* VSOCK & getpeercon() @ 2021-01-16 12:48 Marc-André Lureau 2021-01-22 16:27 ` Paul Moore 0 siblings, 1 reply; 4+ messages in thread From: Marc-André Lureau @ 2021-01-16 12:48 UTC (permalink / raw) To: selinux; +Cc: Gerd Hoffmann, Stefano Garzarella, paul Hi, getpeercon() isn't implemented for VSOCK. Note, I am not very familiar with SELinux, but I was porting some applications that uses AF_UNIX to AF_VSOCK and reached that point. I found some previous discussions about VSOCK & LSM from 2013, but the reasons it was abandoned don't seem so clear or valid to me: https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/ To me, SELinux could always associate a VSOCK with a process context, at the very least, and thus enforce some communication policies. No? thanks -- Marc-André Lureau ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon() 2021-01-16 12:48 VSOCK & getpeercon() Marc-André Lureau @ 2021-01-22 16:27 ` Paul Moore 2021-01-22 17:13 ` Casey Schaufler 0 siblings, 1 reply; 4+ messages in thread From: Paul Moore @ 2021-01-22 16:27 UTC (permalink / raw) To: Marc-André Lureau; +Cc: selinux, Gerd Hoffmann, Stefano Garzarella On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau <marcandre.lureau@gmail.com> wrote: > Hi, > > getpeercon() isn't implemented for VSOCK. Note, I am not very familiar > with SELinux, but I was porting some applications that uses AF_UNIX to > AF_VSOCK and reached that point. > > I found some previous discussions about VSOCK & LSM from 2013, but the > reasons it was abandoned don't seem so clear or valid to me: > https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/ Hi, my apologies for the slow reply. The SELinux/LSM VSOCK support wasn't abandoned due to any significant roadblocks, it was simply a matter of time - I seemed to be the only one who was interested in working on it, and I couldn't find enough time to work on it ;) If you are interested in spending some time on adding proper LSM/SELinux VSOCK support my gut feeling is that it would still be a good thing. However, I would suggest spending some time investigating the current state of things, while you may get lucky, I believe it is safer to assume that anything from 2013 is horribly out of date. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon() 2021-01-22 16:27 ` Paul Moore @ 2021-01-22 17:13 ` Casey Schaufler 2021-01-22 19:02 ` Paul Moore 0 siblings, 1 reply; 4+ messages in thread From: Casey Schaufler @ 2021-01-22 17:13 UTC (permalink / raw) To: Paul Moore, Marc-André Lureau Cc: selinux, Gerd Hoffmann, Stefano Garzarella, Linux Security Module list On 1/22/2021 8:27 AM, Paul Moore wrote: > On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau > <marcandre.lureau@gmail.com> wrote: >> Hi, >> >> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar >> with SELinux, but I was porting some applications that uses AF_UNIX to >> AF_VSOCK and reached that point. >> >> I found some previous discussions about VSOCK & LSM from 2013, but the >> reasons it was abandoned don't seem so clear or valid to me: >> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/ > Hi, my apologies for the slow reply. > > The SELinux/LSM VSOCK support wasn't abandoned due to any significant > roadblocks, it was simply a matter of time - I seemed to be the only > one who was interested in working on it, and I couldn't find enough > time to work on it ;) > > If you are interested in spending some time on adding proper > LSM/SELinux VSOCK support my gut feeling is that it would still be a > good thing. However, I would suggest spending some time investigating > the current state of things, while you may get lucky, I believe it is > safer to assume that anything from 2013 is horribly out of date. That's a pretty safe statement. You really have four options at this point: - netfilter to set the secmark - CIPSO/CALIPSO if the protocol supports or can support options - examining the peer process as is done with AF_UNIX - eBPF *I think* but you never really know with something that new There may be something else out there that hasn't gobsmacked me in the stacking work, so that I wouldn't know about it. BTW: Please include the (CCed) Linux Security Module list <linux-security-module@vger.kernel.org> in discussions like this. > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VSOCK & getpeercon() 2021-01-22 17:13 ` Casey Schaufler @ 2021-01-22 19:02 ` Paul Moore 0 siblings, 0 replies; 4+ messages in thread From: Paul Moore @ 2021-01-22 19:02 UTC (permalink / raw) To: Casey Schaufler Cc: Marc-André Lureau, selinux, Gerd Hoffmann, Stefano Garzarella, Linux Security Module list On Fri, Jan 22, 2021 at 12:13 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 1/22/2021 8:27 AM, Paul Moore wrote: > > On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau > > <marcandre.lureau@gmail.com> wrote: > >> Hi, > >> > >> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar > >> with SELinux, but I was porting some applications that uses AF_UNIX to > >> AF_VSOCK and reached that point. > >> > >> I found some previous discussions about VSOCK & LSM from 2013, but the > >> reasons it was abandoned don't seem so clear or valid to me: > >> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/ > > Hi, my apologies for the slow reply. > > > > The SELinux/LSM VSOCK support wasn't abandoned due to any significant > > roadblocks, it was simply a matter of time - I seemed to be the only > > one who was interested in working on it, and I couldn't find enough > > time to work on it ;) > > > > If you are interested in spending some time on adding proper > > LSM/SELinux VSOCK support my gut feeling is that it would still be a > > good thing. However, I would suggest spending some time investigating > > the current state of things, while you may get lucky, I believe it is > > safer to assume that anything from 2013 is horribly out of date. > > That's a pretty safe statement. You really have four options at > this point: > > - netfilter to set the secmark > - CIPSO/CALIPSO if the protocol supports or can support options > - examining the peer process as is done with AF_UNIX > - eBPF *I think* but you never really know with something that new I don't believe CIPSO, CALIPSO, labeled IPsec and other IP-based labeling protocols aren't really options here since VSOCK doesn't rely on IP. I vaguely recall thinking it was much more analogous to UNIX/LOCAL sockets, but it has been ~seven years since I thought about this last. The use of secmark could be interesting assuming there are useful labeling points for VSOCK and netfilter (secmark'ing a packet doesn't rely on IP so it should be okay from that perspective). Of course eBPF support would be interesting, but that is like saying SELinux, Smack, and AppArmor support would be interesting. I think the important part is making sure the important objects include the necessary opaque security blobs (we are probably okay there already), and making sure we have the LSM hooks in the right places in the code (also, we *may* be okay there). Once those things are done, it's a matter of adding the necessary support to each LSM. > There may be something else out there that hasn't gobsmacked me > in the stacking work, so that I wouldn't know about it. > > BTW: Please include the (CCed) Linux Security Module list > <linux-security-module@vger.kernel.org> in discussions like this. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-01-22 19:35 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-01-16 12:48 VSOCK & getpeercon() Marc-André Lureau 2021-01-22 16:27 ` Paul Moore 2021-01-22 17:13 ` Casey Schaufler 2021-01-22 19:02 ` Paul Moore
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.