On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote:
> On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> > The selinux netlink socket is used to notify userspace of changes to
> > the enforcing mode and policy reloads. At present, these notifications
> > are always
On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Implement the actual checks introduced to eBPF related syscalls. This
> implementation uses the security field inside the bpf object to store a
> sid that identifies the bpf object. And when processes try
On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann wrote:
> On 10/04/2017 08:29 PM, Chenbo Feng wrote:
>>
>> From: Chenbo Feng
>>
>> Introduce the map read/write flags to the eBPF syscalls that return the
>> map fd. The flags are used to set up the file mode
On 10/04/2017 08:29 PM, Chenbo Feng wrote:
From: Chenbo Feng
Introduce a bpf object related check when sending and receiving files
through unix domain socket as well as binder. It checks if the receiving
process has privilege to read/write the bpf map or use the bpf program.
On 10/05/2017 01:44 AM, Daniel Borkmann wrote:
On 10/04/2017 08:29 PM, Chenbo Feng wrote:
From: Chenbo Feng
Introduce a bpf object related check when sending and receiving files
through unix domain socket as well as binder. It checks if the receiving
process has privilege
On 10/05/2017 01:58 AM, Chenbo Feng wrote:
On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann wrote:
On 10/04/2017 08:29 PM, Chenbo Feng wrote:
From: Chenbo Feng
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags
On 10/04/2017 08:29 PM, Chenbo Feng wrote:
From: Chenbo Feng
Introduce the map read/write flags to the eBPF syscalls that return the
map fd. The flags are used to set up the file mode when constructing a new
file descriptor for bpf maps. To not break the backward capability, the
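The mechanism this message describes, as an added stand-alone model rather than code from the kernel or from this patch series: the read/write bits in map_flags are translated into open(2)-style flags for the new map fd, the fd's file mode is derived from those, and a later lookup or update is checked against that mode. BPF_F_RDONLY and BPF_F_WRONLY use the uapi bit positions; the FMODE_CAN_READ/FMODE_CAN_WRITE values and the function names are local assumptions for the model, not kernel symbols.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>

/* Map open flags as defined in the bpf uapi (bit positions as merged). */
#define BPF_F_RDONLY (1U << 3)
#define BPF_F_WRONLY (1U << 4)

/* Stand-ins for the struct file f_mode bits; the values are local
 * assumptions, only the names and the logic follow the kernel. */
#define FMODE_CAN_READ  0x1U
#define FMODE_CAN_WRITE 0x2U

/* Translate the map_flags supplied to the syscalls that return a map fd
 * into open(2)-style flags for that fd. Both bits set is rejected; neither
 * bit set keeps the old read/write fd, so existing callers are unaffected. */
int map_flags_to_open_flags(unsigned int map_flags)
{
	if ((map_flags & BPF_F_RDONLY) && (map_flags & BPF_F_WRONLY))
		return -EINVAL;
	if (map_flags & BPF_F_RDONLY)
		return O_RDONLY;
	if (map_flags & BPF_F_WRONLY)
		return O_WRONLY;
	return O_RDWR;
}

/* Derive the access mode recorded on the file from the open flags, as
 * happens when the anon inode for the map is created. */
unsigned int fmode_from_open_flags(int open_flags)
{
	switch (open_flags & O_ACCMODE) {
	case O_RDONLY:
		return FMODE_CAN_READ;
	case O_WRONLY:
		return FMODE_CAN_WRITE;
	default:
		return FMODE_CAN_READ | FMODE_CAN_WRITE;
	}
}

/* The check a map syscall applies to the fd it was handed: lookups need
 * FMODE_CAN_READ, updates and deletes need FMODE_CAN_WRITE. */
int check_map_fd_access(unsigned int fmode, int want_write)
{
	unsigned int need = want_write ? FMODE_CAN_WRITE : FMODE_CAN_READ;

	return (fmode & need) ? 0 : -EPERM;
}

/* End to end: obtain a map fd with the given map_flags, then attempt a
 * lookup (want_write == 0) or an update (want_write == 1) through it.
 * Returns 0 on success, -EINVAL for a contradictory flag set and -EPERM
 * when the fd's mode does not permit the operation. */
int simulate_map_op(unsigned int map_flags, int want_write)
{
	int open_flags = map_flags_to_open_flags(map_flags);

	if (open_flags < 0)
		return open_flags;
	return check_map_fd_access(fmode_from_open_flags(open_flags), want_write);
}

int main(void)
{
	printf("rdonly fd, update: %d (expect %d)\n",
	       simulate_map_op(BPF_F_RDONLY, 1), -EPERM);
	printf("wronly fd, lookup: %d (expect %d)\n",
	       simulate_map_op(BPF_F_WRONLY, 0), -EPERM);
	printf("both flags set:    %d (expect %d)\n",
	       simulate_map_op(BPF_F_RDONLY | BPF_F_WRONLY, 0), -EINVAL);
	printf("no flags, update:  %d (expect 0)\n", simulate_map_op(0, 1));
	return 0;
}
```

The point to keep in mind when reading the model: the restriction lives on the file, not on the map object, so a read-only fd passed to another process (over a unix socket or binder) stays read-only there, while a second fd to the same map obtained without the flags is still read/write.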
On Thu, 2017-10-05 at 10:06 -0400, Stephen Smalley wrote:
> On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote:
> > On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote:
> > > The selinux netlink socket is used to notify userspace of changes to
> > > the enforcing mode and
On Thu, 2017-10-05 at 11:49 -0400, Stephen Smalley wrote:
> On Thu, 2017-10-05 at 11:27 -0400, Stephen Smalley wrote:
> > On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote:
> > > Provide a userspace API to unshare the selinux namespace.
> > > Currently implemented via a selinuxfs node. This
On 10/05/2017 03:28 PM, Stephen Smalley wrote:
[...]
+static int selinux_bpf_prog(struct bpf_prog *prog)
+{
+ u32 sid = current_sid();
+ struct bpf_security_struct *bpfsec;
+
+ bpfsec = prog->aux->security;
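Review bot: `bpfsec = prog->aux->security;` is read with no check visible in this hunk that the security blob was actually allocated, so the hook depends on an invariant that every bpf_prog reaching this path already has its security field set by the alloc hook and that allocation failure aborts program creation. Either state that invariant in a comment at the assignment, or add an explicit NULL check on `bpfsec` that returns an error before the sid is used.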
I haven't looked closely at the bpf code, but is it guaranteed that
On Thu, 2017-10-05 at 11:27 -0400, Stephen Smalley wrote:
> On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote:
> > Provide a userspace API to unshare the selinux namespace.
> > Currently implemented via a selinuxfs node. This could be
> > coupled with unsharing of other namespaces (e.g.
On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote:
> Provide a userspace API to unshare the selinux namespace.
> Currently implemented via a selinuxfs node. This could be
> coupled with unsharing of other namespaces (e.g. mount namespace,
> network namespace) that will always be needed or
On Mon, 2 Oct 2017, Stephen Smalley wrote:
> An alternative would be to hang the selinux namespace off of the
> user namespace, which itself is associated with the cred. This
> seems undesirable however since DAC and MAC are orthogonal, and
> there appear to be real use cases where one will want
On Thu, 2017-10-05 at 09:37 -0400, Stephen Smalley wrote:
> On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> > From: Chenbo Feng
> >
> > Introduce a bpf object related check when sending and receiving files
> > through unix domain socket as well as binder. It checks
On Mon, 2 Oct 2017, Stephen Smalley wrote:
> This change presumes that one will always unshare the network namespace
> when unsharing a new selinux namespace (the reverse is not required).
> Otherwise, the same inconsistencies could arise between the notifications
> and the relevant policy. At