[redhat-lspp] Updated NetLabel patch

Venkat Yekkirala vyekkirala at TrustedCS.com
Fri Jun 16 23:21:20 UTC 2006


> How is this being handled in the xfrm case (TCS folks cc'd)?  The
> parallel is selection of the appropriate outbound SA for an accept'd
> socket.

The problem actually crops up earlier than accept, right at the time
a SYN comes in and a SYN needs to be returned at the peer's label using
an SA at that label. All that we have at this point is an openreq and
the return SYN is sent on behalf of the parent sock.

Solving this is probably going to require looking at the child sock
as more of an extension of the peer (at least for MLS labelling purposes),
and relying on selinux_socket_sendmsg and selinux_socket_recvmsg to
arbitrate process access to the child socket.

I was actually going to post an incremental patch (after cleanup) that did
the following:

- Label openreq with the parent sock's TE but with MLS taken from the peer
  context.
- Propagate the label onto the flow for the return SYN; this would result in
  the flow using an SA that is at the peer's MLS label.
- Create the child sock (IP level sock) at the same label as the openreq.
- At accept time, graft the label on the IP sock onto the freshly created
  and as yet not user-land-accessible socket (into isec).
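Added example, not part of the message or the patch it discusses: a userspace C sketch of the labelling rule the list describes, where the openreq/child context keeps the parent sock's user:role:type and takes its MLS range from the peer's context. The kernel does this on SIDs through the security server rather than on context strings; the function name `mls_copy_context`, the handling of a peer without an MLS range, and the sample contexts are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Build `out` = user:role:type of `parent` + MLS range of `peer`.
 * The MLS range is everything after the third ':'; if the peer carries
 * none, the result carries none either. Returns false on malformed
 * input (fewer than three fields) or an undersized buffer.
 * Hypothetical helper written for this example, not kernel code. */
bool mls_copy_context(const char *parent, const char *peer,
                      char *out, size_t outlen)
{
    /* End of the parent's TE part: at the third ':' or at end of string. */
    const char *te_end = parent;
    int colons = 0;
    for (; *te_end; te_end++)
        if (*te_end == ':' && ++colons == 3)
            break;
    if (colons < 2)
        return false;

    /* Start of the peer's MLS part: just past its third ':'. */
    const char *mls = peer;
    colons = 0;
    while (*mls && colons < 3)
        if (*mls++ == ':')
            colons++;
    if (colons < 2)
        return false;
    bool peer_has_mls = (colons == 3 && *mls != '\0');

    size_t te_len = (size_t)(te_end - parent);
    size_t need = te_len + (peer_has_mls ? 1 + strlen(mls) : 0) + 1;
    if (need > outlen)
        return false;

    memcpy(out, parent, te_len);
    if (peer_has_mls) {
        out[te_len] = ':';
        memcpy(out + te_len + 1, mls, strlen(mls) + 1);
    } else {
        out[te_len] = '\0';
    }
    return true;
}

int main(void)
{
    char ctx[256];   /* constructed sample contexts, not from the patch */
    if (mls_copy_context("system_u:system_r:sshd_t:s0",
                         "system_u:object_r:peer_t:s2:c0.c3", ctx, sizeof ctx))
        printf("openreq context: %s\n", ctx);
    return 0;
}
```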
