Assuming the permission is granted, the packet's secmark is replaced with the updated context. This updated secmark context would then be used in sock_rcv_skb() to make an access decision, yes?
You got it.
The ability to make access decisions based on the process consuming the data
This defines SELinux enforcement of the 2 new LSM hooks.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/hooks.c | 125 --
security/selinux/include/xfrm.h | 5 +
security/selinux/ss/mls.c | 2
security/selinux/ss/services.c
Invoke the skb_netfilter_check LSM hook for outbound (OUTPUT/FORWARD)
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
net/netfilter/xt_CONNSECMARK.c | 44 ++-
net/netfilter/xt_SECMARK.c | 20
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable reconciliation of the various security identifiers as well as enforce flow control on inbound (INPUT/FORWARD) and outbound (OUTPUT/FORWARD) traffic.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h
the originating socket
do so in the outbound hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/ip.h | 32
include/net/request_sock.h | 17
avperm flow_out to enable flow control checks on the outbound (output/forward), addressed in this patch as well.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/include/av_perm_to_string.h | 2 ++
security/selinux/include/av_permissions.h | 2 ++
2 files changed, 4
Invoke the skb_policy_check LSM hook for inbound (INPUT/FORWARD)
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/xfrm.h | 50 +++
1 file changed, 27 insertions(+), 23 deletions(-)
This labels the skb(s) for locally generated IPv6 traffic. This will be reconciled with xfrm secid as well as used in pertinent flow control checks on the outbound later in the LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat
The following are the changes included in this patchset since the previous post:
- Perform flow_in check before (as opposed to after) computing transition secid on inbound; this seems more intuitive and correct.
- Implement reconciliation and flow control for outbound traffic (forward case
Is there any way you can send patches without format=flowed in the content-type? On two mailers I've tried, the patches get mangled.
Yes. I will send them to you in a few minutes with format=flowed disabled. As soon as you let me know you see them fine, I will resend them to the lists.
On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
+ if (selinux_compat_net) {
+ err = selinux_xfrm_decode_session(skb, peersid, 0);
+ BUG_ON(err);
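Review bot: BUG_ON(err) on the return of selinux_xfrm_decode_session() turns a per-packet failure into a kernel panic; a decode error here should drop the packet (goto out, or return an error to the caller) because the hook cannot assume the failure is a kernel bug. As printed, peersid is also passed by value, but the decoded SID has to come back through a pointer, so this should read &peersid unless the ampersand was lost in transit.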
I'm pretty sure this should not be a BUG_ON. IIUC, you want to panic the kernel because one of the nested SAs has
On Fri, 8 Sep 2006, Venkat Yekkirala wrote:
@@ -114,6 +128,9 @@ static struct xt_target xt_connsecmark_t
.target = target,
.targetsize = sizeof(struct
xt_connsecmark_target_info),
.table = mangle,
+ .hooks
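Review bot: the hunk is cut off at `.hooks`, so the mask itself cannot be checked, but this field is what limits where CONNSECMARK may be used; the mask should match the hook set the changelogs name for reconciliation (inbound PREROUTING/INPUT, outbound OUTPUT/FORWARD/POSTROUTING), and the commit message should say why the target is now restricted to those hooks, since existing rulesets placed at other hooks will start failing to load.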
This doesn't look right since kzalloc would already have zeroed the structure out. Are you sure you are getting garbage in the acquire from the kernel? If you are, I strongly doubt that this would be the one causing it (unless kzalloc on this arch misbehaved). Or is this a racoon bug?
See below.
James Morris wrote on Monday, September 18, 2006 (Re: [PATCH 4/7] secid reconciliation-v02: Invoke LSM):
+static int selinux_skb_policy_check(struct sk_buff *skb,
unsigned short
family) +{
+ u32 xfrm_sid, trans_sid;
+ int err;
+
+ if (selinux_compat_net)
+ return 1;
+
+ err = selinux_xfrm_decode_session(skb, xfrm_sid, 0);
+ BUG_ON(err);
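Review bot: same BUG_ON problem as in the compat_net path: an error from selinux_xfrm_decode_session() should make the hook drop the packet, not panic. `if (selinux_compat_net) return 1;` also makes the hook fail open under compat_net with no comment on why that is safe, trans_sid is declared but not used in the lines shown, and xfrm_sid must be passed by address (&xfrm_sid) for the decoded SID to reach this function.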
First, any reason
the identifiers on the inbound (input/forward). Also adds a new avperm flow_out to enable flow control checks on the outbound (output/forward), addressed in this patch as well.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/include/av_perm_to_string.h | 2 ++
security/selinux
This labels the skb(s) for locally generated IPv6 traffic. This will be used in pertinent flow control checks on the outbound later in the LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled secmark on the inbound.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
This patchset is relative to davem's net-2.6.git
The following are the changes included in this patchset since the previous post:
- Retain secmark (from the originating socket/flow) on loopback traffic; this traffic is now flow controlled on the outbound only.
- When multiple iptables
Invoke the skb_flow_in LSM hook for inbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/xfrm.h | 45 +--
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/include/net
hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/ip.h | 32
include/net/request_sock.h | 17 +
net/dccp/ipv4.c
This defines SELinux enforcement of the 2 new LSM hooks as well as related changes elsewhere in the SELinux code.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/hooks.c | 129 +++---
security/selinux/include/xfrm.h | 5 +
security
Invoke the skb_flow_out LSM hook for outbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
net/netfilter/xt_CONNSECMARK.c | 70 +++
net/netfilter/xt_SECMARK.c | 33 +-
2 files changed, 85
Fine with me, unless Venkat has an immediate use case for such transitions in the flow_in case (but I think this is mostly my fault for suggesting transitions a while ago).
I don't have a use case currently.
Unless I'm confusing something, there still may be a need for transitions if we want to support both IPsec and NetLabel labeling on the same connection.
I'd prefer not to support this, as it's too complicated,
Actually, from my vantage point, it seems natural.
and CIPSO is
That's fine by me, I just wanted to make sure something like that would be acceptable. So, in summary, we would do the normal flow_in checks for both IPsec and NetLabel and then set the secmark using the IPsec label as the base sid for the NetLabel's generated SID?
That's correct (in short
I tend to agree, I just can't see it being all that useful in the real world. However, each time it comes up (including the conference call earlier this week) it seems that people would prefer to use both at the same time.
A matter of providing options to users. It seems more of a pain to
+static int selinux_skb_flow_in(struct sk_buff *skb,
unsigned short family)
+{
+ u32 xfrm_sid, trans_sid;
+ int err;
+
+ if (selinux_compat_net)
+ return 1;
+
+ /* xfrm/cipso inapplicable for loopback traffic */
+ if (skb-dev == loopback_dev)
+
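Review bot: the loopback early return skips the flow_in check entirely, and the comment only says xfrm/cipso are inapplicable; the changelog's rationale (loopback traffic keeps the originating socket's secmark and is flow controlled on the outbound only) belongs in this comment so a reader sees that enforcement moved rather than vanished. The `return 1` meaning "accept" is not documented at the hook either; state the return convention in the hook's description in security.h.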
While I don't see any explicit mention of it in the documentation or your comments, I assume we would want a flow_out check for NetLabel here as well?
I don't believe we do. By this time, the packet is or should already be carrying the CIPSO/NetLabel option which should already be
@@ -3672,16 +3674,20 @@ static int selinux_skb_flow_in(struct sk
if (err)
goto out;
- if (xfrm_sid) {
- err = security_transition_sid(xfrm_sid, skb-secmark,
-
SECCLASS_PACKET, trans_sid);
- if
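Review bot: with the security_transition_sid() call removed, the xfrm SID is used as-is as the reconciled secmark; if trans_sid is no longer assigned anywhere in selinux_skb_flow_in() its declaration should go in the same hunk, and the commit message should record that inbound transitions were dropped for lack of a use case, as agreed in the thread, so nobody reintroduces them by accident.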
Venkat,
With xfrm labeling, the external packets are always going to be protocol ESP or AH, and we can't connection track the inner protocols. So,
Are you sure? This doesn't compare to what my limited testing seems to have turned up (normal netfiltering of inner protos followed by
It seems more of a pain to actually prevent their use at the same time and/or explain strange/unnatural behavior.
Agreed, the solution that we agreed upon is much easier to implement and explain than a lot of the alternatives.
Ok, can you please explain it further? i.e. show me
The way I was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. The first SYNACK would be blocked,
Given that the resolver fails to find a policy here,
Add skb_policy_check and skb_netfilter_check hooks to LSM to enable reconciliation of the various security identifiers as well as enforce flow control on inbound (PREROUTING/INPUT) and outbound (OUTPUT/FORWARD/POSTROUTING) traffic.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include
-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/hooks.c | 148 +++---
security/selinux/include/xfrm.h | 11 +-
security/selinux/xfrm.c | 66 +
3 files changed, 150 insertions(+), 75 deletions(-)
diff --git a/security/selinux/hooks.c b
This patch: Add new flask definitions to SELinux
Adds a new avperm flow_in to arbitrate among the identifiers on the inbound (input/forward). Also adds a new avperm flow_out to enable flow control checks on the outbound (output/forward), addressed in this patch as well.
Signed-off-by: Venkat
hook.
NOTE: Forwarded traffic is already labeled with the reconciled
secmark on the inbound.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/ip.h | 31 +++
include/net/request_sock.h | 18 ++
net/dccp/ipv4.c
Invoke the skb_flow_in LSM hook for inbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/net/xfrm.h | 45 +--
1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/include/net
This brings secmark into the picture when classifying flows using an skb.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h | 10 --
include/linux/skbuff.h | 20
2 files changed, 20 insertions(+), 10 deletions(-)
--- net-2.6.sid
This labels the skb(s) for locally generated IPv6 traffic. This will be used in pertinent flow control checks on the outbound later in the LSM hook.
NOTE: Forwarded traffic is already labeled with the reconciled secmark on the inbound.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
Invoke the skb_flow_out LSM hook for outbound
traffic for secid reconciliation and flow control.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
net/netfilter/xt_CONNSECMARK.c | 72 ---
net/netfilter/xt_SECMARK.c | 45 ++-
2 files changed
In the case above I am concerned about the situation where the skb->secmark == 0 and there is a IPv4 option (i.e. it is NetLabel labeled) on the packet.
It's unfortunate that you cut out the code in your reply.
It's even more unfortunate that you should say this. The proper thing to do is to
On Sun, 1 Oct 2006, Venkat Yekkirala wrote:
The way I was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. The first SYNACK would
My immediate concern is not really what selinux_xfrm_decode_session() returns, but how to handle it, or rather errors in general, in selinux_skb_flow_in(). I'm in the process of creating a patch to add the missing NetLabel support to the secid patches and I am wondering if I should
This is indeed the designed and expected (for me) behavior.
This is a security hole. SELinux denies all access by default, so the default behavior of this code is to allow all traffic to bypass IPsec. You should not need to add a rule to 'allow' increased security.
You are right.
If this selinux_netlbl_skb_sid() call can fail for any reason other than a kernel bug, then this needs to goto out instead of using BUG_ON. For example, if the function can fail due to temporary memory pressure leading to a failed allocation, then you want to simply drop the packet,
system-hi.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
This is an incremental patch to the secid-reconciliation v4 patchset.
--- net-2.6.sid3/security/selinux/hooks.c 2006-10-01 15:43:12.0
-0500
+++ net-2.6/security/selinux/hooks.c2006-10-03 16:43:21.0 -0500
Thanks,
venkat
James Morris wrote on Wednesday, October 04, 2006 (Re: [PATCH] Fix
Considering the above change, I wonder if it would also make sense to update the secmark to SECINITSID_UNLABELED in the absence of any external labeling (labeled IPsec or NetLabel)?
Ungh, my apologies ... I meant to say SECINITSID_NETMSG *not* SECINITSID_UNLABELED.
In the
@@ -3714,19 +3714,34 @@ static int selinux_skb_flow_in(struct sk
if (skb-dev == loopback_dev)
return 1;
+ if (skb-secmark)
+ loc_sid = skb-secmark;
+ else
+ loc_sid = SECINITSID_NETMSG;
+
err = selinux_xfrm_decode_session(skb,
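Review bot: defaulting loc_sid to SECINITSID_NETMSG when skb->secmark is 0 means an unmarked packet is checked against the netmsg initial SID, so policy must grant flow_in from the external label to that SID or every unmarked, externally labeled packet is silently dropped; that policy dependency should be spelled out in the changelog and carried into the refpolicy patch. The hunk also leaves the secmark itself untouched when no external label is present, which is exactly the open question raised above about whether it should become SECINITSID_NETMSG; a comment on the chosen answer would help.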
As for the rest of the network labeling, please work together with Venkat and the SELinux developers on a final patchset which meets all of the design goals and has been tested, with policy which has been merged upstream and is available via Fedora devel. Please keep the
* XFRM present
xfrm_sid = full context from xfrm
loc_sid = SECINITSID_NETMSG
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
* NetLabel present
xfrm_sid = SECSID_NULL/0
loc_sid = SECSID_NULL/0
nlbl_sid =
Actually, I meant to cite the following instead of the above:
* Nothing
xfrm_sid = SECSID_NULL/0
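The reconciliation cases listed above (Nothing, XFRM present, NetLabel present) and the loc_sid defaulting from the hunk, modelled in userspace C as an added example; this is not code from the patchset or the kernel. The numeric SID values, the avc_has_perm() stand-in table, the decision to drop on a decode failure rather than BUG_ON, the rejection of a packet that carries both labels (the combined IPsec+NetLabel case discussed in the thread is not modelled), and the (ext_sid, loc_sid) source/target ordering are all assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

#define SECSID_NULL        0u
#define SECINITSID_NETMSG  1u   /* stand-in number; the real initial SID value comes from policy */
#define PACKET__FLOW_IN    1    /* stand-in bit for the new flow_in avperm */

/* Constructed SIDs for the example, not taken from the thread. */
#define SID_XFRM_PEER   100u    /* context decoded from the labeled IPsec SA */
#define SID_NLBL_PEER   200u    /* SID derived from the NetLabel/CIPSO option */
#define SID_SECMARK_A   300u    /* a secmark set by iptables SECMARK/CONNSECMARK */

struct skb_model {
    u32 secmark;     /* 0 if no SECMARK rule marked the packet */
    u32 xfrm_sid;    /* SECSID_NULL if the packet did not arrive over a labeled SA */
    u32 nlbl_sid;    /* SECSID_NULL if the packet carries no NetLabel option */
    int decode_err;  /* nonzero models selinux_xfrm_decode_session() failing */
    int loopback;    /* models skb->dev == loopback_dev */
};

/* Stand-in AVC: deny by default, only these (source, target) pairs hold flow_in. */
struct avc_rule { u32 ssid; u32 tsid; int perms; };
static const struct avc_rule avc_rules[] = {
    { SID_XFRM_PEER, SID_SECMARK_A,     PACKET__FLOW_IN },
    { SID_NLBL_PEER, SECINITSID_NETMSG, PACKET__FLOW_IN },
};

static int avc_has_perm(u32 ssid, u32 tsid, int perm)
{
    size_t i;
    for (i = 0; i < sizeof(avc_rules) / sizeof(avc_rules[0]); i++)
        if (avc_rules[i].ssid == ssid && avc_rules[i].tsid == tsid &&
            (avc_rules[i].perms & perm) == perm)
            return 1;
    return 0;
}

/* Model of the inbound (flow_in) hook. Returns 1 to accept, 0 to drop.
 * On accept with an external label present, skb->secmark becomes that label. */
static int flow_in(struct skb_model *skb)
{
    u32 loc_sid, ext_sid;

    /* loopback: xfrm/cipso inapplicable; the packet keeps its secmark and
     * is flow controlled on the outbound only */
    if (skb->loopback)
        return 1;

    /* fail closed: a decode failure drops the packet instead of panicking */
    if (skb->decode_err)
        return 0;

    /* example's own choice: both labels at once is rejected, not combined */
    if (skb->xfrm_sid != SECSID_NULL && skb->nlbl_sid != SECSID_NULL)
        return 0;

    ext_sid = skb->xfrm_sid != SECSID_NULL ? skb->xfrm_sid : skb->nlbl_sid;
    if (ext_sid == SECSID_NULL)
        return 1;   /* "Nothing" case: no external label to reconcile */

    /* an unmarked packet is checked as the netmsg initial SID */
    loc_sid = skb->secmark ? skb->secmark : SECINITSID_NETMSG;

    /* assumed ordering: external label is the source, local label the target */
    if (!avc_has_perm(ext_sid, loc_sid, PACKET__FLOW_IN))
        return 0;

    skb->secmark = ext_sid;   /* avc_ok: later checks see the reconciled label */
    return 1;
}

/* Build one packet and report the verdict, or the secmark left on it. */
static int verdict_for(u32 secmark, u32 xfrm, u32 nlbl, int decode_err, int loopback)
{
    struct skb_model skb = { secmark, xfrm, nlbl, decode_err, loopback };
    return flow_in(&skb);
}

static u32 secmark_after(u32 secmark, u32 xfrm, u32 nlbl, int decode_err, int loopback)
{
    struct skb_model skb = { secmark, xfrm, nlbl, decode_err, loopback };
    flow_in(&skb);
    return skb.secmark;
}

int main(void)
{
    printf("xfrm peer, secmark A: verdict %d, secmark %u\n",
           verdict_for(SID_SECMARK_A, SID_XFRM_PEER, 0, 0, 0),
           (unsigned)secmark_after(SID_SECMARK_A, SID_XFRM_PEER, 0, 0, 0));
    printf("xfrm peer, unmarked:  verdict %d (no rule against netmsg)\n",
           verdict_for(0, SID_XFRM_PEER, 0, 0, 0));
    printf("decode failure:       verdict %d (dropped, not BUG_ON)\n",
           verdict_for(SID_SECMARK_A, SID_XFRM_PEER, 0, 1, 0));
    return 0;
}
```

The two dropped cases are the ones the thread argues about: an unmarked packet is judged as the netmsg initial SID, so a missing allow rule for that SID drops traffic rather than letting it through, and a decode error never reaches an allow path.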
On Wed, 2006-10-04 at 15:27 -0400, Paul Moore wrote:
Venkat Yekkirala wrote:
* XFRM present
xfrm_sid = full context from xfrm
loc_sid = SECINITSID_NETMSG
nlbl_sid = SECSID_NULL/0
ext_sid = xfrm_sid
final skb->secmark = avc_ok : ext_sid ? unchanged
As noted
This version takes into account David Miller's comments regarding treatment of security layer errors in the case of socket policies. Specifically, these errors will be treated like how these kind of errors are treated for the main/sub policies, which is to return a full lookup failure.
This treats the security errors encountered in the case of socket policy matching, the same as how these are treated in the case of main/sub policies, which is to return a full lookup failure.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
net/xfrm/xfrm_policy.c | 26
into play only when an explicit context is associated with the IPSec policy rule.
Also, this no longer defaults the context of a socket policy to the context of the socket since the no explicit context case is now handled properly.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include
From: James Morris [EMAIL PROTECTED]
When a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return an access denied permission (or other error). We were not handling that correctly, and in fact inverting the return logic and propagating a false ok
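The error-handling rule this fix and the follow-up thread settle on (a selector miss moves on to the next rule, a security-layer error on an applicable rule is a full lookup failure, never "no policy"), shown as an added userspace C model; this is not the kernel's xfrm code. The policy table, the policy_match() stand-in and the dispose() caller are constructed for the example, and the fail-open branch exists only to show what collapsing a denial into "no policy" would do.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct policy {
    int id;            /* rule id, > 0 */
    int selector_hit;  /* the flow's selector matches this rule */
    int lsm_result;    /* stand-in for the security hook: 0 ok, -EACCES denied, -ENOMEM transient */
};

/* Stand-in for xfrm_policy_match(): 0 = match, -ESRCH = selector miss,
 * any other negative value = security layer error on a rule that applies. */
static int policy_match(const struct policy *p)
{
    if (!p->selector_hit)
        return -ESRCH;
    return p->lsm_result;
}

/* Resolver. Returns the matching rule id (> 0), 0 for "no applicable policy",
 * or a negative errno the caller must treat as a full lookup failure.
 * fail_closed == 0 selects the broken behaviour for comparison. */
static int resolve(const struct policy *pols, size_t n, int fail_closed)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int r = policy_match(&pols[i]);
        if (r == 0)
            return pols[i].id;
        if (r == -ESRCH)
            continue;            /* selector miss: try the next rule */
        if (fail_closed)
            return r;            /* security error: full lookup failure */
        return 0;                /* fail-open: denial becomes "no policy" */
    }
    return 0;
}

/* Caller's disposition of a flow: 1 = send via IPsec, 0 = no policy, send in
 * the clear, -1 = drop. A negative resolver result must never reach 0. */
static int dispose(int resolve_result)
{
    if (resolve_result > 0)
        return 1;
    if (resolve_result == 0)
        return 0;
    return -1;
}

/* Constructed rule set: a miss, a denied rule that applies, a permitted rule. */
static const struct policy sample_rules[] = {
    { 1, 0, 0 },
    { 2, 1, -EACCES },
    { 3, 1, 0 },
};
#define N_RULES (sizeof(sample_rules) / sizeof(sample_rules[0]))

int main(void)
{
    printf("fail closed: resolve=%d dispose=%d\n",
           resolve(sample_rules, N_RULES, 1), dispose(resolve(sample_rules, N_RULES, 1)));
    printf("fail open:   resolve=%d dispose=%d (traffic bypasses IPsec)\n",
           resolve(sample_rules, N_RULES, 0), dispose(resolve(sample_rules, N_RULES, 0)));
    return 0;
}
```

With the denied rule in the table the fail-closed resolver drops the flow, while the fail-open variant reports "no policy" and the caller sends in the clear, which is the bypass James calls a security hole; note that the permitted rule 3 is never reached once rule 2 applies and is denied.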
This version takes into account David Miller's comments regarding treatment of security layer errors in the case of socket policies. Specifically, these errors will be treated like how these kind of errors are treated for the main/sub policies, which is to return a full lookup failure.
- if (xfrm_policy_match(pol, fl, type, family, dir)) {
+ err = xfrm_policy_match(pol, fl, type, family, dir);
+ if (err) {
+ if (err == -ESRCH)
+ continue;
+ else {
+
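Review bot: this hunk inverts the meaning of xfrm_policy_match()'s return value (previously non-zero meant a match, now 0 means match and a negative errno is returned), so every other caller must be converted in the same patch or it will silently treat matches as misses. The `else {` branch is cut off here; any error other than -ESRCH has to propagate to the caller as an ERR_PTR rather than be skipped, otherwise a security-layer denial degrades to "no policy" and the flow bypasses IPsec.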
From: James Morris [EMAIL PROTECTED]
Date: Thu, 5 Oct 2006 16:54:38 -0400 (EDT)
#ifdef CONFIG_XFRM_SUB_POLICY
pol = xfrm_policy_lookup_bytype(XFRM_POLICY_TYPE_SUB,
fl, family, dir);
- if (pol)
+ if (IS_ERR(pol)) {
+ err = PTR_ERR(pol);
+ pol = NULL;
+
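Review bot: after `pol = NULL` on IS_ERR(pol), the error from the sub-policy lookup needs to be returned as a full lookup failure rather than falling through to the main-policy lookup, and -ESRCH (no matching sub policy) must be distinguished from a real security error here, consistent with the `continue` on -ESRCH in the matching loop; the cut-off lines should show which of the two this path does.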
My apologies. The second one is also numbered 1, but has the following distinct subject line:
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code
I definitely deleted one of them, since I usually get N copies of every single patch posting and two of them looked
This is a bug fix for the MLSXFRM patchset already queued for 2.6.19. This version is just a repost of V.03 with the subject titles fixed up, and the patches ported to davem's net-2.6.git as of today.
include/linux/security.h | 24 ++-
include/net/flow.h | 2
From an initial review of this patchset, it doesn't look quite ready to queue for 2.6.20 (which I plan to do via git once it is). Outstanding items include resolving the igmp skb hook issue generally, testing to verify both the design and implementation, and ensuring that all the
So if the security folks actually care about this, they'd need to flush the flow cache whenever a relevant change is made to the security database.
I do not believe we are doing this. I will look into this ASAP.
This patch causes security policy denials to be cached instead of causing a relookup every time.
Only, on a security policy denial (-ESRCH from the LSM hook), a 0 is returned by the resolver to signify no applicable policy since a negative result is akin to no policy. And I see the no policy case is already cached.
I'm not talking about an xfrm policy lookup failure, that exists
This patch is an incremental fix to the flow_cache_genid patch for selinux that breaks the build of 2.6.20-rc6 when xfrm is not configured.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
security/selinux/include/xfrm.h | 9 +
security/selinux/ss/services.c | 6 +++---
2
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
net/key/af_key.c | 22 ++
1 file changed, 22 insertions(+)
--- linux-2.6.16.vanilla/net/key/af_key.c 2006-06-12 17:49:42.0
-0500
+++ linux-2.6.16/net/key/af_key.c 2006-06-19 19:48:24.0 -0500
This patch has been included here just for reference. It will be submitted to the serefpolicy list later.
This patch adds a polmatch avperm to arbitrate flow/state's access to a xfrm policy. It also defines MLS policy for association { sendto, recvfrom, polmatch }.
NOTE: When an inbound packet
From: Serge Hallyn [EMAIL PROTECTED]
This includes the security context of a security association created for use by IKE in the acquire messages sent to IKE daemons using netlink/xfrm_user. This would allow the daemons to include the security context in the negotiation, so that the resultant
definitions to SELinux
Adds a new avperm polmatch to arbitrate flow/state access to an xfrm policy rule.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
The patch set is relative to 2.6.17-rc6-mm2. A policy patch is also included for reference. A patch to ipsec-tools/racoon will follow later
This defines a routine that combines the Type Enforcement portion of one sid with the MLS portion from the other sid to arrive at a new sid. This is currently used to define a sid for a security association that is to be negotiated by IKE.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
This adds security for IP sockets at the sock level. Security at the sock level is needed to enforce the SELinux security policy for security associations even when a sock is orphaned (such as in the TCP LAST_ACK state).
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux
This makes the security sid a part of the flow key and implements a seamless mechanism for xfrm policy selection and state matching based on the flow sid. This also includes the necessary SELinux enforcement pieces.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h
+static inline void sock_copy(struct sock *nsk, const
struct sock *osk)
+{
+ void *sptr = nsk-sk_security;
+
+ memcpy(nsk, osk, osk-sk_prot-obj_size);
+ nsk-sk_security = sptr;
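Review bot: the save/restore of sk_security around the memcpy() needs a comment: memcpy copies osk's sk_security pointer into nsk, so without restoring sptr the new sock would share the parent's security blob (and later free it twice). The follow-up question in this thread shows the intent is not obvious from the code alone.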
I don't get it. Why do you put sk_security away and then set it back? Doesn't memcpy already do
Hello,
When there is a lot (thousands) of IPSec policy rules in the kernel, a dump
request from user land would currently cause most of the policy rules to not
make it to the socket receive buffer depending on what value sk_rcvbuf has.
Using setkey to load a bunch of policy rules, then trying to
(Re: IPSec DUMP issue)
On Tue, 2006-31-01 at 11:42 -0500, Venkat Yekkirala wrote:
I gather this is a known issue and was wondering about possible/acceptable solutions as I would
socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h | 19 -
net/xfrm/xfrm_policy.c | 3
security/dummy.c | 7 -
security/selinux/hooks.c | 26
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
What about the case of a localhost TCP connection not using xfrm labeling? Joe Nall raised this as an important
Such duplication can occur among the initial SIDs.
For some reason I thought that could happen between an initial SID and a non-initial SID.
Not sure though when that would apply here,
It could apply to xfrms if they happen to be using the context represented by any of the initial SIDs.
Which would happen when?
If one were attempting to use a context pertaining to the unlabeled init sid in the SPD and/or the SAD. But
This patchset is against davem's net-2.6.git. Please apply to 2.6.19.
The following are the changes since the previous post of this patchset:
1. Separate BUG_ON usage per Eric's suggestion.
2. Replace security_sid_compare with a simple sid compare check per a suggestion from Paul/Stephen.
socket_t peer_sa_t:association { recvfrom };
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h | 19 -
net/xfrm/xfrm_policy.c | 3
security/dummy.c | 7 --
security/selinux/hooks.c | 26 +--
security/selinux
Fix SO_PEERSEC for tcp sockets to return the security context of
the peer (as represented by the SA from the peer) as opposed to the
SA used by the local/source socket.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h | 14 ++
include/net
that the SA carries the label of the originating socket/flow.
Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED]
---
include/linux/security.h | 21 --
security/dummy.c | 4 +--
security/selinux/include/xfrm.h | 4 +--
security/selinux/xfrm.c | 35
I think this should be aimed at 2.6.20, because we are at the last or second-last -rc currently, and I don't think these fixes are urgent enough to justify the risk at this stage.
That makes sense. Thanks.
I pulled in the lspp respin kernels and am checking the labeling behavior now so I should have a full response later, however I ran into one unexpected thing immediately on bootup with the new kernel:
Just FYI- The labeled-ipsec patch doesn't affect or influence the packet class handling
Hi,
I am wondering if 26sec supports NAT-Traversal for multiple endpoints behind the same NAT. In looking at xfrm_tmpl it's not obvious to me that it's supported, at least going by the following from the setkey man page:
When NAT-T is enabled in the kernel, policy matching for ESP
Something like this (untested) on the ipv4 side, for example:
diff --git a/include/net/route.h b/include/net/route.h
index 486e37a..a8af632 100644
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -146,7 +146,8 @@ static inline char rt_tos2priority(u8 tos)
static inline int
@@ -2552,7 +2550,7 @@ static int pfkey_spdget(struct sock
*sk, struct sk_buff *skb, struct sadb_msg *h
return -EINVAL;
xp = xfrm_policy_byid(XFRM_POLICY_TYPE_MAIN, dir,
pol-sadb_x_policy_id,
- hdr-sadb_msg_type == SADB_X_SPDDELETE2);
+
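Review bot: the replacement argument on the `+` line is cut off; the argument being replaced is the SADB_X_SPDDELETE2 delete flag, so if it becomes an error/audit out-parameter the delete path of pfkey_spdget() still has to record its outcome, which is exactly the audit question raised below.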
Also, [Joy cc'd] deletions here needn't be audited?
OK, I see the next patch addressed this :)
Signed-off-by: Eric Paris [EMAIL PROTECTED]
Acked-by: Venkat Yekkirala [EMAIL PROTECTED]
(and successes) will actually get audited.
Not sure ALL failures are being audited this way elsewhere, but I guess they would catch up in course of time.
Signed-off-by: Eric Paris [EMAIL PROTECTED]
Acked-by: Venkat Yekkirala [EMAIL PROTECTED]