All of lore.kernel.org
 help / color / mirror / Atom feed
From: Paul Moore <paul@paul-moore.com>
To: Guido Trentalancia <guido@trentalancia.net>
Cc: selinux@tycho.nsa.gov
Subject: Re: [PATCH v4] Classify AF_ALG sockets
Date: Mon, 22 Aug 2016 18:36:59 -0400	[thread overview]
Message-ID: <CAHC9VhQKE3+9KEkPHv4TadChOMsoHovm0pSYwwkAMYY33fDbPw@mail.gmail.com> (raw)
In-Reply-To: <1471899875.19333.3.camel@trentalancia.net>

On Mon, Aug 22, 2016 at 5:04 PM, Guido Trentalancia
<guido@trentalancia.net> wrote:
> Modify the SELinux kernel code so that it is able to classify sockets with
> the new AF_ALG namespace (used for the user-space interface to the kernel
> Crypto API).
>
> A companion patch has been created for the Reference Policy and it will be
> posted to its mailing list, once this patch is merged.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  security/selinux/hooks.c            |    5 +++++
>  security/selinux/include/classmap.h |    2 ++
>  security/selinux/include/security.h |    2 ++
>  security/selinux/ss/services.c      |    3 +++
>  4 files changed, 12 insertions(+)

You are still missing the policy capability code for
security/selinux/selinuxfs.c.  I think it would also be a good idea to
write a test for this and add it to the selinux-testsuite; not only
will this help us confirm this code works as expected, but it will
demonstrate what the new policy would look like and help establish a
regression test for future use.

 * https://github.com/SELinuxProject/selinux-testsuite

> diff -pru linux-4.7.2-orig/security/selinux/hooks.c linux-4.7.2/security/selinux/hooks.c
> --- linux-4.7.2-orig/security/selinux/hooks.c   2016-08-22 22:31:27.737767819 +0200
> +++ linux-4.7.2/security/selinux/hooks.c        2016-08-22 22:40:29.102526024 +0200
> @@ -1315,6 +1315,11 @@ static inline u16 socket_type_to_securit
>                 return SECCLASS_KEY_SOCKET;
>         case PF_APPLETALK:
>                 return SECCLASS_APPLETALK_SOCKET;
> +       case PF_ALG:
> +               if (selinux_policycap_algsocket)
> +                       return SECCLASS_ALG_SOCKET;
> +               else
> +                       return SECCLASS_SOCKET;
>         }
>
>         return SECCLASS_SOCKET;
> diff -pru linux-4.7.2-orig/security/selinux/include/classmap.h linux-4.7.2/security/selinux/include/classmap.h
> --- linux-4.7.2-orig/security/selinux/include/classmap.h        2016-08-22 22:31:27.754768030 +0200
> +++ linux-4.7.2/security/selinux/include/classmap.h     2016-08-22 22:32:14.795355585 +0200
> @@ -144,6 +144,8 @@ struct security_class_mapping secclass_m
>           { COMMON_SOCK_PERMS, NULL } },
>         { "appletalk_socket",
>           { COMMON_SOCK_PERMS, NULL } },
> +       { "alg_socket",
> +         { COMMON_SOCK_PERMS, NULL } },
>         { "packet",
>           { "send", "recv", "relabelto", "forward_in", "forward_out", NULL } },
>         { "key",
> diff -pru linux-4.7.2-orig/security/selinux/include/security.h linux-4.7.2/security/selinux/include/security.h
> --- linux-4.7.2-orig/security/selinux/include/security.h        2016-03-14 05:28:54.000000000 +0100
> +++ linux-4.7.2/security/selinux/include/security.h     2016-08-22 22:53:57.911660238 +0200
> @@ -75,6 +75,7 @@ enum {
>         POLICYDB_CAPABILITY_OPENPERM,
>         POLICYDB_CAPABILITY_REDHAT1,
>         POLICYDB_CAPABILITY_ALWAYSNETWORK,
> +       POLICYDB_CAPABILITY_ALGSOCKET,
>         __POLICYDB_CAPABILITY_MAX
>  };
>  #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
> @@ -82,6 +83,7 @@ enum {
>  extern int selinux_policycap_netpeer;
>  extern int selinux_policycap_openperm;
>  extern int selinux_policycap_alwaysnetwork;
> +extern int selinux_policycap_algsocket;
>
>  /*
>   * type_datum properties
> diff -pru linux-4.7.2-orig/security/selinux/ss/services.c linux-4.7.2/security/selinux/ss/services.c
> --- linux-4.7.2-orig/security/selinux/ss/services.c     2016-08-05 21:27:22.275588616 +0200
> +++ linux-4.7.2/security/selinux/ss/services.c  2016-08-22 22:56:58.616187510 +0200
> @@ -73,6 +73,7 @@
>  int selinux_policycap_netpeer;
>  int selinux_policycap_openperm;
>  int selinux_policycap_alwaysnetwork;
> +int selinux_policycap_algsocket;
>
>  static DEFINE_RWLOCK(policy_rwlock);
>
> @@ -2016,6 +2017,8 @@ static void security_load_policycaps(voi
>                                                   POLICYDB_CAPABILITY_OPENPERM);
>         selinux_policycap_alwaysnetwork = ebitmap_get_bit(&policydb.policycaps,
>                                                   POLICYDB_CAPABILITY_ALWAYSNETWORK);
> +       selinux_policycap_algsocket = ebitmap_get_bit(&policydb.policycaps,
> +                                                 POLICYDB_CAPABILITY_ALGSOCKET);
>  }
>
>  static int security_preserve_bools(struct policydb *p);

-- 
paul moore
www.paul-moore.com

  reply	other threads:[~2016-08-22 22:37 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-20 16:18 [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
2016-08-20 17:17 ` Paul Moore
2016-08-20 17:39   ` Guido Trentalancia
2016-08-20 18:44     ` Paul Moore
2016-08-20 19:09       ` Guido Trentalancia
2016-08-21  3:24         ` Paul Moore
2016-08-21 17:17           ` [PATCH v2] " Guido Trentalancia
2016-08-22 13:02             ` [PATCH v3] Classify AF_ALG sockets (was: Differentiate between Unix Stream Socket and Sequential Packet Socket) Guido Trentalancia
2016-08-22 20:17               ` Paul Moore
2016-08-22 21:07                 ` Guido Trentalancia
2016-08-22 21:04               ` [PATCH v4] Classify AF_ALG sockets Guido Trentalancia
2016-08-22 22:36                 ` Paul Moore [this message]
2016-08-23 13:05                   ` Stephen Smalley
2016-08-23 13:35                     ` Paul Moore
2016-08-23 14:14                 ` [PATCH v5] " Guido Trentalancia
2016-08-23 14:42                   ` Stephen Smalley
2016-08-23 15:21                     ` [PATCH] Update libsepol to support the policy capability for " Guido Trentalancia
2016-08-23 22:02                     ` [PATCH v5] Classify " Paul Moore
2016-08-23 23:03                       ` Guido Trentalancia
2016-08-21 17:31           ` [PATCH] Differentiate between Unix Stream Socket and Sequential Packet Socket Guido Trentalancia
2016-08-21 17:32           ` Guido Trentalancia

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHC9VhQKE3+9KEkPHv4TadChOMsoHovm0pSYwwkAMYY33fDbPw@mail.gmail.com \
    --to=paul@paul-moore.com \
    --cc=guido@trentalancia.net \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.