On 1/22/2021 8:27 AM, Paul Moore wrote: > On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau > <marcandre.lureau@xxxxxxxxx> wrote: >> Hi, >> >> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar >> with SELinux, but I was porting some applications that uses AF_UNIX to >> AF_VSOCK and reached that point. >> >> I found some previous discussions about VSOCK & LSM from 2013, but the >> reasons it was abandoned don't seem so clear or valid to me: >> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/ > Hi, my apologies for the slow reply. > > The SELinux/LSM VSOCK support wasn't abandoned due to any significant > roadblocks, it was simply a matter of time - I seemed to be the only > one who was interested in working on it, and I couldn't find enough > time to work on it ;) > > If you are interested in spending some time on adding proper > LSM/SELinux VSOCK support my gut feeling is that it would still be a > good thing. However, I would suggest spending some time investigating > the current state of things, while you may get lucky, I believe it is > safer to assume that anything from 2013 is horribly out of date. That's a pretty safe statement. You really have four options at this point: - netfilter to set the secmark - CIPSO/CALIPSO if the protocol supports or can support options - examining the peer process as is done with AF_UNIX - eBPF *I think* but you never really know with something that new There may be something else out there that hasn't gobsmacked me in the stacking work, so that I wouldn't know about it. BTW: Please include the (CCed) Linux Security Module list <linux-security-module@xxxxxxxxxxxxxxx> in discussions like this. >
