[redhat-lspp] Re: [RFC] [MLSXFRM 02/04] Add enforcement to SE Linux LSM

Trent Jaeger tjaeger at cse.psu.edu
Tue Jun 20 21:35:58 UTC 2006


On Jun 20, 2006, at 2:39 PM, Venkat Yekkirala wrote:

>> What you are saying makes sense.  I will take a last look at the code
>> tomorrow, and give OK (assuming optimism).
>
> FYI- I have sent a revised set out to netdev and selinux for broader
> exposure pending your final review. Thanks.

I have a question: if the sock type does not match the policy type  
(xfrm_lookup hook on output step (2)), can we send the packet?

It seems on output the socket and policy types must match, but this  
is not the case on input (input step (3) checks socket access and  
flow type is from sa).  Nor was it the case in the original patch.

Output step (4) checks that the socket can send to the specific sa  
type which is right.

The extra level of indirection provided by the flow makes things a  
bit harder to follow, so I think that this should be made clear in  
documentation somehow.  I am not sure if people will be able to  
maintain this notion easily later.  My understanding is below.

On input:
(1) get flow label from sa via packet
(2) authorize flow label matches policy (xfrm_lookup hook)
(3) authorize socket access to sa label (rcv_skb)

On output:
(1) get flow label from socket (xfrm_lookup)
(2) authorize flow label matches policy (xfrm_lookup hook)
(3) authorize sa matches policy (state_pol_flow)
(4) authorize flow label can send to state (flow_state_match)

Regards,
Trent.
----------------------------------------------
Trent Jaeger, Associate Professor
Pennsylvania State University, CSE Dept
346A IST Bldg, University Park, PA 16802
Email: tjaeger at cse.psu.edu
Ph: (814) 865-1042, Fax: (814) 865-3176
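
Added example, not part of this message or of the patch set: a toy C model of the check order listed above, showing the case the question raises, where a socket whose label does not match the policy is stopped at output step (2) but still passes the input checks. The labels, the permission names and the allow table are constructed for illustration, and each authorization is modeled as a simple table lookup.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy policy, not real SELinux policy: allowed (source, target,
 * permission) triples. Labels and permission names are hypothetical. */
struct rule { const char *src, *tgt, *perm; };
static const struct rule allowed[] = {
    { "sa_a_t",   "pol_a_t", "match" },  /* sa label may use the policy  */
    { "sock_a_t", "pol_a_t", "match" },  /* socket a's flow may use it   */
    { "sock_a_t", "sa_a_t",  "send"  },
    { "sock_a_t", "sa_a_t",  "recv"  },
    { "sock_b_t", "sa_a_t",  "recv"  },  /* socket b: receive only       */
    { "sock_c_t", "pol_a_t", "match" },  /* socket c: policy but no send */
};

static int allow(const char *s, const char *t, const char *p)
{
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (!strcmp(allowed[i].src, s) && !strcmp(allowed[i].tgt, t) &&
            !strcmp(allowed[i].perm, p))
            return 1;
    return 0;
}

/* Both functions return 0 if every step passes, else the denying step. */
int input_path(const char *sock, const char *sa, const char *pol)
{
    const char *flow = sa;                     /* (1) flow label from sa     */
    if (!allow(flow, pol, "match")) return 2;  /* (2) xfrm_lookup hook       */
    if (!allow(sock, sa, "recv"))   return 3;  /* (3) rcv_skb                */
    return 0;
}

int output_path(const char *sock, const char *sa, const char *pol)
{
    const char *flow = sock;                   /* (1) flow label from socket */
    if (!allow(flow, pol, "match")) return 2;  /* (2) xfrm_lookup hook       */
    if (!allow(sa, pol, "match"))   return 3;  /* (3) state_pol_flow         */
    if (!allow(flow, sa, "send"))   return 4;  /* (4) flow_state_match       */
    return 0;
}

int main(void)
{
    printf("in  sock_b: %d\n", input_path("sock_b_t", "sa_a_t", "pol_a_t"));
    printf("out sock_b: %d\n", output_path("sock_b_t", "sa_a_t", "pol_a_t"));
    return 0;
}
```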





