xdst pcpu cache

2017-10-31 Thread Paul Moore
0 && > + (!xdst->u.dst.xfrm->sel.family || > +xfrm_selector_match(>u.dst.xfrm->sel, fl, > +xdst->u.dst.xfrm->sel.family)) && > + security_xfrm_state_pol_flow_match(xdst->u.dst.xfrm, >

Re: [PATCH net-next v7 5/5] selinux: bpf: Add addtional check for bpf object file receive

2017-10-23 Thread Paul Moore
kernel/bpf/syscall.c | 4 ++-- > security/selinux/hooks.c | 49 > > 3 files changed, 54 insertions(+), 2 deletions(-) Same thing as 4/5. Acked-by: Paul Moore <p...@paul-moore.com> > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 84c192da3e0b..1e33

Re: [PATCH net-next v7 4/5] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-23 Thread Paul Moore
| 4 ++ > 3 files changed, 117 insertions(+) Not sure if DaveM has merged this into net-next yet, but it looks reasonable to me. Acked-by: Paul Moore <p...@paul-moore.com> > diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c > index f5d304736852..12cf7de8cbed 10

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Paul Moore
On Thu, Oct 19, 2017 at 12:25 PM, Eric W. Biederman <ebied...@xmission.com> wrote: > Paul Moore <p...@paul-moore.com> writes: > >> On Wed, Oct 18, 2017 at 8:43 PM, Eric W. Biederman >> <ebied...@xmission.com> wrote: >>> Aleksa Sarai <asa...@s

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Paul Moore
ity arguments, welcome back old friend :) Once again, we're still trying to sort all this out so I reserve the right to change my mind, but my current thinking is as follows ... CAP_AUDIT_WRITE exists to control which applications can submit userspace generated audit records to the kernel, CAP_AUDIT_CON

Re: RFC(v2): Audit Kernel Container IDs

2017-10-19 Thread Paul Moore
dit > namespace''. In an attempt to stay on-topic, let's try to stick with "audit container ID" or "container ID" if you must. I really want to avoid the term "audit namespace" simply because the term "namespace" implies some things which we aren't planning on doing. -- paul moore www.paul-moore.com

Re: RFC(v2): Audit Kernel Container IDs

2017-10-18 Thread Paul Moore
has an unset audit container ID) but provides a blank slate for the orchestrator(s). > For nested containers, I actually think the label should be > hierarchical, so you can add a label for the new nested container but > it still also contains its parents label as well. I haven't made up my mind on this completely just yet, but I'm currently of the mindset that supporting multiple audit container IDs on a given process is not a good idea. -- paul moore www.paul-moore.com

Re: RFC(v2): Audit Kernel Container IDs

2017-10-18 Thread Paul Moore
ntionally trying to limit its scope in an attempt to limit problems. If a more general solution appears in the future I think we would make every effort to migrate to that; keeping this initial effort small should make that easier. -- paul moore www.paul-moore.com

Re: [PATCH] MAINTAINERS: update the NetLabel and Labeled Networking information

2017-08-10 Thread Paul Moore
On Thu, Aug 10, 2017 at 3:13 PM, Paul Moore <pmo...@redhat.com> wrote: > From: Paul Moore <p...@paul-moore.com> > > Signed-off-by: Paul Moore <p...@paul-moore.com> > --- > MAINTAINERS | 24 ++-- > 1 file changed, 14 insertions(+), 10 d

[PATCH] MAINTAINERS: update the NetLabel and Labeled Networking information

2017-08-10 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> Signed-off-by: Paul Moore <p...@paul-moore.com> --- MAINTAINERS | 24 ++-- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/MAINTAINERS b/MAINTAINERS index 65990909fe73..be25ebaaeec3 100644 --- a/MAINT

Re: [PATCH] Cipso: cipso_v4_optptr enter infinite loop

2017-07-31 Thread Paul Moore
20 and the first byte of ip > option is 0, produce this issue > > Signed-off-by: yujuan.qi <yujuan...@mediatek.com> > --- > net/ipv4/cipso_ipv4.c | 12 ++-- > 1 file changed, 10 insertions(+), 2 deletions(-) Considering I gave you the code below I should probably ack it

Re: [PATCH] Cipso: cipso_v4_optptr enter infinite loop

2017-07-28 Thread Paul Moore
case IPOPT_NOOP: taglen = 1; break; default: taglen = optptr[1]; } optlen -= taglen; optptr += taglen; } -- paul moore security @ redhat

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-25 Thread Paul Moore
On Tue, Jul 25, 2017 at 5:59 AM, Paolo Abeni <pab...@redhat.com> wrote: > On Mon, 2017-07-24 at 22:00 -0400, Paul Moore wrote: >> > I'm happy to test this, but if you are curious, you can find the >> > selinux-testsuite at the link below; the "inet_socket"

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 3:00 PM, Paul Moore <p...@paul-moore.com> wrote: > On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni <pab...@redhat.com> wrote: >> Hi, >> >> On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote: >>> The change in behavi

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 12:09 PM, Paolo Abeni <pab...@redhat.com> wrote: > Hi, > > On Mon, 2017-07-24 at 10:42 -0400, Paul Moore wrote: >> The change in behavior for userspace makes me a little nervous as >> there is no way of knowing how any random application

Re: SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-24 Thread Paul Moore
On Mon, Jul 24, 2017 at 8:25 AM, Paolo Abeni <pab...@redhat.com> wrote: > Hi, > > On Fri, 2017-07-21 at 18:19 -0400, Paul Moore wrote: >> I've been seeing a SELinux regression with IP_PASSSEC on the v4.13-rcX >> kernels and finally tracked the problem down to the >>

SELinux/IP_PASSSEC regression in 4.13-rcX

2017-07-21 Thread Paul Moore
the problem; my initial thought would be to simply make the skb_release_head_state() conditional on the skb->sp pointer, much like the IP options fix, but I'm not sure if you have a more clever idea. -- paul moore www.paul-moore.com

Re: [PATCH] net/ipv6: Fix CALIPSO causing GPF with datagram support

2017-06-05 Thread Paul Moore
d-off-by: Richard Haines <richard_c_hai...@btinternet.com> > --- > net/ipv6/calipso.c | 6 +- > 1 file changed, 5 insertions(+), 1 deletion(-) Acked-by: Paul Moore <p...@paul-moore.com> Thanks Richard. DaveM, I assume you'll be pulling this into your tree? > diff

Re: [PATCH 06/12] audit: Use timespec64 to represent audit timestamps

2017-04-11 Thread Paul Moore
uce the potential merge conflict. However, >> that's a relatively small thing to worry about. -- paul moore www.paul-moore.com

Re: [PATCH 06/12] audit: Use timespec64 to represent audit timestamps

2017-04-08 Thread Paul Moore
afe struct timespec64 to represent the times. > The log strings can handle this transition as strings can > hold upto 1024 characters. > > Signed-off-by: Deepa Dinamani <deepa.ker...@gmail.com> > Reviewed-by: Arnd Bergmann <a...@arndb.de> > Acked-by: Paul Moore <

Re: [PATCH v2] selinux: check for address length in selinux_socket_bind()

2017-03-10 Thread Paul Moore
On Fri, Mar 10, 2017 at 7:01 AM, Paul Moore <p...@paul-moore.com> wrote: > On Thu, Mar 9, 2017 at 2:12 AM, David Miller <da...@davemloft.net> wrote: >> From: Alexander Potapenko <gli...@google.com> >> Date: Mon, 6 Mar 2017 19:46:14 +0100 >> >>> KMS

Re: [PATCH v2] selinux: check for address length in selinux_socket_bind()

2017-03-10 Thread Paul Moore
), which uses them to calculate a hash. >> >> Signed-off-by: Alexander Potapenko <gli...@google.com> > > Are the SELINUX folks going to pick this up or should I? Yes, it's on my list of things to merge, I was just a bit distracted this week with yet another audit problem. I'm going to start making my way through the patch backlog today. -- paul moore www.paul-moore.com

Re: netlink: GPF in netlink_unicast

2017-03-08 Thread Paul Moore
On Wed, Mar 8, 2017 at 8:25 AM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-03-07 14:23, Paul Moore wrote: >> On Tue, Mar 7, 2017 at 1:44 PM, Paul Moore <p...@paul-moore.com> wrote: >> > On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.c

Re: netlink: GPF in netlink_unicast

2017-03-07 Thread Paul Moore
On Tue, Mar 7, 2017 at 1:44 PM, Paul Moore <p...@paul-moore.com> wrote: > On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.com> wrote: >> On 2017-03-07 09:29, Paul Moore wrote: >>> On Mon, Mar 6, 2017 at 11:03 PM, Richard Guy Briggs <r...@redhat.c

Re: netlink: GPF in netlink_unicast

2017-03-07 Thread Paul Moore
On Tue, Mar 7, 2017 at 10:55 AM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-03-07 09:29, Paul Moore wrote: >> On Mon, Mar 6, 2017 at 11:03 PM, Richard Guy Briggs <r...@redhat.com> wrote: >> > On 2017-03-06 10:10, Cong Wang wrote: >> >> On Mon, M

Re: netlink: GPF in netlink_unicast

2017-03-07 Thread Paul Moore
after the > "quick_loop:" label. The condition on auditd is supposed to catch that > case. We don't want it locked while playing with the scheduler at the > bottom of that function. Let me look into this and play around with a few things. I suspected there might be a problem here, so I've got thoughts on how we might resolve it; I just need to code them up and see what option sucks the least. FWIW Richard, yes wrapping most of kauditd_thread *should* resolve this but it's pretty heavy handed and not my first choice. -- paul moore www.paul-moore.com

Re: linux-next: build failure after merge of the selinux tree

2017-02-10 Thread Paul Moore
security/selinux/include/classmap.h >> +++ b/security/selinux/include/classmap.h >> @@ -235,9 +235,11 @@ struct security_class_mapping secclass_map[] = { >> { COMMON_SOCK_PERMS, NULL } }, >> { "qipcrtr_socket", >> { COMMON_SOCK_PERMS, NULL } }, >> + { "smc_socket", >> + { COMMON_SOCK_PERMS, NULL } }, >> { NULL } >>}; >> >> -#if PF_MAX > 43 >> +#if PF_MAX > 44 >> #error New address family defined, please update secclass_map. >> #endif >> -- >> 2.10.2 > > This now applies when I merge the security tree (as it merged the > selinux tree, presumably). Yes, James just pulled the SELinux tree yesterday. -- paul moore www.paul-moore.com

Re: [PATCH net] netlabel: out of bound access in cipso_v4_validate()

2017-02-03 Thread Paul Moore
pso: handle CIPSO options correctly when NetLabel is > disabled") > Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine") > Signed-off-by: Eric Dumazet <eduma...@google.com> > Reported-by: Dmitry Vyukov <dvyu...@google.com> > Cc: Paul Moore <p...@paul-m

Re: [PATCH v3] audit: log 32-bit socketcalls

2017-01-18 Thread Paul Moore
sizeof(a)) > + return -EINVAL; > + > + if (copy_from_user(a, args, len)) > return -EFAULT; > + > + ret = audit_socketcall_compat(len / sizeof(a[0]), a); > + if (ret) > + return ret; > + > a0 = a[0]; > a1 = a[1]; > > -- > 1.7.1 > > -- > Linux-audit mailing list > linux-au...@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore www.paul-moore.com

Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-17 Thread Paul Moore
On Mon, Jan 16, 2017 at 10:53 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2017-01-16 15:04, Paul Moore wrote: >> On Fri, Jan 13, 2017 at 9:42 AM, Eric Paris <epa...@redhat.com> wrote: >> > On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote: >

Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-16 Thread Paul Moore
call, u32 __user *, args) >> { >> + unsigned int len; >> int ret; >> - u32 a[6]; >> + u32 a[AUDITSC_ARGS]; >> u32 a0, a1; > > Longest to shortest line for local variable declarations please. > > -- > Linux-audit mailing list > linux-au...@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore www.paul-moore.com

Re: [PATCH V2] audit: log 32-bit socketcalls

2017-01-16 Thread Paul Moore
true > in Fedora I highly doubt that's true on the vast majority of systems > that have audit compiled in. Richard and I have talked about the likely/unlikely optimization before and I know Richard likes to use them, but I don't for the reasons Eric has already mentioned. Richard, sin

Re: linux-next: build failure after merge of the selinux tree

2017-01-10 Thread Paul Moore
{ COMMON_SOCK_PERMS, NULL } }, > + { "smc_socket", > + { COMMON_SOCK_PERMS, NULL } }, > { NULL } >}; > > -#if PF_MAX > 43 > +#if PF_MAX > 44 > #error New address family defined, please update secclass_map. > #endif > -- > 2.10.2 > > -- > Cheers, > Stephen Rothwell -- paul moore www.paul-moore.com

[PATCH] netlabel: add CALIPSO to the list of built-in protocols

2017-01-06 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> When we added CALIPSO support in Linux v4.8 we forgot to add it to the list of supported protocols with display at boot. Signed-off-by: Paul Moore <p...@paul-moore.com> --- net/netlabel/netlabel_kapi.c |5 + 1 file changed, 1 ins

Re: [RFC PATCH v3] audit: use proper refcount locking on audit_sock

2016-12-13 Thread Paul Moore
On Tue, Dec 13, 2016 at 10:03 AM, Richard Guy Briggs wrote: > Resetting audit_sock appears to be racy. > > audit_sock was being copied and dereferenced without using a refcount on > the source sock. > > Bump the refcount on the underlying sock when we store a reference in >

Re: [PATCH v2] audit: use proper refcount locking on audit_sock

2016-12-12 Thread Paul Moore
{ > + (audit_replace(requesting_pid) & > (-ECONNREFUSED|-EPERM|-ENOMEM))) { Do we simply want to treat any error here as fatal, and not just ECONN/EPERM/ENOMEM? If not, let's come up with a single macro to handle the fatal netlink_unicast() return codes so we have some chance to keep things consistent in the future. -- paul moore www.paul-moore.com
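Review bot: the `audit_replace(requesting_pid) & (-ECONNREFUSED|-EPERM|-ENOMEM)` test is a bitwise AND against a mask built from negative errno values, not a set-membership check. Because -EPERM is -1 (all bits set), the OR of the three values is all ones, so any non-zero return from audit_replace(), including a positive success value, satisfies the condition. Compare the return value against each errno explicitly (or via a switch), or, as the reply suggests, put the fatal netlink_unicast() codes behind one shared macro so the test reads as intended.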

Re: [PATCH v2] audit: use proper refcount locking on audit_sock

2016-12-12 Thread Paul Moore
ask & AUDIT_STATUS_RATE_LIMIT) { > @@ -1283,8 +1302,11 @@ static void __net_exit audit_net_exit(struct net *net) > { > struct audit_net *aunet = net_generic(net, audit_net_id); > struct sock *sock = aunet->nlsk; > - if (sock == audit_sock) > + if (sock == audit_sock) { > + mutex_lock(_cmd_mutex); > auditd_reset(); > + mutex_unlock(_cmd_mutex); > + } > > RCU_INIT_POINTER(aunet->nlsk, NULL); > synchronize_net(); > -- > 1.7.1 > > -- > Linux-audit mailing list > linux-au...@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore www.paul-moore.com

Re: [PATCH] netns: avoid disabling irq for netns id

2016-11-30 Thread Paul Moore
On Wed, Nov 30, 2016 at 2:58 PM, David Miller <da...@davemloft.net> wrote: > From: Paul Moore <pmo...@redhat.com> > Date: Tue, 29 Nov 2016 17:11:29 -0500 > >> From: Paul Moore <p...@paul-moore.com> >> >> Bring back commit bc51dddf98c9 ("netns: av

Re: [PATCH] netns: avoid disabling irq for netns id

2016-11-29 Thread Paul Moore
On Tue, Nov 29, 2016 at 5:11 PM, Paul Moore <pmo...@redhat.com> wrote: > From: Paul Moore <p...@paul-moore.com> > > Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns > id") now that we've fixed some audit multicast issues that cause

[PATCH] netns: avoid disabling irq for netns id

2016-11-29 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> Bring back commit bc51dddf98c9 ("netns: avoid disabling irq for netns id") now that we've fixed some audit multicast issues that caused problems with original attempt. Additional information, and history, can be found in the links

Re: [PATCH] netns: revert "netns: avoid disabling irq for netns id"

2016-10-22 Thread Paul Moore
On Fri, Oct 21, 2016 at 11:38 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Fri, Oct 21, 2016 at 6:49 PM, Paul Moore <pmo...@redhat.com> wrote: >> Eventually we should be able to reintroduce this code once we have >> rewritten the audit multicast code to queue me

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-22 Thread Paul Moore
On Fri, Oct 21, 2016 at 11:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Fri, Oct 21, 2016 at 1:03 PM, Paul Moore <p...@paul-moore.com> wrote: >> On Fri, Oct 21, 2016 at 2:02 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: >>> On Fri, Oct 21, 20

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-21 Thread Paul Moore
On Fri, Oct 21, 2016 at 4:53 PM, Paul Moore <p...@paul-moore.com> wrote: > On Fri, Oct 21, 2016 at 4:33 PM, David Miller <da...@davemloft.net> wrote: >> From: Paul Moore <p...@paul-moore.com> >> Date: Fri, 21 Oct 2016 16:15:00 -0400 >> >>> Howe

[PATCH] netns: revert "netns: avoid disabling irq for netns id"

2016-10-21 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> This reverts commit bc51dddf98c9 ("netns: avoid disabling irq for netns id") as it was found to cause problems with systems running SELinux/audit, see the mailing list thread below: * http://marc.info/?t=14769465392=1=2 Eventually w

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-21 Thread Paul Moore
On Fri, Oct 21, 2016 at 4:33 PM, David Miller <da...@davemloft.net> wrote: > From: Paul Moore <p...@paul-moore.com> > Date: Fri, 21 Oct 2016 16:15:00 -0400 > >> However, that's not the case is it? Unless I missed something, the >> fix that Cong Wang is advocating

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-21 Thread Paul Moore
On Fri, Oct 21, 2016 at 3:39 PM, Richard Guy Briggs <r...@redhat.com> wrote: > On 2016-10-21 11:02, Cong Wang wrote: >> On Fri, Oct 21, 2016 at 9:19 AM, Paul Moore <p...@paul-moore.com> wrote: >> > On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyo

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-21 Thread Paul Moore
On Fri, Oct 21, 2016 at 2:02 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Fri, Oct 21, 2016 at 9:19 AM, Paul Moore <p...@paul-moore.com> wrote: >> On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: >>> This is what I

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-21 Thread Paul Moore
On Thu, Oct 20, 2016 at 7:35 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Thu, Oct 20, 2016 at 12:07 PM, Paul Moore <p...@paul-moore.com> wrote: >> On Thu, Oct 20, 2016 at 2:29 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: >>> On Thu, Oct 20,

Re: [Patch net] net: saving irq context for peernet2id()

2016-10-20 Thread Paul Moore
lly we would just be moving the multicast code from audit_log_end() into kauditd_thread(). This is the same approach I mentioned earlier off-list. However, that isn't something I want to mess with as a regression fix, mostly because I really want to see this regression gone by -rc2 as it is making S

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-20 Thread Paul Moore
the Smack attributes in the sk_security blob are not > explicitly set the problem does not occur. I have the same > result if I change the Smack attributes within the socket > security blob as I do if I replace the security blob. -- paul moore www.paul-moore.com

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Paul Moore
On Wed, Jul 6, 2016 at 10:15 AM, Casey Schaufler <ca...@schaufler-ca.com> wrote: > On 7/6/2016 5:50 AM, Paul Moore wrote: >> On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com> >> wrote: >>> I have encountered a system hang with my Sma

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Paul Moore
On Wed, Jul 6, 2016 at 8:50 AM, Paul Moore <p...@paul-moore.com> wrote: > On Tue, Jul 5, 2016 at 8:38 PM, Casey Schaufler <ca...@schaufler-ca.com> > wrote: >> I have encountered a system hang with my Smack >> networking tests that bisects to the change below. >>

Re: Network hang after c3f1010b30f7fc611139cfb702a8685741aa6827 with CIPSO & Smack

2016-07-06 Thread Paul Moore
de after clearing the skb control buffer similar to IPv6. > From there the pktinfo can just pull it from cb with the PKTINFO_SKB_CB > cast. > > > Signed-off-by: David S. Miller <da...@davemloft.net> -- paul moore www.paul-moore.com

Re: [PATCH v4 00/19] CALIPSO Implementation

2016-06-27 Thread Paul Moore
p-by-hop option. CALIPSO is very similar to >>> > its IPv4 cousin CIPSO and much of this series is based on that code. >>> >>> What tree do you expect to integrate this? >> >> My understanding is that Paul Moore is happy to take them >> in via the SELin

Re: [PATCH v4 00/19] CALIPSO Implementation

2016-06-21 Thread Paul Moore
>> >> What tree do you expect to integrate this? > > My understanding is that Paul Moore is happy to take them > in via the SELinux tree. However, these patches do touch > some core networking code, such as the IPv6 option handling > code (in a similar manner to the way

Re: [PATCH] netlabel: handle sparse category maps in netlbl_catmap_getlong()

2016-06-13 Thread Paul Moore
On Mon, Jun 13, 2016 at 10:16 AM, Paul Moore <pmo...@redhat.com> wrote: > From: Paul Moore <p...@paul-moore.com> > > In cases where the category bitmap is sparse enough that gaps exist > between netlbl_lsm_catmap structs, callers to netlbl_catmap_getlong() > could

[PATCH] netlabel: handle sparse category maps in netlbl_catmap_getlong()

2016-06-13 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> In cases where the category bitmap is sparse enough that gaps exist between netlbl_lsm_catmap structs, callers to netlbl_catmap_getlong() could find themselves prematurely ending their search through the category bitmap. Further, the method

Re: [PATCH] iucv: properly clone LSM attributes to newly created child sockets

2016-06-13 Thread Paul Moore
On Mon, Jun 13, 2016 at 6:08 AM, Ursula Braun <ubr...@linux.vnet.ibm.com> wrote: >> From: Paul Moore <p...@paul-moore.com> >> >> Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we >> properly clone the parent socket's LSM attributes to newly create

Re: [PATCH] iucv: properly clone LSM attributes to newly created child sockets

2016-06-09 Thread Paul Moore
On Thu, Jun 9, 2016 at 8:59 AM, Paul Moore <pmo...@redhat.com> wrote: > From: Paul Moore <p...@paul-moore.com> > > Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we > properly clone the parent socket's LSM attributes to newly created > child sockets. >

[PATCH] iucv: properly clone LSM attributes to newly created child sockets

2016-06-09 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> Much like we had to do for AF_BLUETOOTH and AF_ALG, make sure we properly clone the parent socket's LSM attributes to newly created child sockets. Signed-off-by: Paul Moore <p...@paul-moore.com> --- net/iucv/af_iucv.c |5 - 1 fil

Re: [PATCH] netlabel: add address family checks to netlbl_{sock, req}_delattr()

2016-06-06 Thread Paul Moore
On Mon, Jun 6, 2016 at 3:35 PM, Paul Moore <pmo...@redhat.com> wrote: > From: Paul Moore <p...@paul-moore.com> > > It seems risky to always rely on the caller to ensure the socket's > address family is correct before passing it to the NetLabel kAPI, > especially since we

[PATCH] netlabel: add address family checks to netlbl_{sock, req}_delattr()

2016-06-06 Thread Paul Moore
From: Paul Moore <p...@paul-moore.com> It seems risky to always rely on the caller to ensure the socket's address family is correct before passing it to the NetLabel kAPI, especially since we see at least one LSM which didn't. Add address family checks to the *_delattr() functions to help p

Re: [EDT][Patch 1/1] socket family check in netlabel APIs

2016-06-06 Thread Paul Moore
w you how to do it correctly next time. > >>Second, this appears to only affect Smack based systems, yes? SELinux based >>systems should have the proper checking in place to prevent this (the checks >>are handled in the LSM). That said, it probably wouldn't hurt to add the >

Re: Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-02 Thread Paul Moore
On Wed, Jun 1, 2016 at 4:44 PM, Stephen Smalley <s...@tycho.nsa.gov> wrote: > On 06/01/2016 03:18 PM, Eric Dumazet wrote: >> On Wed, 2016-06-01 at 15:01 -0400, Paul Moore wrote: >>> Hello, >>> >>> I'm currently trying to debug a problem with 4.7-rc1 and la

Possible problem with e6afc8ac ("udp: remove headers from UDP packets before queueing")

2016-06-01 Thread Paul Moore
soon and I can do a proper bisection test around this patch, but I wanted to mention this now in case others are seeing the same problem. -- paul moore www.paul-moore.com

Re: [RFC PATCH v3 17/19] calipso: Add validation of CALIPSO option.

2016-05-09 Thread Paul Moore
On Mon, May 9, 2016 at 6:39 AM, Huw Davies <h...@codeweavers.com> wrote: > On Fri, May 06, 2016 at 06:59:32PM -0400, Paul Moore wrote: >> On Wed, Feb 17, 2016 at 8:22 AM, Huw Davies <h...@codeweavers.com> wrote: >> > We check lengths, checksum and the DOI. We le

Re: [RFC PATCH v3 00/19] CALIPSO Implementation

2016-05-06 Thread Paul Moore
it . The protocol has changed > very slightly from the v2 patches, so please update to the latest. > > This patch series is based off v4.5-rc4. > > Thanks to Paul Moore, Hannes Frederic Sowa, Casey Schaufler and Julia > Lawall for their comments so far. > > Changes between v

Re: [RFC PATCH v3 17/19] calipso: Add validation of CALIPSO option.

2016-05-06 Thread Paul Moore
] = { > .type = IPV6_TLV_JUMBO, > .func = ipv6_hop_jumbo, > }, > + { > + .type = IPV6_TLV_CALIPSO, > + .func = ipv6_hop_calipso, > + }, > { -1, } > }; > > -- > 2.7.0 > > -- > To unsubscribe from this list: send the line "unsubscribe > linux-security-module" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- paul moore www.paul-moore.com

Re: [PATCH net-next v5] rtnetlink: add new RTM_GETSTATS message to dump link stats

2016-04-19 Thread Paul Moore
nel, not by the userland. >From what I could tell from the patch description, it looks like RTM_NEWSTATS only dumps stats to userspace and doesn't alter the state of the kernel, is that correct? If so, then yes, NLMSG__READ is the right SELinux permission. However, if RTM_NEWSTATS does al

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-14 Thread Paul Moore
g it in the future shouldn't be a problem. -- paul moore www.paul-moore.com

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-07 Thread Paul Moore
On Thursday, April 07, 2016 01:45:32 AM Florian Westphal wrote: > Paul Moore <p...@paul-moore.com> wrote: > > On Wed, Apr 6, 2016 at 6:14 PM, Florian Westphal <f...@strlen.de> wrote: > > > netfilter hooks are per namespace -- so there is hook unregister

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
enabling the SELinux netfilter hooks across namespaces. Perhaps we can revisit this at a later time, but let's keep it simple right now. -- paul moore www.paul-moore.com

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
s.c | 1 + >> security/selinux/xfrm.c | 4 +++ >> 9 files changed, 96 insertions(+), 13 deletions(-) >> > > Is there a patch 1/2? Yes, there was (it was the "security: add hook ..." patch), but for some reason it hasn't hit the archive that I normally use. Odd. I'll fwd the patch to you off-list so as not to spam everyone again. -- paul moore www.paul-moore.com

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
On Wed, Apr 6, 2016 at 3:39 PM, David Miller <da...@davemloft.net> wrote: > From: Paul Moore <p...@paul-moore.com> > Date: Wed, 6 Apr 2016 14:36:43 -0400 > >> On Wed, Apr 6, 2016 at 2:23 PM, David Miller <da...@davemloft.net> wrote: >>> From: Paul Moore

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
On Wed, Apr 6, 2016 at 2:23 PM, David Miller <da...@davemloft.net> wrote: > From: Paul Moore <p...@paul-moore.com> > Date: Wed, 6 Apr 2016 10:07:27 -0400 > >> "While marking the LSM hook structure doesn't directly affect the >> SELinux netfilter hooks, on

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
On Wed, Apr 6, 2016 at 10:03 AM, Paolo Abeni <pab...@redhat.com> wrote: > On Wed, 2016-04-06 at 08:33 -0400, Paul Moore wrote: >> On Wed, Apr 6, 2016 at 5:51 AM, Paolo Abeni <pab...@redhat.com> wrote: >> > Currently, selinux always registers iptables POSTROUTING hooks

Re: [RFC PATCH 0/2] selinux: avoid nf hooks overhead when not needed

2016-04-06 Thread Paul Moore
directly affect the SELinux netfilter hooks, once we remove the ability to deregister the LSM hooks we will have no need to support deregistering netfilter hooks and I expect we will drop that functionality as well to help decrease the risk of tampering. -- paul moore www.paul-moore.com

Re: [PATCH] netlabel: fix a problem with netlbl_secattr_catmap_setrng()

2016-03-28 Thread Paul Moore
On Mon, Mar 28, 2016 at 11:10 AM, Paul Moore <pmo...@redhat.com> wrote: > From: Janak Desai <janak.de...@gtri.gatech.edu> > > We try to be clever and set large chunks of the bitmap at once, when > possible; unfortunately we weren't very clever when we wrote

[PATCH] netlabel: fix a problem with netlbl_secattr_catmap_setrng()

2016-03-28 Thread Paul Moore
Desai <janak.de...@gtri.gatech.edu> Signed-off-by: Paul Moore <p...@paul-moore.com> --- net/netlabel/netlabel_kapi.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 28cddc8..1325776 100644

Re: [RFC PATCH v2 02/18] netlabel: Add an address family to domain hash entries.

2016-02-07 Thread Paul Moore
> + default: > + /* Already checked in > + * netlbl_domhsh_validate() > + */ Another style point - unless we're talking about function header comment blocks, don't place a multi-line comment terminator on a separate line. For example, instead of the above, do something like this: /* already checked in * netlbl_domhsh_validate() */ > + return -EINVAL; > + } > } -- paul moore security @ redhat

Re: [RFC PATCH v2 03/18] netlabel: Initial support for the CALIPSO netlink protocol.

2016-02-07 Thread Paul Moore
de/net/calipso.h b/include/net/calipso.h > new file mode 100644 > index 000..ad4d653 > --- /dev/null > +++ b/include/net/calipso.h > @@ -0,0 +1,79 @@ > +/* > + * CALIPSO - Common Architecture Label IPv6 Security Option > + * > + * This is an implementation of the C

Re: [RFC PATCH v2 00/18] CALIPSO Implementation

2016-02-07 Thread Paul Moore
other patches are most welcome. > > If anybody actually wants to play with this, then you'll need some patches > to netlabel-tools that are currently available on the 'calipso' branch at: > https://github.com/hdmdavies/netlabel_tools.git > > Thanks to Paul Moore, Hannes Frederic Sowa

Re: [RFC PATCH v2 10/18] calipso: Set the calipso socket label to match the secattr.

2016-02-07 Thread Paul Moore
set to NULL. > + * Otherwise it returns zero, creates a new header without the CALIPSO > + * option (and removing as much padding as possible) and returns with > + * @new set to that header. > + * > + */ > +static int calipso_opt_del(struct ipv6_opt_hdr *old, > +

Re: [RFC PATCH v2 12/18] ipv6: Allow request socks to contain IPv6 options.

2016-02-07 Thread Paul Moore
12 +--- > net/ipv4/tcp_input.c| 3 +++ > net/ipv6/tcp_ipv6.c | 12 +--- > 4 files changed, 27 insertions(+), 7 deletions(-) -- paul moore security @ redhat

Re: [RFC PATCH v2 06/18] netlabel: Add support for creating a CALIPSO protocol domain mapping.

2016-02-07 Thread Paul Moore
ret_val = netlbl_af6list_add(>list, >list6); > if (ret_val != 0) { > kfree(map); -- paul moore security @ redhat

Re: [RFC PATCH v2 08/18] ipv6: Add ipv6_renew_options_kern() that accepts a kernel mem pointer.

2016-02-07 Thread Paul Moore
> +} I should preface this by saying that I don't have a strong opinion on this either way, and given where the code lives it is really up to DaveM, but I wonder if it might be better to create ipv6_renew_options_kern() as the common helper function that is called by ipv6_renew_options(). -- paul moore security @ redhat

Re: [RFC PATCH v2 14/18] calipso: Allow the lsm to label the skbuff directly.

2016-02-07 Thread Paul Moore
return ret_val; > + > + if (len_delta) { > + if (len_delta > 0) > + skb_push(skb, len_delta); > + else > + skb_pull(skb, -len_delta); > + memmove((char *)ip6_hdr - len_delta, ip6_hdr, > + sizeof(*ip6_hdr) + start); > + skb_reset_network_header(skb); > + ip6_hdr = ipv6_hdr(skb); > + } -- paul moore security @ redhat

Re: [RFC PATCH 00/17] CALIPSO implementation

2015-12-23 Thread Paul Moore
never had the time to see it through to the end; I'm happy that someone was finally able to get it finished. -- paul moore www.paul-moore.com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH net] sctp: label accepted/peeled off sockets

2015-12-23 Thread Paul Moore
tate. > > This patch clones the sock's label from the parent sock and resolves the > issue (similar to AF_BLUETOOTH protocol family). > > Cc: Paul Moore <pmo...@redhat.com> > Cc: David Teigland <teigl...@redhat.com> > Signed-off-by: Marcelo Ricardo Leitner <marcel

Re: [PATCH net-next] net: synack packets can be attached to request sockets

2015-10-08 Thread Paul Moore
duma...@google.com> > Reported by: kernel test robot <ying.hu...@linux.intel.com> > Cc: Paul Moore <p...@paul-moore.com> > Cc: Stephen Smalley <s...@tycho.nsa.gov> > Cc: Eric Paris <epa...@parisplace.org> > --- > include/net/sock.h |8 > net/sche

[PATCH] af_unix: constify the sock parameter in unix_sk()

2015-10-06 Thread Paul Moore
Make unix_sk() just like inet[6]_sk() by constify'ing the sock parameter. Signed-off-by: Paul Moore <pmo...@redhat.com> --- include/net/af_unix.h |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/net/af_unix.h b/include/net/af_unix.h index cb1b9bb..b36d837

Re: [PATCH] [NETLABEL] Minor cleanup: remove unused method definition

2008-02-19 Thread Paul Moore
or do so myself. -- paul moore linux security @ hp

Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Paul Moore
.git;a=commit;h=4c3a0a254e5d706d3fe01bf42261534858d05586 -- paul moore linux security @ hp

Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Paul Moore
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote: --- Paul Moore [EMAIL PROTECTED] wrote: On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote: From: Casey Schaufler [EMAIL PROTECTED] Smack uses CIPSO labeling, but allows for unlabeled packets by specifying

Re: [PATCH] (02/14/08 Linus git) Smack unlabeled outgoing ambient packets - v3

2008-02-15 Thread Paul Moore
On Friday 15 February 2008 4:00:26 pm Casey Schaufler wrote: --- Paul Moore [EMAIL PROTECTED] wrote: On Friday 15 February 2008 12:38:49 am Casey Schaufler wrote: ... you shouldn't fix-up the return value from netlbl_sock_setattr(). It only returns an error when there really is an error
