Re: selinux: support IPPROTO_SMC in socket_type_to_security_class()

On Fri, Aug 16, 2024 at 7:42 AM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Fri, Aug 16, 2024 at 7:21 AM Stephen Smalley
> <stephen.smalley.work@xxxxxxxxx> wrote:
> >
> > On Thu, Aug 15, 2024 at 11:57 PM Jeongjun Park <aha310510@xxxxxxxxx> wrote:
> > >
> > > Paul Moore wrote:
> > > >
> > > > On Thu, Aug 15, 2024 at 4:32 AM Jeongjun Park <aha310510@xxxxxxxxx> wrote:
> > > > >
> > > > > IPPROTO_SMC feature has been added to net/smc. It is now possible to
> > > > > create smc sockets in the following way:
> > > > >
> > > > >   /* create v4 smc sock */
> > > > >   v4 = socket(AF_INET, SOCK_STREAM, IPPROTO_SMC);
> > > > >
> > > > >   /* create v6 smc sock */
> > > > >   v6 = socket(AF_INET6, SOCK_STREAM, IPPROTO_SMC);
> > > > >
> > > > > Therefore, we need to add code to support IPPROTO_SMC in
> > > > > socket_type_to_security_class().
> > > > >
> > > > > Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx>
> > > > > ---
> > > > >  security/selinux/hooks.c | 2 ++
> > > > >  1 file changed, 2 insertions(+)
> > > >
> > > > I'm a little concerned that the small patch below might not be all
> > > > that is needed to properly support SMC in SELinux.  Can you explain
> > > > what testing you've done with SMC on a SELinux system?
> > >
> > > I don't have much knowledge about smc, so I couldn't test everything, but
> > > I created a socket, performed setsockopt, and tested two sockets
> > > communicating with each other. When I tested it, performing smc-related
> > > functions worked well without any major problems.
> > >
> > > And after analyzing it myself, I didn't see any additional patches needed
> > > to support IPPROTO_SMC in selinux other than this patch. So you don't
> > > have to worry.
> >
> > Note that Jeongjun is not introducing SELinux support for SMC sockets
> > for the first time here; he is just updating the already existing
> > support to correctly map the new IPPROTO_SMC to the already existing
> > SECCLASS_SMC_SOCKET. We were already handling such sockets created via
> > socket(AF_SMC, ...); what changed was that they added support for
> > creating them via socket(AF_INET, SOCK_STREAM, IPPROTO_SMC) too.
>
> Also, the extent of the support is limited to just the socket layer
> checks, but this is not a change and is no different than many of the
> other AF_* families besides the small number that have been more
> specifically instrumented for SELinux.

Normally, this would be exercised by
selinux-testsuite/tests/extended_socket_class but we didn't include
SMC testing there originally because SMC sockets depend on INFINIBAND.
However, looking at the kconfig options, it appears that perhaps we
could test it locally via CONFIG_SMC_LO=y if we enable that along with
CONFIG_SMC and CONFIG_INFINIBAND in the selinux-testsuite/defconfig.
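
The mapping discussed in this thread, as an added userspace model; it is not the kernel's code and not the patch, whose hunk is not shown on this page. The enum names, `model_class()` and the `patched` flag are hypothetical; the pre-patch fallback to `rawip_socket` and the gating on the extended socket class policy capability are assumptions based on the upstream function.

```c
/* Added example: userspace model of SELinux's socket class choice for
 * AF_INET/AF_INET6 stream sockets. Not kernel source. */
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef IPPROTO_SMC
#define IPPROTO_SMC 256     /* uapi linux/in.h value; older libcs lack it */
#endif
#ifndef IPPROTO_MPTCP
#define IPPROTO_MPTCP 262   /* uapi linux/in.h value */
#endif

enum sk_class { CLS_TCP, CLS_SCTP, CLS_SMC, CLS_RAWIP, CLS_UNMODELLED };

static const char *class_name(enum sk_class c)
{
    static const char *names[] = { "tcp_socket", "sctp_socket", "smc_socket",
                                   "rawip_socket", "(not modelled)" };
    return names[c];
}

/* extsockclass: policy enables extended_socket_class (assumed gate).
 * patched: 0 = mapping before the patch, 1 = after. */
static enum sk_class model_class(int family, int type, int protocol,
                                 int extsockclass, int patched)
{
    if ((family != AF_INET && family != AF_INET6) ||
        (type != SOCK_STREAM && type != SOCK_SEQPACKET))
        return CLS_UNMODELLED;   /* other families/types are out of scope */
    if (protocol == IPPROTO_IP || protocol == IPPROTO_TCP ||
        (extsockclass && protocol == IPPROTO_MPTCP))
        return CLS_TCP;
    if (extsockclass && protocol == IPPROTO_SCTP)
        return CLS_SCTP;
    if (patched && extsockclass && protocol == IPPROTO_SMC)
        return CLS_SMC;
    return CLS_RAWIP;   /* everything else lands in the generic class */
}

int main(void)
{
    int fams[] = { AF_INET, AF_INET6 };
    for (int i = 0; i < 2; i++)
        for (int patched = 0; patched <= 1; patched++)
            printf("family=%d IPPROTO_SMC patched=%d -> %s\n", fams[i], patched,
                   class_name(model_class(fams[i], SOCK_STREAM, IPPROTO_SMC,
                                          1, patched)));
    return 0;
}
```

In this model, policy rules written for `smc_socket` only apply to an `AF_INET`/`AF_INET6`-created SMC socket once the protocol is mapped to that class.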




