Hi Richard,

I don't fully understand in which context you need / use those SELinux GTP hooks, however one comment from the point of view of somebody who is working on GGSN/P-GW software using the GTP kernel module:

On Wed, Sep 30, 2020 at 10:49:34AM +0100, Richard Haines wrote:
> +selinux_gtp_dev_cmd()
> +~~~~~~~~~~~~~~~~~~~~~
> +Validate if the caller (current SID) and the GTP device SID have the required
> +permission to perform the operation. The GTP/SELinux permission map is
> +as follow::
> +
> + GTP_CMD_NEWPDP = gtp { add }
> + GTP_CMD_DELPDP = gtp { del }
> + GTP_CMD_GETPDP = gtp { get }

Wouldn't it make sense to differentiate between:

a) add/del/get on the GTP netdev
b) add/del/get on the individual PDP within the GTP netdev

'a' is typically only created once at startup of a GGSN/P-GW software, or is done even at system start-up time.

'b' is performed frequently during runtime as the GGSN/P-GW function runs, as subscribers attach to / detach from the cellular network.

By differentiating between those two, one could further constrain the permissions required at runtime.

-- 
- Harald Welte <laforge@xxxxxxxxxxxx>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
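Review bot: the quoted documentation for selinux_gtp_dev_cmd() lists a permission mapping only for GTP_CMD_NEWPDP, GTP_CMD_DELPDP and GTP_CMD_GETPDP, but it does not say what the hook does for any other generic-netlink command that reaches it (deny by default, or pass through unchecked), nor how the "GTP device SID" it checks against is assigned to the netdev. Both matter for anyone writing policy against the new gtp class, so a sentence after "The GTP/SELinux permission map is as follow::" stating the default behaviour for unlisted commands and the labelling source of the device SID would make the mapping table complete. Minor wording: "Validate if" reads better as "Validate whether", and "as follow::" should be "as follows::".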