Subject: Re: [PATCH 0/3] Introduce LSM-hook for socketpair(2)
To: David Herrmann, linux-kernel@vger.kernel.org
Cc: James Morris, Paul Moore, teg@jklm.no, Stephen Smalley, selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org, Eric Paris, serge@hallyn.com, davem@davemloft.net, netdev@vger.kernel.org, Casey Schaufler
References: <20180423133015.5455-1-dh.herrmann@gmail.com>
From: Casey Schaufler
Message-ID: <32eea1d6-450c-bc68-59d6-74bc5011ead2@schaufler-ca.com>
Date: Mon, 23 Apr 2018 10:04:19 -0700
In-Reply-To: <20180423133015.5455-1-dh.herrmann@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/23/2018 6:30 AM, David Herrmann wrote:
> Hi
>
> This series adds a new LSM hook for the socketpair(2) syscall. The idea
> is to allow SO_PEERSEC to be called on AF_UNIX sockets created via
> socketpair(2), and return the same information as if you emulated
> socketpair(2) via a temporary listener socket. Right now SO_PEERSEC
> will return the unlabeled credentials for a socketpair, rather than the
> actual credentials of the creating process.
>
> ...
>
> This series only adds SELinux backends, since that is what we need for
> RHEL. I will gladly extend the other LSMs if needed.

I would be very happy to see a proposed patch for Smack. It shouldn't be
much different from the SELinux version, with the exception that it will
use pointers to smk_known structures instead of secids. It would be a big
help, as someone just threw a whole new species of scorpion into this pit.

>
> Thanks
> David
>
> [1] https://github.com/bus1/dbus-broker/blob/master/src/util/test-peersec.c
> [2] https://www.spinics.net/lists/selinux/msg22674.html
>
> David Herrmann (3):
>   security: add hook for socketpair(AF_UNIX, ...)
>   net/unix: hook unix_socketpair() into LSM
>   selinux: provide unix_stream_socketpair callback
>
>  include/linux/lsm_hooks.h |  8 ++++++++
>  include/linux/security.h  |  7 +++++++
>  net/unix/af_unix.c        |  5 +++++
>  security/security.c       |  6 ++++++
>  security/selinux/hooks.c  | 14 ++++++++++++++
>  5 files changed, 40 insertions(+)