From: Casey Schaufler <casey@schaufler-ca.com>
To: "Paul Moore" <paul@paul-moore.com>,
"Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: selinux@vger.kernel.org, Gerd Hoffmann <kraxel@redhat.com>,
Stefano Garzarella <sgarzare@redhat.com>,
Linux Security Module list
<linux-security-module@vger.kernel.org>
Subject: Re: VSOCK & getpeercon()
Date: Fri, 22 Jan 2021 09:13:36 -0800 [thread overview]
Message-ID: <3b5a02e0-1361-6fe5-9a2e-2a9113e99d2b@schaufler-ca.com> (raw)
In-Reply-To: <CAHC9VhSCmhkcRgWtGQNhSr8SQueHWtw3qW9SEtNnEgC=AyzVZg@mail.gmail.com>
On 1/22/2021 8:27 AM, Paul Moore wrote:
> On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau
> <marcandre.lureau@gmail.com> wrote:
>> Hi,
>>
>> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
>> with SELinux, but I was porting some applications that uses AF_UNIX to
>> AF_VSOCK and reached that point.
>>
>> I found some previous discussions about VSOCK & LSM from 2013, but the
>> reasons it was abandoned don't seem so clear or valid to me:
>> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
> Hi, my apologies for the slow reply.
>
> The SELinux/LSM VSOCK support wasn't abandoned due to any significant
> roadblocks, it was simply a matter of time - I seemed to be the only
> one who was interested in working on it, and I couldn't find enough
> time to work on it ;)
>
> If you are interested in spending some time on adding proper
> LSM/SELinux VSOCK support my gut feeling is that it would still be a
> good thing. However, I would suggest spending some time investigating
> the current state of things, while you may get lucky, I believe it is
> safer to assume that anything from 2013 is horribly out of date.
That's a pretty safe statement. You really have four options at
this point:
- netfilter to set the secmark
- CIPSO/CALIPSO if the protocol supports or can support options
- examining the peer process as is done with AF_UNIX
- eBPF *I think* but you never really know with something that new
There may be something else out there that hasn't gobsmacked me
in the stacking work, so that I wouldn't know about it.
BTW: Please include the (CCed) Linux Security Module list
<linux-security-module@vger.kernel.org> in discussions like this.
>
next prev parent reply other threads:[~2021-01-22 17:16 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-16 12:48 VSOCK & getpeercon() Marc-André Lureau
2021-01-22 16:27 ` Paul Moore
2021-01-22 17:13 ` Casey Schaufler [this message]
2021-01-22 19:02 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3b5a02e0-1361-6fe5-9a2e-2a9113e99d2b@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=kraxel@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=marcandre.lureau@gmail.com \
--cc=paul@paul-moore.com \
--cc=selinux@vger.kernel.org \
--cc=sgarzare@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).