Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel mode

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Ahmed S. Darwish <darwish.07@...>, Casey Schaufler <casey@...>, Paul Moore <paul.moore@...>

Cc: <linux-security-module@...>, LKML <linux-kernel@...>, <netdev@...>, Andrew Morton <akpm@...>

Subject: Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel mode

Date: Friday, May 30, 2008 - 7:10 pm

--- "Ahmed S. Darwish" <darwish.07@gmail.com> wrote:

quoted text> Hi all,
> 
> In case of Smack 'unlabeled' netlabel option, Smack passes a _zero_
> initialized 'secattr' to label a packet/sock. This causes an 
> [unfound domain label error]/-ENOENT by netlbl_sock_setattr().
> Above Netlabel failure leads to Smack socket hooks failure causing 
> an always-on socket() -EPERM error.
> 
> Such packets should have a netlabel domain agreed with netlabel to 
> represent unlabeled packets. Fortunately Smack net ambient label 
> packets are agreed with netlabel to be treated as unlabeled packets. 
> 
> Treat all packets coming out from a 'unlabeled' Smack system as
> coming from the smack net ambient label.

To date the behavior of a Smack system running with nltype
unlabeled has been carefully undefined. The way you're defining
it will result in a system in which only processes running with
the ambient label will be able to use sockets, unless I'm reading
the code incorrectly. This seems like "correct" behavior, but
I don't think it is what those who've tried it would expect.


Casey Schaufler
casey@schaufler-ca.com
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel mode, Ahmed S. Darwish, (Fri May 30, 7:36 pm)

Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel ..., Casey Schaufler, (Fri May 30, 7:10 pm)

Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel ..., Ahmed S. Darwish, (Fri May 30, 8:58 pm)

Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel ..., Paul Moore, (Sat May 31, 9:08 am)

Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel ..., Casey Schaufler, (Fri May 30, 8:37 pm)

[PATCH BUGFIX -v2 -rc4] Smack: Respect 'unlabeled' netlabel ..., Ahmed S. Darwish, (Fri May 30, 7:57 pm)

Re: [PATCH BUGFIX -v2 -rc4] Smack: Respect 'unlabeled' netla..., Casey Schaufler, (Fri May 30, 7:45 pm)

Re: [PATCH BUGFIX -v2 -rc4] Smack: Respect 'unlabeled' netla..., Andrew Morton, (Fri May 30, 7:25 pm)

Re: [PATCH BUGFIX -v2 -rc4] Smack: Respect 'unlabeled' netla..., Ahmed S. Darwish, (Fri May 30, 9:12 pm)

Re: [PATCH BUGFIX -v2 -rc4] Smack: Respect 'unlabeled' netla..., Tetsuo Handa, (Fri May 30, 7:10 pm)


linux-kernel:
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
Greg Kroah-Hartman	[PATCH 005/196] Chinese: add translation of SubmittingDrivers
Thomas Kuther	IT821x: no DMA since 2.6.21
Andre Noll	Re: Linus 2.6.23-rc1
git:

linux-netdev:
Gerrit Renker	[PATCH 13/37] dccp: Deprecate Ack Ratio sysctl
Corey Minyard	[PATCH 3/3] Convert the UDP hash lock to RCU
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
openbsd-misc: