Re: [RFC 04/10] netns, selinux: create the selinux netlink socket per network namespace

2017-10-05 Thread Stephen Smalley
On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote: > On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote: > > The selinux netlink socket is used to notify userspace of changes > > to > > the enforcing mode and policy reloads.  At present, these > > notifications > > are always

Re: [PATCH net-next 3/4] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-05 Thread Stephen Smalley
On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote: > From: Chenbo Feng > > Implement the actual checks introduced to eBPF related syscalls. This > implementation uses the security field inside the bpf object to store a > sid that > identifies the bpf object. And when processes try

Re: [PATCH net-next 1/4] bpf: Add file mode configuration into bpf maps

2017-10-05 Thread Chenbo Feng via Selinux
On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann wrote: > On 10/04/2017 08:29 PM, Chenbo Feng wrote: >> >> From: Chenbo Feng >> >> Introduce the map read/write flags to the eBPF syscalls that return the >> map fd. The flags are used to set up the file mode

Re: [PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-05 Thread Daniel Borkmann
On 10/04/2017 08:29 PM, Chenbo Feng wrote: From: Chenbo Feng Introduce a bpf object related check when sending and receiving files through unix domain socket as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program.

Re: [PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-05 Thread Daniel Borkmann
On 10/05/2017 01:44 AM, Daniel Borkmann wrote: On 10/04/2017 08:29 PM, Chenbo Feng wrote: From: Chenbo Feng Introduce a bpf object related check when sending and receiving files through unix domain socket as well as binder. It checks if the receiving process has privilege

Re: [PATCH net-next 1/4] bpf: Add file mode configuration into bpf maps

2017-10-05 Thread Daniel Borkmann
On 10/05/2017 01:58 AM, Chenbo Feng wrote: On Wed, Oct 4, 2017 at 4:29 PM, Daniel Borkmann wrote: On 10/04/2017 08:29 PM, Chenbo Feng wrote: From: Chenbo Feng Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags

Re: [PATCH net-next 1/4] bpf: Add file mode configuration into bpf maps

2017-10-05 Thread Daniel Borkmann
On 10/04/2017 08:29 PM, Chenbo Feng wrote: From: Chenbo Feng Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break the backward capability, the

Re: [RFC 04/10] netns, selinux: create the selinux netlink socket per network namespace

2017-10-05 Thread Stephen Smalley
On Thu, 2017-10-05 at 10:06 -0400, Stephen Smalley wrote: > On Thu, 2017-10-05 at 00:47 -0500, Serge E. Hallyn wrote: > > On Mon, Oct 02, 2017 at 11:58:19AM -0400, Stephen Smalley wrote: > > > The selinux netlink socket is used to notify userspace of changes > > > to > > > the enforcing mode and

Re: [RFC 09/10] selinux: add a selinuxfs interface to unshare selinux namespace

2017-10-05 Thread Stephen Smalley
On Thu, 2017-10-05 at 11:49 -0400, Stephen Smalley wrote: > On Thu, 2017-10-05 at 11:27 -0400, Stephen Smalley wrote: > > On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote: > > > Provide a userspace API to unshare the selinux namespace. > > > Currently implemented via a selinuxfs node. This

Re: [PATCH net-next 3/4] selinux: bpf: Add selinux check for eBPF syscall operations

2017-10-05 Thread Daniel Borkmann
On 10/05/2017 03:28 PM, Stephen Smalley wrote: [...] +static int selinux_bpf_prog(struct bpf_prog *prog) +{ + u32 sid = current_sid(); + struct bpf_security_struct *bpfsec; + + bpfsec = prog->aux->security; I haven't looked closely at the bpf code, but is it guaranteed that

Re: [RFC 09/10] selinux: add a selinuxfs interface to unshare selinux namespace

2017-10-05 Thread Stephen Smalley
On Thu, 2017-10-05 at 11:27 -0400, Stephen Smalley wrote: > On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote: > > Provide a userspace API to unshare the selinux namespace. > > Currently implemented via a selinuxfs node. This could be > > coupled with unsharing of other namespaces (e.g.  

Re: [RFC 09/10] selinux: add a selinuxfs interface to unshare selinux namespace

2017-10-05 Thread Stephen Smalley
On Mon, 2017-10-02 at 11:58 -0400, Stephen Smalley wrote: > Provide a userspace API to unshare the selinux namespace. > Currently implemented via a selinuxfs node. This could be > coupled with unsharing of other namespaces (e.g.  mount namespace, > network namespace) that will always be needed or

Re: [RFC 05/10] selinux: support per-task/cred selinux namespace

2017-10-05 Thread James Morris
On Mon, 2 Oct 2017, Stephen Smalley wrote: > An alternative would be to hang the selinux namespace off of the > user namespace, which itself is associated with the cred. This > seems undesirable however since DAC and MAC are orthogonal, and > there appear to be real use cases where one will want

Re: [PATCH net-next 4/4] selinux: bpf: Add additional check for bpf object file receive

2017-10-05 Thread Stephen Smalley
On Thu, 2017-10-05 at 09:37 -0400, Stephen Smalley wrote: > On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote: > > From: Chenbo Feng > > > > Introduce a bpf object related check when sending and receiving > > files > > through unix domain socket as well as binder. It checks

Re: [RFC 04/10] netns, selinux: create the selinux netlink socket per network namespace

2017-10-05 Thread James Morris
On Mon, 2 Oct 2017, Stephen Smalley wrote: > This change presumes that one will always unshare the network namespace > when unsharing a new selinux namespace (the reverse is not required). > Otherwise, the same inconsistencies could arise between the notifications > and the relevant policy. At