> @@ -3714,19 +3714,34 @@ static int selinux_skb_flow_in(struct sk
>       if (skb->dev == &loopback_dev)
>               return 1;
>  
> +     if (skb->secmark)
> +             loc_sid = skb->secmark;
> +     else
> +             loc_sid = SECINITSID_NETMSG;
> +
>       err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
>       BUG_ON(err);
> -
> -     err = avc_has_perm(xfrm_sid, skb->secmark? : SECINITSID_NETMSG,
> -                                     SECCLASS_PACKET,
> -                                     PACKET__FLOW_IN, NULL);
> +     err = selinux_netlbl_skb_sid(skb,
> +                                  xfrm_sid ? xfrm_sid : loc_sid,
> +                                  &nlbl_sid);
>       if (err)
>               goto out;
>  
> -     if (xfrm_sid)
> -             skb->secmark = xfrm_sid;
> +     if (nlbl_sid)
> +             ext_sid = nlbl_sid;
> +     else
> +             ext_sid = xfrm_sid;

There's a problem here in that it would require 2 different policies
depending on whether one is using netlabel or xfrm. Specifically, in
the absence of matching iptables contexts (secmark), the skb here
will get:

- 0 (xfrm case)
- network_t (netlabel)

This has implications for getpeercon() where it would

- fail with ENOPROTOOPT (xfrm case)
- return network_t (netlabel)

I would still argue that the nature of the domain being carried by
the packet is still unlabeled_t as implied by the null secmark. While
I view secmark/point as specifying BOTH a flow control point and a
default domain (incidentally using the same label more because of
implementation constraints), I view network_t as purely a flow control
point.

But I also realize there can be equally forceful arguments for what this
patch does.

What does the community think? We need to resolve it one way or the
other unless the above differences in behavior are desired or somehow
accounted for in policy and apps.

> +
> +     err = avc_has_perm(ext_sid,
> +                        loc_sid,
> +                        SECCLASS_PACKET,
> +                        PACKET__FLOW_IN,
> +                        NULL);
> +     if (err)
> +             goto out;
>  
> -     /* See if NetLabel can flow in thru the current secmark here */
> +     if (ext_sid)
> +             skb->secmark = ext_sid;
>  
>  out:
>       return err ? 0 : 1;
> 
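Review bot: the two labeling paths end up asymmetric at the `ext_sid` selection and the final `skb->secmark` store. The fallback passed to `selinux_netlbl_skb_sid()` is `xfrm_sid ? xfrm_sid : loc_sid`, so if NetLabel hands back that fallback when no NetLabel attribute is present (as the reply above suggests), `ext_sid` becomes `loc_sid` itself: `avc_has_perm(ext_sid, loc_sid, ...)` then checks a SID against itself and `skb->secmark = ext_sid` rewrites the secmark with the default, whereas the xfrm-only path leaves `ext_sid == 0`, still calls `avc_has_perm()` with a zero source SID, and never touches `skb->secmark`. Either make the two paths agree on what a packet with no xfrm and no NetLabel label gets (e.g. decide explicitly what `ext_sid == 0` means before the `avc_has_perm()` call) or document the difference, since it is not obvious from the code. Separately, the removed comment `/* See if NetLabel can flow in thru the current secmark here */` was the only explanation of this block; a replacement comment describing the new xfrm-then-NetLabel ordering and the meaning of `loc_sid`/`ext_sid` would help the next reader.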
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html