On Thu, Jul 9, 2020 at 12:28 PM John Johansen
wrote:
>
> On 7/9/20 9:11 AM, Stephen Smalley wrote:
> > On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler
> > wrote:
> >>
> >> Change the data used in UDS SO_PEERSEC processing from a
> >> secid
On Wed, Jul 8, 2020 at 8:23 PM Casey Schaufler wrote:
>
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will come
On Thu, May 14, 2020 at 7:25 PM Casey Schaufler wrote:
>
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will come
On 5/8/19 2:27 PM, Marcelo Ricardo Leitner wrote:
On Wed, May 08, 2019 at 02:13:17PM -0400, Stephen Smalley wrote:
On 5/8/19 2:12 PM, Stephen Smalley wrote:
On 5/8/19 9:32 AM, Paolo Abeni wrote:
calling connect(AF_UNSPEC) on an already connected TCP socket is an
established way to disconnect
On 5/8/19 2:12 PM, Stephen Smalley wrote:
On 5/8/19 9:32 AM, Paolo Abeni wrote:
calling connect(AF_UNSPEC) on an already connected TCP socket is an
established way to disconnect() such socket. After commit 68741a8adab9
("selinux: Fix ltp test connect-syscall failure") it no longer wor
On 5/8/19 9:32 AM, Paolo Abeni wrote:
calling connect(AF_UNSPEC) on an already connected TCP socket is an
established way to disconnect() such socket. After commit 68741a8adab9
("selinux: Fix ltp test connect-syscall failure") it no longer works
and, in the above scenario connect() fails with EAF
On 2/14/19 1:00 PM, Nazarov Sergey wrote:
Hi, Paul!
I've found the problem and testing it with some very specific custom lsm
module. The test case was simple:
standard TCP/IP client-server application, where server opens CIPSO labeled TCP
socket, and client connecting
to this socket with forbid
On 05/09/2018 11:01 AM, Paul Moore wrote:
> On Wed, May 9, 2018 at 8:37 AM, Stephen Smalley wrote:
>> On 05/08/2018 08:25 PM, Paul Moore wrote:
>>> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley wrote:
>>>> On 05/08/2018 01:05 PM, Paul Moore wrote:
>>>>
On 05/08/2018 08:25 PM, Paul Moore wrote:
> On Tue, May 8, 2018 at 2:40 PM, Stephen Smalley wrote:
>> On 05/08/2018 01:05 PM, Paul Moore wrote:
>>> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
>>> wrote:
>>>> Commit d452930fd3b9 ("selinux: Add SCTP
On 05/08/2018 01:05 PM, Paul Moore wrote:
> On Tue, May 8, 2018 at 10:05 AM, Alexey Kodanev
> wrote:
>> Commit d452930fd3b9 ("selinux: Add SCTP support") breaks compatibility
>> with the old programs that can pass sockaddr_in with AF_UNSPEC and
>> INADDR_ANY to bind(). As a result, bind() returns
On 04/23/2018 09:30 AM, David Herrmann wrote:
> Make sure to implement the new unix_stream_socketpair callback so the
> SO_PEERSEC call on socketpair(2)s will return correct information.
>
> Signed-off-by: David Herrmann
Acked-by: Stephen Smalley
> ---
> security/se
On Wed, 2017-11-29 at 09:34 -0800, Eric Dumazet wrote:
> On Wed, Nov 29, 2017 at 9:31 AM, Stephen Smalley
> wrote:
> > On Wed, 2017-11-29 at 21:26 +1100, James Morris wrote:
> > > I'm seeing a kernel stack corruption bug (detected via gcc) when
> > > running
On Wed, 2017-11-29 at 21:26 +1100, James Morris wrote:
> I'm seeing a kernel stack corruption bug (detected via gcc) when
> running
> the SELinux testsuite on a 4.15-rc1 kernel, in the 2nd inet_socket
> test:
>
> https://github.com/SELinuxProject/selinux-testsuite/blob/master/tests
> /inet_socket
On Tue, 2017-11-28 at 14:39 -0500, Stephen Smalley wrote:
> On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> > The SELinux SCTP implementation is explained in:
> > Documentation/security/SELinux-sctp.rst
> >
> > Signed-off-by: Richard Haines
> > ---
On Mon, 2017-11-27 at 19:32 +, Richard Haines wrote:
> The SELinux SCTP implementation is explained in:
> Documentation/security/SELinux-sctp.rst
>
> Signed-off-by: Richard Haines
> ---
> Documentation/security/SELinux-sctp.rst | 104
> security/selinux/hooks.c|
Hi,
4.14 is failing the selinux-testsuite labeled IPSEC tests despite
having just been fixed in commit cf37966751747727 ("xfrm: do
unconditional template resolution before pcpu cache check"). The
breaking commit is the very next one, commit c9f3f813d462c72d ("xfrm:
Fix stack-out-of-bounds read in
On Mon, 2017-11-13 at 17:40 -0500, Paul Moore wrote:
> On Mon, Nov 13, 2017 at 5:05 PM, Richard Haines
> wrote:
> > On Mon, 2017-11-06 at 19:09 -0500, Paul Moore wrote:
> > > On Tue, Oct 17, 2017 at 9:59 AM, Richard Haines
> > > wrote:
> > > > The SELinux SCTP implementation is explained in:
> >
On Wed, 2017-11-01 at 17:39 -0400, Paul Moore wrote:
> On Tue, Oct 31, 2017 at 7:08 PM, Florian Westphal
> wrote:
> > Paul Moore wrote:
> > > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> > > > matching before (as in this patc
On Wed, 2017-11-01 at 00:08 +0100, Florian Westphal wrote:
> Paul Moore wrote:
> > On Mon, Oct 30, 2017 at 10:58 AM, Stephen Smalley wrote:
> > > matching before (as in this patch) or after calling
> > > xfrm_bundle_ok()?
> >
> > I would probabl
On Tue, 2017-10-31 at 09:43 -0400, Stephen Smalley wrote:
> On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> > Stephen Smalley wrote:
> > > Since 4.14-rc1, the selinux-testsuite has been encountering
> > > sporadic
> > > failures during testing of
On Tue, 2017-10-31 at 12:11 +0100, Florian Westphal wrote:
> Stephen Smalley wrote:
> > Since 4.14-rc1, the selinux-testsuite has been encountering
> > sporadic
> > failures during testing of labeled IPSEC. git bisect pointed to
> > commit ec30d78c14a813db39a647b6a348
try. With these changes,
the selinux-testsuite passes all tests again.
Fixes: ec30d78c14a813db39a647b6a348b4286ba4abf5 ("xfrm: add xdst pcpu cache")
Signed-off-by: Stephen Smalley
---
This is an RFC because I am not entirely confident in the fix, e.g. is it
sufficient to perform this
On Tue, 2017-10-17 at 14:59 +0100, Richard Haines wrote:
> The SELinux SCTP implementation is explained in:
> Documentation/security/SELinux-sctp.txt
>
> Signed-off-by: Richard Haines
> ---
> Documentation/security/SELinux-sctp.txt | 108 +
> security/selinux/hooks.c|
On Thu, 2017-10-12 at 13:55 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduce a bpf object related check when sending and receiving files
> through unix domain socket as well as binder. It checks if the
> receiving
> process have privilege to read/write the bpf map or use the bpf
> prog
heck only works when the BPF_SYSCALL is
> configured.
>
> Signed-off-by: Chenbo Feng
Acked-by: Stephen Smalley
> ---
> include/linux/bpf.h | 3 +++
> kernel/bpf/syscall.c | 4 ++--
> security/selinux/hooks.c | 49
>
try to access the object,
> selinux will check if processes have the right privileges. The
> creation
> of eBPF object are also checked at the general bpf check hook and new
> cmd introduced to eBPF domain can also be checked there.
>
> Signed-off-by: Chenbo Feng
> Acked-by:
On Wed, 2017-10-11 at 13:43 -0700, Chenbo Feng via Selinux wrote:
> On Wed, Oct 11, 2017 at 5:54 AM, Stephen Smalley
> wrote:
> > On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
> > > From: Chenbo Feng
> > >
> > > Introduce a bpf object related check
On Tue, 2017-10-10 at 10:54 -0700, Chenbo Feng via Selinux wrote:
> On Tue, Oct 10, 2017 at 7:52 AM, Stephen Smalley
> wrote:
> > On Tue, 2017-10-10 at 10:18 -0400, Stephen Smalley wrote:
> > > On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
>
On Tue, 2017-10-10 at 17:09 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduce a bpf object related check when sending and receiving files
> through unix domain socket as well as binder. It checks if the
> receiving
> process have privilege to read/write the bpf map or use the bpf
> prog
On Tue, 2017-10-10 at 10:48 -0700, Chenbo Feng wrote:
> On Tue, Oct 10, 2017 at 7:24 AM, Stephen Smalley
> wrote:
> > On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
> > > From: Chenbo Feng
> > >
> > > Introduce a bpf object related check
On Tue, 2017-10-10 at 10:18 -0400, Stephen Smalley wrote:
> On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
> > From: Chenbo Feng
> >
> > Implement the actual checks introduced to eBPF related syscalls.
> > This
> > implementation use the security field ins
On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduce a bpf object related check when sending and receiving files
> through unix domain socket as well as binder. It checks if the
> receiving
> process have privilege to read/write the bpf map or use the bpf
> prog
On Mon, 2017-10-09 at 15:20 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Implement the actual checks introduced to eBPF related syscalls. This
> implementation use the security field inside bpf object to store a
> sid that
> identify the bpf object. And when processes try to access the objec
On Thu, 2017-10-05 at 09:37 -0400, Stephen Smalley wrote:
> On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> > From: Chenbo Feng
> >
> > Introduce a bpf object related check when sending and receiving
> > files
> > through unix domain socket as
On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduce a bpf object related check when sending and receiving files
> through unix domain socket as well as binder. It checks if the
> receiving
> process have privilege to read/write the bpf map or use the bpf
> prog
On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Implement the actual checks introduced to eBPF related syscalls. This
> implementation use the security field inside bpf object to store a
> sid that
> identify the bpf object. And when processes try to access the objec
On Tue, 2017-09-05 at 15:24 -0700, Chenbo Feng via Selinux wrote:
> On Fri, Sep 1, 2017 at 5:50 AM, Stephen Smalley
> wrote:
> > On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote:
> > > From: Chenbo Feng
> > >
> > > Introduce 5 LSM hooks to provide f
On Thu, 2017-08-31 at 13:56 -0700, Chenbo Feng wrote:
> From: Chenbo Feng
>
> Introduce 5 LSM hooks to provide finer granularity controls on eBPF
> related operations including create eBPF maps, modify and read eBPF
> maps
> content and load eBPF programs to the kernel. Hooks use the new
> securi
On Fri, 2017-08-25 at 12:52 -0700, Chenbo Feng via Selinux wrote:
> On Fri, Aug 25, 2017 at 12:45 PM, Jeffrey Vander Stoep wrote:
> > On Fri, Aug 25, 2017 at 12:26 PM, Stephen Smalley wrote:
> > > On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep vi
On Fri, 2017-08-25 at 11:01 -0700, Jeffrey Vander Stoep via Selinux
wrote:
> I’d like to get your thoughts on adding LSM permission checks on BPF
> objects.
>
> By default, the ability to create and use eBPF maps/programs requires
> CAP_SYS_ADMIN [1]. Alternatively, all processes can be granted ac
On 10/21/2016 12:47 AM, Cong Wang wrote:
> On Thu, Oct 20, 2016 at 4:35 PM, Cong Wang wrote:
>> Since you want to test SELinux anyway, please test the attached one.
>>
>
> Finally my kernel config is friendly to SELinux, and now there are several
> tests fails:
>
>
> Test Summary Report
> -
d_sigiotask() -> ... -> audit_log() -> ... ->
peernet2id()
>
> Fixes: bc51dddf98c9 ("netns: avoid disabling irq for netns id")
> Reported-by: Stephen Smalley
> Reported-by: Elad Raz
> Tested-by: Paul Moore
> Signed-off-by: Cong Wang
> ---
> net/cor
d this patch, but I wanted to mention this now in
>> case others are seeing the same problem.
>>
>
> Thanks for the report. Please try following fix.
>
> sk_filter() got additional features like the skb_pfmemalloc() things and
> security_sock_rcv_skb()
This resolved t
e from the parent socket.
Reported-by: Tim Shearer
Signed-off-by: Stephen Smalley
Acked-by: Paul Moore
---
net/tipc/socket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 46b6ed5..3a7567f 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
UNIXSID macro.
Motivated by https://bugzilla.redhat.com/show_bug.cgi?id=1224211,
where systemd was using SCM_CREDENTIALS and assumed wrongly that
SCM_SECURITY was also supported on Unix stream sockets.
Signed-off-by: Stephen Smalley
Acked-by: Paul Moore
---
include/net/af_unix.h | 1 -
net/unix
also wanted to conversely ask what harm exists if we did
> a full-context compare in the event the sids didn't match?
>
> Are we just trying to generally avoid extra code?
More complexity and overhead for no real gain.
--
Stephen Smalley
National Security Agency
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
icates in rare circumstances?
Does it break any assumptions in the rest of the logic?
--
Stephen Smalley
National Security Agency
> a simple "sid1 == sid2" since the security server shouldn't be creating
> duplicate SID/secid values for identical contexts, I think. Did you run into
> something in testing that would indicate otherwise?
Such duplication can occur among the initial SIDs. Not sure though when
that would apply here, and it would only apply if both SIDs were initial
SIDs.
--
Stephen Smalley
National Security Agency
s for either case and we are just waiting to
> hear from others.
I don't understand the argument for network_t, and it seems to violate
our goals of 1) having consistent policy regardless of network labeling
mechanism, and 2) having getpeercon() always return a subject label that
can
&nlbl_sid);
> + BUG_ON(err);
> +
> + if (nlbl_sid)
> + skb->secmark = nlbl_sid;
Similar comments as above.
> }
> - err = avc_has_perm(skb->secmark, SECINITSID
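Review bot: the BUG_ON(err) placed right after the call that fills nlbl_sid turns any failure of that call into a kernel crash while an skb is being handled. Check err and return it to the caller instead, so a failed label lookup is reported as an error rather than halting the machine; the `if (nlbl_sid) skb->secmark = nlbl_sid;` assignment should then only run on the success path.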
on interface), and from
the underlying selinux functions. That would simplify
selinux_xfrm_sec_ctx_alloc() a bit and make the logic clearer.
--
Stephen Smalley
National Security Agency
skb->secmark, SECCLASS_PACKET,
> > + PACKET__FLOW_IN, NULL);
> > + if (err)
> > + goto out;
> > +
> > + if (xfrm_sid)
> > + skb->secmark = xfrm_sid;
> > +
> > + /* See if NetLabel can
On Fri, 2006-09-29 at 10:33 -0400, James Morris wrote:
> On Fri, 29 Sep 2006, Stephen Smalley wrote:
>
> > However, since the transition was removed in the flow_out case, it would
> > be logical to remove it from the flow_in case as well, and that would
> > have the side
On Fri, 2006-09-29 at 10:00 -0400, Joshua Brindle wrote:
> On Fri, 2006-09-29 at 08:59 -0400, Stephen Smalley wrote:
> > On Thu, 2006-09-28 at 23:52 -0400, Joshua Brindle wrote:
> > > Venkat Yekkirala wrote:
> > > >
> > > > +
> > >
freedom to define transitions on the
secmark label if desired, and those transitions can still yield subject
labels.
--
Stephen Smalley
National Security Agency
s the security context and the latter
> releases it. A hook is required for releasing the security context because
> it is up to the security module to decide how that's done. In the case of
> Selinux, it's a simple kfree operation.
Acked-by: Step
_attach_fds(siocb->scm, skb);
> -
> - unix_get_peersec_dgram(skb);
> +#ifdef CONFIG_SECURITY_NETWORK
> + memcpy(UNIXSID(skb), &siocb->scm->sid, sizeof(u32));
> +#endif /* CONFIG_SECURITY_NETWORK */
You want to retain the static inlines, and just update their c
; + BUG_ON(selinux_xfrm_decode_session(skb, &peersid, 0));
Doesn't seem suitable for a BUG_ON.
> +
> + err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
> + if (err) {
> + printk(KERN_ERR "ERROR: security_sid_mls_copy failed.");
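Review bot: the printk in the `if (err)` branch after security_sid_mls_copy() has no trailing "\n" and does not report err, so the message can run into the next log line and gives no reason for the failure. Suggest something like `printk(KERN_ERR "%s: security_sid_mls_copy failed (%d)\n", __func__, err);`.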
n sksec->sid, why don't you change sock_rcv_skb to always
use it, and eliminate the need for the isec and the sk_callback_lock
there? Similarly for postroute_last's use of isec->sid. With direct
labeling of the sock, it is no longer necessary to extract the isec.
--
Stephen Smalley
Nat
0;
> +
> + err = security_socket_getpeersec_dgram(skb, UNIXSEC(skb), &tmp);
tmp should actually be u32 not int (also wrong in the original patch),
and it seems odd to throw it away rather than saving it and using it for
the put_cmsg.
--
Stephen Smalley
National Security Agency
ssible.
Signed-off-by: Darrel Goeddel <[EMAIL PROTECTED]>
Signed-off-by: Stephen Smalley <[EMAIL PROTECTED]>
Acked-by: James Morris <[EMAIL PROTECTED]>
---
include/linux/security.h| 13 +++--
kernel/audit.c |8
net/core/rtnetlink.c
erver applications, which
> inherit the connection fd. In this case, flush_unauthorized_files() will
> ensure that the new domain is authorized to access the fd.
>
> Stephen, can you confirm this?
That doesn't help, as that is just a check based on the socket label,
which will alwa
ation. Hence, you need to look to the patches on
linux-audit or viro's audit-current git tree (lspp.b6 or possibly newer)
to ensure consistency with the interfaces that they will be introducing
there, particularly since that work would likely be going in during the
same time frame as your w
On Tue, 2006-03-21 at 08:32 -0500, Stephen Smalley wrote:
> > I don't expect security_sk_sid() to be terribly expensive. It's not
> > an AVC check, it's just propagating a label. But I've not done any
> > benchmarking on that.
>
> No permission chec
e, as these users are specifically looking
for functionality provided only by SELinux.
> I don't expect security_sk_sid() to be terribly expensive. It's not
> an AVC check, it's just propagating a label. But I've not done any
> benchmarking on that.
No permission check th
> to setcontext.
> >
> > This is intended to be a correction to the 2.6.16 tree.
>
> Signed-off-by: Trent Jaeger <[EMAIL PROTECTED]>
Acked-by: Stephen Smalley <[EMAIL PROTECTED]>
--
Stephen Smalley
National Security Agency