SELinux Archive on
 help / color / Atom feed
From: Casey Schaufler <>
To: David Miller <>
Subject: Re: New skb extension for use by LSMs (skb "security blob")?
Date: Fri, 23 Aug 2019 11:56:33 -0700
Message-ID: <> (raw)
In-Reply-To: <>

On 8/22/2019 3:36 PM, David Miller wrote:
> From: Casey Schaufler <>
> Date: Thu, 22 Aug 2019 15:34:44 -0700
>> On 8/22/2019 3:28 PM, David Miller wrote:
>>> From: Casey Schaufler <>
>>> Date: Thu, 22 Aug 2019 14:59:37 -0700
>>>> Sure, you *can* do that, but it would be insane to do so.
>>> We look up the neighbour table entries on every single packet we
>>> transmit from the kernel in the same exact way.
>>> And it was exactly to get rid of a pointer in a data structure.
>> I very much expect that the lifecycle management issues would
>> be completely different, but I'll admit to having little understanding
>> of the details of the neighbour table.
> Neighbour table entries can live anywhere from essentially forever down
> to several microseconds.
> If your hash is good, and you use RCU locking on the read side, it's a
> single pointer dereference in cost.

The secmark is the data used by the netfilter system.
While it would be (Turing compatible, after all) possible,
we're talking multiple attributes with different lifecycles
being managed in a table (list, whatever) that may expand
explosively. Using a single ID to reference into a table that
could contain:
	secmark from iptables for SELinux
	secmark from iptables for AppArmor
	SELinux secid/context for the packet
	AppArmor secid/context for the packet
will be hairy. In the netfilter processing we may have to
allocate a new table entry. There's no way to identify that
the entry is no longer necessary, as there is no lifecycle
on a secmark. Is it possible to come up with something that
will limp along? Possibly. If there's a blob pointer, we know
how to do all this effectively.

  reply index

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-21 22:00 Paul Moore
2019-08-21 22:50 ` David Miller
2019-08-22  3:27   ` Paul Moore
2019-08-22  3:54     ` David Miller
2019-08-22 18:50       ` Casey Schaufler
2019-08-22  7:03 ` Florian Westphal
2019-08-22 16:32   ` Paul Moore
2019-08-22 20:10     ` Casey Schaufler
2019-08-22 20:15       ` Florian Westphal
2019-08-22 20:35         ` Casey Schaufler
2019-08-22 21:18           ` David Miller
2019-08-22 21:59             ` Casey Schaufler
2019-08-22 22:28               ` David Miller
2019-08-22 22:34                 ` Casey Schaufler
2019-08-22 22:36                   ` David Miller
2019-08-23 18:56                     ` Casey Schaufler [this message]
2019-08-22 21:17       ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on

Archives are clonable:
	git clone --mirror selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ \
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone