From: James Morris <[EMAIL PROTECTED]>
Date: Wed, 28 Jun 2006 10:00:48 -0400 (EDT)
> On Wed, 28 Jun 2006, Catherine Zhang wrote:
>
> > Hi,
> >
> > Minor fix (un-export selinux_get_sock_sid()).
>
> Thanks, looks ok to me.
>
> Acked-by: James Morris <[EMAIL PROTECTED]>
Applied, thanks a lot.
-
Thank you all for your help! It's been great working with you.
Catherine
David Miller <[EMAIL PROTECTED]> wrote on 06/29/2006 03:28:00 PM:
> From: James Morris <[EMAIL PROTECTED]>
> Date: Wed, 28 Jun 2006 10:00:48 -0400 (EDT)
>
> > On Wed, 28 Jun 2006, Catherine Zhang wrote:
> >
> > > Hi,
> >
On Wed, 28 Jun 2006, Catherine Zhang wrote:
> Hi,
>
> Minor fix (un-export selinux_get_sock_sid()).
Thanks, looks ok to me.
Acked-by: James Morris <[EMAIL PROTECTED]>
--
James Morris
<[EMAIL PROTECTED]>
-
Hi,
Minor fix (un-export selinux_get_sock_sid()).
thanks,
Catherine
--
From: [EMAIL PROTECTED]
This patch implements an API whereby an application can determine the
label of its peer's Unix datagram sockets via the auxiliary data mechanism of
recvmsg.
Patch purpose:
This patch enables a se
Got it. Will send a new patch soon.
Catherine
James Morris <[EMAIL PROTECTED]> wrote on 06/27/2006 10:13:48 PM:
> On Tue, 27 Jun 2006, Xiaolan Zhang wrote:
>
> > > Just one more thing, we don't need to export this function now.
> >
> > You mean moving it to security/selinux/hooks.c and making
On Tue, 27 Jun 2006, James Morris wrote:
> > I think conceptually this is where it should reside -- auditing system
> > might need it in the future, for example.
>
> We can export it then.
To clarify, we can export it if the audit system needs it, in the future.
- James
--
James Morris
<[EM
On Tue, 27 Jun 2006, Xiaolan Zhang wrote:
> > Just one more thing, we don't need to export this function now.
>
> You mean moving it to security/selinux/hooks.c and making it static?
Yep.
> I think conceptually this is where it should reside -- auditing system
> might need it in the future, fo
James Morris <[EMAIL PROTECTED]> wrote on 06/27/2006 09:33:17 PM:
> On Tue, 27 Jun 2006, Catherine Zhang wrote:
>
> > diff -puN security/selinux/exports.c~lsm-secpeer-unix
> security/selinux/exports.c
> > --- linux-2.6.17-rc6-mm2-JM/security/selinux/exports.c~lsm-
> secpeer-unix 2006-06-27 18:
On Tue, 27 Jun 2006, Catherine Zhang wrote:
> diff -puN security/selinux/exports.c~lsm-secpeer-unix
> security/selinux/exports.c
> --- linux-2.6.17-rc6-mm2-JM/security/selinux/exports.c~lsm-secpeer-unix
> 2006-06-27 18:15:10.914669944 -0400
> +++ linux-2.6.17-rc6-mm2-JM-cxzhang/security/se
Hi,
This patch combines all previous updates. Many thanks to James, Dave,
and Stephen for their modifications and comments!
cheers,
Catherine
--
From: [EMAIL PROTECTED]
This patch implements an API whereby an application can determine the
label of its peer's Unix datagram sockets via the aux
Some more fixes:
> diff -purN -X dontdiff linux-2.6.o/net/unix/af_unix.c linux-2.6.
> w/net/unix/af_unix.c
> --- linux-2.6.o/net/unix/af_unix.c 2006-06-21 00:02:30.0 -0400
> +++ linux-2.6.w/net/unix/af_unix.c 2006-06-27 09:30:12.0 -0400
> @@ -128,6 +128,28 @@ static atomic_t u
Hi,
Thanks for the updates. I am testing the code now. Some minor fixes (so
far):
changed all
#ifdef CONFIG_SECURITY_NETWORKING
to
#ifdef CONFIG_SECURITY_NETWORK
cheers,
Catherine
James Morris <[EMAIL PROTECTED]> wrote on 06/27/2006 09:57:15 AM:
> On Tue, 27 Jun 2006, Stephen Smalley wr
On Tue, 27 Jun 2006, Stephen Smalley wrote:
> What about saving the u32 seclen with the secdata, and using it later
> rather than recomputing strlen(secdata)? That also avoids encoding an
> assumption in the af_unix code about the content of the data (i.e.
> NUL-terminated string), leaving that t
On Tue, 2006-06-27 at 03:16 -0400, James Morris wrote:
> On Tue, 27 Jun 2006, James Morris wrote:
>
> > I'll address that in a patch to follow. Could you please test these
> > updated patches? Thanks.
> >
>
>
> Below is a relative patch which only compiles this stuff into the core
> network
On Tue, 27 Jun 2006, Catherine Zhang wrote:
> Again, comments are welcome!
Got this warning while compiling.
security/selinux/exports.c: In function 'selinux_get_sock_sid':
security/selinux/exports.c:79: warning: passing argument 1 of 'SOCK_INODE'
discards qualifiers from pointer target type
I
On Tue, 27 Jun 2006, James Morris wrote:
> I'll address that in a patch to follow. Could you please test these
> updated patches? Thanks.
>
Below is a relative patch which only compiles this stuff into the core
networking code when appropriate kernel config is selected.
Please review.
--
Hi,
One major change as per James' comment -- calls to get the security
context of a peer are done through the hook socket_getpeersec_dgram().
Again, comments are welcome!
thanks,
Catherine
--
From: [EMAIL PROTECTED]
This patch implements an API whereby an application can determine the
label
James Morris <[EMAIL PROTECTED]> wrote on 06/18/2006 04:04:06 AM:
> On Sun, 18 Jun 2006, Catherine Zhang wrote:
>
> I'd also mention here that this is to complement the SO_PEERSEC option for
> stream sockets.
>
OK.
> There's an implementation issue, which I'm sure has been mentioned
> prev
On Sun, 18 Jun 2006, Catherine Zhang wrote:
> Patch purpose:
>
> This patch enables a security-aware application to retrieve the
> security context of the peer of a Unix datagram socket. The application
> can then use this security context to determine the security context for
> processing on
Hi,
I added one file (include/linux/selinux.h) which was omitted from the
previous patch, and removed a couple of unnecessary changes.
Again, comments are welcome!
thanks,
Catherine
--
From: [EMAIL PROTECTED]
This patch implements an API whereby an application can determine the
label of its
On 6/17/06, James Morris <[EMAIL PROTECTED]> wrote:
On Fri, 16 Jun 2006, Stephen Hemminger wrote:
> This is so short, it would make sense to put it in scm.h
> and why not have it return the value instead of call by reference?
> Same goes for selinux_get_inode_sid
Actually, all of the SELinux AP
On Fri, 16 Jun 2006, Stephen Hemminger wrote:
> This is so short, it would make sense to put it in scm.h
> and why not have it return the value instead of call by reference?
> Same goes for selinux_get_inode_sid
Actually, all of the SELinux API functions are like this, and I'm not sure
why for v
On Sat, 17 Jun 2006, Xiaolan Zhang wrote:
> Hi, Stephen,
>
> It appears that selinux_enabled is defined inside selinux module and not
> visible to the rest of the kernel...
Yes, these are SELinux API functions, they belong in
security/selinux/exports.c
But what about Stephen's question on the
Hi, Stephen,
It appears that selinux_enabled is defined inside selinux module and not
visible to the rest of the kernel...
thanks,
Catherine
Stephen Hemminger <[EMAIL PROTECTED]> wrote on 06/17/2006 12:16:03 AM:
> O
> >
> > +void selinux_get_sock_sid(const struct socket *sock, u32 *sid)
> > +
O
>
> +void selinux_get_sock_sid(const struct socket *sock, u32 *sid)
> +{
> + if (selinux_enabled) {
> + const struct inode *inode = SOCK_INODE(sock);
> + selinux_get_inode_sid(inode, sid);
> + return;
> + }
> + *sid = 0;
> +}
> +
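Review bot: SOCK_INODE(sock) is passed the const-qualified sock parameter, which matches the compile warning reported elsewhere in this thread for security/selinux/exports.c:79 ("passing argument 1 of 'SOCK_INODE' discards qualifiers from pointer target type"); either drop const from the sock parameter or keep it and avoid going through SOCK_INODE(). Separately, the disabled path writes *sid = 0 without a comment, so a caller cannot tell "SELinux not enabled" from a completed lookup unless the meaning of 0 is documented; a one-line comment stating that contract, or returning the SID rather than using a void function with an out-parameter (the point raised in the reply that follows), would make the interface clearer.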
This is so short
Hi,
Enclosed please find the updated AF_UNIX patch, incorporating comments from
James, Stephen, Dave, Chris, Andrew and others.
The patch is now built upon the newly added SELinux functions exported in
selinux/exports.c, which are also used by the auditing subsystem. One
function, selinux_get_s
Stephen and Andrew,
Many thanks for your comments! Will incorporate your suggestions and
resubmit.
thanks,
Catherine
Stephen Smalley <[EMAIL PROTECTED]> wrote on 04/10/2006 09:11:47 AM:
> On Fri, 2006-04-07 at 19:30 -0400, Catherine Zhang wrote:
> > Hi, James, Stephen, Dave and Chris,
> >
>
On Fri, 2006-04-07 at 19:30 -0400, Catherine Zhang wrote:
> Hi, James, Stephen, Dave and Chris,
>
> Enclosed please find the updated AF_UNIX patch. It addressed three major
> issues in the previous patch.
>
> 1. No direct calling of the SELINUX function security_sid_to_context().
>    The fix
Catherine Zhang <[EMAIL PROTECTED]> wrote:
>
> Enclosed please find the updated AF_UNIX patch.
>
> ...
>
> --- linux-2.6.17-rc1/include/asm-alpha/socket.h~lsm-secpeer-unix
> 2006-04-03 18:19:47.0 -0400
> +++ linux-2.6.17-rc1-cxzhang/include/asm-alpha/socket.h 2006-04-03
> 18:20
Hi, James, Stephen, Dave and Chris,
Enclosed please find the updated AF_UNIX patch. It addressed three major
issues in the previous patch.
1. No direct calling of the SELINUX function security_sid_to_context().
The fix is to export this and other similar functions through
wrapper functio