From: Paul Moore <paul.moore@hp.com>
To: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCHSET RFC] selinux: rework labeled IPsec networking
Date: Mon, 14 Feb 2011 11:59:17 -0500 [thread overview]
Message-ID: <1297702757.5470.3.camel@sifl> (raw)
In-Reply-To: <20110214131651.GA15640@secunet.com>
On Mon, 2011-02-14 at 14:16 +0100, Steffen Klassert wrote:
> This patchset attempts to fix some problems I faced when I tried to use
> labeled IPsec and secmark. In particular, packet forwarding with labeled
> IPsec did not behave as I expected. I know, labeled IPsec was not designed
> to do packet forwarding in the first place, but it's possible to use it
> to secure packet forwarding too. I marked the patchset as RFC because
> I'd like to get some feedback before I continue to work on this.
>
> There is one issue on packet forwarding with labeled IPsec for which I
> found no easy solution. If we receive IPsec encrypted packets via some
> interface and want to forward it decrypted via some other interface, we
> can (and we do) check in the postrouting hook if the SA that decrypted the
> packet is allowed to talk to the sending interface. We can do this because
> we have the secpath of the decryption. The other way arround, If we receive
> plain IP packets via some interface and want to forward it, IPsec encrypted
> via some other interface, we can't do this check because we have no secpath
> in this case. The only solution I see here, is to implement a secpath for
> outbound IPsec packets. The secpath pointer in the skb is free in this case,
> so would be possible. But that's a bigger task and I don't want to start
> with something like that before I'm getting feedback on all of this.
>
> The patchset is also availabe at branch 'selinux-networking' of
>
> git://git.kernel.org/pub/scm/linux/kernel/git/klassert/linux-2.6-stk.git
Hi Steffen,
Thanks for the patches, I'm going to try and review them sometime today
or tomorrow (probably in a few different chunks).
For future reference, it was good that you sent these to the LSM list,
but you should probably also include the SELinux list (CC'd) on patches
that are SELinux specific (as I believe all of these are).
* http://www.nsa.gov/research/selinux/subscribe.shtml
--
paul moore
linux @ hp
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next parent reply other threads:[~2011-02-14 16:59 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110214131651.GA15640@secunet.com>
2011-02-14 16:59 ` Paul Moore [this message]
[not found] ` <20110215121900.GA25769@secunet.com>
2011-02-16 0:02 ` [PATCHSET RFC] selinux: rework labeled IPsec networking Paul Moore
[not found] ` <20110221115403.GA20852@secunet.com>
2011-02-21 15:28 ` Paul Moore
[not found] ` <20110214131739.GB15640@secunet.com>
2011-02-16 19:18 ` [PATCH 01/10] selinux: Fix check for xfrm selinux context algorithm Paul Moore
[not found] ` <20110214131815.GC15640@secunet.com>
2011-02-16 19:34 ` [PATCH 02/10] selinux: Perform postroute access control checks after IPsec transfomations Paul Moore
[not found] ` <20110222112334.GB20852@secunet.com>
2011-02-23 21:02 ` Paul Moore
2011-02-28 7:29 ` Steffen Klassert
[not found] ` <20110214131855.GD15640@secunet.com>
2011-02-16 19:39 ` [PATCH 03/10] selinux: Remove checks for xfrm transformations from selinux_xfrm_postroute_last Paul Moore
[not found] ` <20110214131934.GE15640@secunet.com>
2011-02-16 19:46 ` [PATCH 04/10] selinux: Fix wrong checks for selinux_policycap_netpeer Paul Moore
[not found] ` <20110214132009.GF15640@secunet.com>
2011-02-16 20:11 ` [PATCH 05/10] selinux: selinux_xfrm_decode_session check for socket sid Paul Moore
[not found] ` <20110222121143.GC20852@secunet.com>
2011-02-23 21:16 ` Paul Moore
2011-02-25 19:21 ` Joy Latten
2011-02-28 10:25 ` Steffen Klassert
2011-02-28 8:51 ` Steffen Klassert
[not found] ` <20110214132049.GG15640@secunet.com>
2011-02-16 20:19 ` [PATCH 06/10] selinux: Fix packet forwarding checks on postrouting Paul Moore
[not found] ` <20110214132122.GH15640@secunet.com>
2011-02-16 20:32 ` [PATCH 07/10] selinux: Check receiving against sending interface on packet forwarding Paul Moore
[not found] ` <20110222130409.GD20852@secunet.com>
2011-02-23 21:34 ` Paul Moore
2011-02-28 9:10 ` Steffen Klassert
[not found] ` <20110214132157.GI15640@secunet.com>
2011-02-16 20:57 ` [PATCH 08/10] selinux: Fix handling of kernel generated packets on labeled IPsec Paul Moore
[not found] ` <20110222133150.GE20852@secunet.com>
2011-02-23 21:45 ` Paul Moore
2011-02-25 20:50 ` Joy Latten
2011-02-28 10:33 ` Steffen Klassert
2011-03-01 18:41 ` Paul Moore
[not found] ` <20110214132312.GK15640@secunet.com>
2011-02-16 21:08 ` [PATCH 10/10] selinux: Perform xfrm checks for unlabeled access in any case Paul Moore
[not found] ` <20110222135217.GF20852@secunet.com>
2011-02-23 21:59 ` Paul Moore
2011-02-28 11:34 ` Steffen Klassert
2011-03-01 18:42 ` Paul Moore
[not found] ` <20110214132234.GJ15640@secunet.com>
[not found] ` <1297889991.25079.46.camel@sifl>
2011-02-16 22:08 ` [PATCH 09/10] selinux: xfrm - notify users on dropped packets James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1297702757.5470.3.camel@sifl \
--to=paul.moore@hp.com \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@tycho.nsa.gov \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.