linux-security-module.vger.kernel.org archive mirror
From: Richard Haines <richard_c_haines@btinternet.com>
To: Paul Moore <paul@paul-moore.com>, Harald Welte <laforge@gnumonks.org>
Cc: pablo@netfilter.org, selinux@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	osmocom-net-gprs@lists.osmocom.org, netdev@vger.kernel.org,
	Stephen Smalley <stephen.smalley.work@gmail.com>,
	James Morris <jmorris@namei.org>
Subject: Re: [PATCH 3/3] selinux: Add SELinux GTP support
Date: Tue, 13 Oct 2020 17:38:16 +0100
Message-ID: <77226ae9dc60113d1953c1f957849d6460c5096f.camel@btinternet.com>
In-Reply-To: <CAHC9VhTrSBsm-qVh95J2SzUq5=_pESwTUBRmVSjXOoyG+97jYA@mail.gmail.com>

On Tue, 2020-10-13 at 09:55 -0400, Paul Moore wrote:
> On Mon, Oct 12, 2020 at 5:40 AM Harald Welte <laforge@gnumonks.org> wrote:
> > Hi Paul,
> > 
> > On Sun, Oct 11, 2020 at 10:09:11PM -0400, Paul Moore wrote:
> > > Harald, Pablo - I know you both suggested taking a slow iterative
> > > approach to merging functionality, perhaps you could also help
> > > those of us on the SELinux side better understand some of the
> > > common GTP use cases?
> > 
> > There really only is one use case for this code:  The GGSN or P-GW
> > function in the 3GPP network architecture ...
> > 
> > Hope this helps,
> >         Harald
> 
> It does, thank you.
> 
> It looks like this patchset is not really a candidate for merging in
> its current form, but I didn't want to lose this information (both
> the patches and Harald's comments) so I created a GH issue to track
> this at the URL below.
> 
> * https://github.com/SELinuxProject/selinux-kernel/issues/54
> 

While I was not expecting these patches to be accepted for the current
version, the main aim was to see what LSM security services could be
implemented on possible 5G components, bearing in mind the DARPA Open
Programmable Secure 5G (OPS-5G) initiative (probably 'jumping the gun'
here a bit though). 

There is in development a 5G version of GTP at [1]. I have added the
enhanced hooks to this (plus retrieve contexts via call-backs etc.),
and have it running on 5.9, passing their tests. I'm not sure how far
this development will go, but a starter ??.

The other component that seems to be widely used in these systems is
SCTP that I added hooks to a few years ago, also TCP/UDP etc. that are
already well catered for. Also there would be a large amount of
userspace code ....

Anyway food for thought.

[1] https://github.com/PrinzOwO/gtp5g


