* VSOCK & getpeercon()
@ 2021-01-16 12:48 Marc-André Lureau
2021-01-22 16:27 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Marc-André Lureau @ 2021-01-16 12:48 UTC (permalink / raw)
To: selinux; +Cc: Gerd Hoffmann, Stefano Garzarella, paul
Hi,
getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
with SELinux, but I was porting some applications that uses AF_UNIX to
AF_VSOCK and reached that point.
I found some previous discussions about VSOCK & LSM from 2013, but the
reasons it was abandoned don't seem so clear or valid to me:
https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
To me, SELinux could always associate a VSOCK with a process context,
at the very least, and thus enforce some communication policies. No?
thanks
--
Marc-André Lureau
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon()
2021-01-16 12:48 VSOCK & getpeercon() Marc-André Lureau
@ 2021-01-22 16:27 ` Paul Moore
2021-01-22 17:13 ` Casey Schaufler
0 siblings, 1 reply; 4+ messages in thread
From: Paul Moore @ 2021-01-22 16:27 UTC (permalink / raw)
To: Marc-André Lureau; +Cc: selinux, Gerd Hoffmann, Stefano Garzarella
On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau
<marcandre.lureau@gmail.com> wrote:
> Hi,
>
> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
> with SELinux, but I was porting some applications that uses AF_UNIX to
> AF_VSOCK and reached that point.
>
> I found some previous discussions about VSOCK & LSM from 2013, but the
> reasons it was abandoned don't seem so clear or valid to me:
> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
Hi, my apologies for the slow reply.
The SELinux/LSM VSOCK support wasn't abandoned due to any significant
roadblocks, it was simply a matter of time - I seemed to be the only
one who was interested in working on it, and I couldn't find enough
time to work on it ;)
If you are interested in spending some time on adding proper
LSM/SELinux VSOCK support my gut feeling is that it would still be a
good thing. However, I would suggest spending some time investigating
the current state of things, while you may get lucky, I believe it is
safer to assume that anything from 2013 is horribly out of date.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon()
2021-01-22 16:27 ` Paul Moore
@ 2021-01-22 17:13 ` Casey Schaufler
2021-01-22 19:02 ` Paul Moore
0 siblings, 1 reply; 4+ messages in thread
From: Casey Schaufler @ 2021-01-22 17:13 UTC (permalink / raw)
To: Paul Moore, Marc-André Lureau
Cc: selinux, Gerd Hoffmann, Stefano Garzarella, Linux Security Module list
On 1/22/2021 8:27 AM, Paul Moore wrote:
> On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau
> <marcandre.lureau@gmail.com> wrote:
>> Hi,
>>
>> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
>> with SELinux, but I was porting some applications that uses AF_UNIX to
>> AF_VSOCK and reached that point.
>>
>> I found some previous discussions about VSOCK & LSM from 2013, but the
>> reasons it was abandoned don't seem so clear or valid to me:
>> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
> Hi, my apologies for the slow reply.
>
> The SELinux/LSM VSOCK support wasn't abandoned due to any significant
> roadblocks, it was simply a matter of time - I seemed to be the only
> one who was interested in working on it, and I couldn't find enough
> time to work on it ;)
>
> If you are interested in spending some time on adding proper
> LSM/SELinux VSOCK support my gut feeling is that it would still be a
> good thing. However, I would suggest spending some time investigating
> the current state of things, while you may get lucky, I believe it is
> safer to assume that anything from 2013 is horribly out of date.
That's a pretty safe statement. You really have four options at
this point:
- netfilter to set the secmark
- CIPSO/CALIPSO if the protocol supports or can support options
- examining the peer process as is done with AF_UNIX
- eBPF *I think* but you never really know with something that new
There may be something else out there that hasn't gobsmacked me
in the stacking work, so that I wouldn't know about it.
BTW: Please include the (CCed) Linux Security Module list
<linux-security-module@vger.kernel.org> in discussions like this.
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon()
2021-01-22 17:13 ` Casey Schaufler
@ 2021-01-22 19:02 ` Paul Moore
0 siblings, 0 replies; 4+ messages in thread
From: Paul Moore @ 2021-01-22 19:02 UTC (permalink / raw)
To: Casey Schaufler
Cc: Marc-André Lureau, selinux, Gerd Hoffmann,
Stefano Garzarella, Linux Security Module list
On Fri, Jan 22, 2021 at 12:13 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
> On 1/22/2021 8:27 AM, Paul Moore wrote:
> > On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau
> > <marcandre.lureau@gmail.com> wrote:
> >> Hi,
> >>
> >> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
> >> with SELinux, but I was porting some applications that uses AF_UNIX to
> >> AF_VSOCK and reached that point.
> >>
> >> I found some previous discussions about VSOCK & LSM from 2013, but the
> >> reasons it was abandoned don't seem so clear or valid to me:
> >> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
> > Hi, my apologies for the slow reply.
> >
> > The SELinux/LSM VSOCK support wasn't abandoned due to any significant
> > roadblocks, it was simply a matter of time - I seemed to be the only
> > one who was interested in working on it, and I couldn't find enough
> > time to work on it ;)
> >
> > If you are interested in spending some time on adding proper
> > LSM/SELinux VSOCK support my gut feeling is that it would still be a
> > good thing. However, I would suggest spending some time investigating
> > the current state of things, while you may get lucky, I believe it is
> > safer to assume that anything from 2013 is horribly out of date.
>
> That's a pretty safe statement. You really have four options at
> this point:
>
> - netfilter to set the secmark
> - CIPSO/CALIPSO if the protocol supports or can support options
> - examining the peer process as is done with AF_UNIX
> - eBPF *I think* but you never really know with something that new
I don't believe CIPSO, CALIPSO, labeled IPsec and other IP-based
labeling protocols aren't really options here since VSOCK doesn't rely
on IP. I vaguely recall thinking it was much more analogous to
UNIX/LOCAL sockets, but it has been ~seven years since I thought about
this last.
The use of secmark could be interesting assuming there are useful
labeling points for VSOCK and netfilter (secmark'ing a packet doesn't
rely on IP so it should be okay from that perspective).
Of course eBPF support would be interesting, but that is like saying
SELinux, Smack, and AppArmor support would be interesting. I think
the important part is making sure the important objects include the
necessary opaque security blobs (we are probably okay there already),
and making sure we have the LSM hooks in the right places in the code
(also, we *may* be okay there). Once those things are done, it's a
matter of adding the necessary support to each LSM.
> There may be something else out there that hasn't gobsmacked me
> in the stacking work, so that I wouldn't know about it.
>
> BTW: Please include the (CCed) Linux Security Module list
> <linux-security-module@vger.kernel.org> in discussions like this.
--
paul moore
www.paul-moore.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-22 19:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-16 12:48 VSOCK & getpeercon() Marc-André Lureau
2021-01-22 16:27 ` Paul Moore
2021-01-22 17:13 ` Casey Schaufler
2021-01-22 19:02 ` Paul Moore
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.