Received: by 10.192.165.148 with SMTP id m20csp3658365imm;
        Mon, 23 Apr 2018 10:06:12 -0700 (PDT)
X-Google-Smtp-Source: AIpwx482QVOMGtP96p1cSECTOBtpTOziRdl+aHg+0JwWwLzqNXajcRyveif+8LlLH4Yzx/JypDqJ
X-Received: by 10.98.31.20 with SMTP id f20mr20916995pff.196.1524503172881;
        Mon, 23 Apr 2018 10:06:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1524503172; cv=none;
        d=google.com; s=arc-20160816;
        b=crv8n+4FRboHJqmpr1LVE1l9HC56bqDwY6kntNZ+XF7Lh+QscjrD16qhki/Jy+WpNR
         yKEB1f9pa29V5ZEsTvmpj/Gfw4Og6GMeqCwDQiB1sv7Cx+EEvV+7711ada4fMXRGt96l
         9AdivxxbPB0JM7a2QTpWh6MvuA349UQhEgzsZiH2kUT4gwsApthBAhQEUqyCFlIHYI2H
         SRDPApe7jemk+ah5xENnhSXpYfkLYM/rmWzsjj7oRWCBlq7Br1p8vRq5YK2Tf6KHZ+68
         myWfiBr6DdmiZBnoAl+Zb5srZoobV3rfenm3zdwVcg2YYgeXqhXcVfnc1RwzJbGM6j2/
         cC+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature
         :arc-authentication-results;
        bh=ibSd7J9OVd8dG9fIcaM8v3m49R0ErC8R/2dC9WUInzU=;
        b=svpoGjn8sueVhObHajaV3AGe+Iu6KHbJ2KF33FwArI0ONddVHGxpEWVFiovN+sdD9V
         o1va6MEE5RXl1XvD0uDcjLPAhT+AzAG8dk5jgPAd2jhbz69nz2NpHw0P3rYPPUnx9BPi
         mcrEMJ5Fz6yu4tGdXL698wQ2dlkEQrflHdrpBRyfUfLTFiijBwxYb4gLigdSZL6hjWs7
         7tPeR9Xy1Q6nVZChKc4IjVMURaozHHFu5WFrD3LakqQNpuVA3RNqnilFM+hmo+p0zblb
         nk1ru6cCyEw/wYz4a3hqWQ+H3Mv0ajHQldhWb7yuRD9hMRdqkEwWy1JduaJLE+rsAsxZ
         KvPQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=nAqxdoDZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g185si9946881pgc.155.2018.04.23.10.05.57;
        Mon, 23 Apr 2018 10:06:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yahoo.com header.s=s2048 header.b=nAqxdoDZ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932204AbeDWREc (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Mon, 23 Apr 2018 13:04:32 -0400
Received: from sonic316-19.consmr.mail.bf2.yahoo.com ([74.6.130.193]:44071
        "EHLO sonic316-19.consmr.mail.bf2.yahoo.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S932129AbeDWRE2 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 23 Apr 2018 13:04:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1524503067; bh=ibSd7J9OVd8dG9fIcaM8v3m49R0ErC8R/2dC9WUInzU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=nAqxdoDZWsW9yNl5zxEbZsl3vT/HB9M6dvZ5qpjUf5583iocw4fdjMr9AmK8iejclFR9UE75IhDnxmp3f8lBRFaanGG0uE6jPyi4Ox8oHo78EvgbIxul7LGsI3wABqN/3F6d0HTsa5Ray8SinJaUWhpBsBc4pfjONEhQZKHKCJS3mfZ/xXUkGXo8LC9IUiTaLkC2BaVHMztRstJWDOifU+ynvEIhQhSLAV+O26pikmyx2tuneFCqvoMFZ1n4VfDzBcrxM6lRLY7YFSktsdFuanHdYPuihutrFUnv2Vt563vjBgUCKRY4K8FOYaCfXjdnM9KbI+3rBFpL7Tn81Bmw4w==
X-YMail-OSG: wYXbXiQVM1nvDuu1aB.L7oeT7zipbGNQWi29vGUJi4Zf_9W2WTCbsoyKKufmtVQ
 hzwvQWuShbHyCn0NCRPAlIiEZ9ysMZxsWN8PhBv1TlmGZPkC4X_dfZzQrNVYKNm39e.JFVg7MNwM
 6Do8gboDdM0wwHRnZK8l5CdRF.mItmsUW6EYwy2eOSG8fGkY7EWKZ0ATUI.mmMsY9nLaPlaAym44
 I1oXYUSxypds9brLMdzlPne6McFLQQ0mObpJ_Zx1Ez1nDZnkexA_EwbLj0sD3r8gS2HLyo6FPvr.
 CAztrc14vfWek.KZd_bUl62kdHK2vnQld9Tb_d9zMfWQK2BnjAec1wKuzAdh5O4Olw3Z7w80juPn
 tG1LFhzqbCb2EDsw92vpoop82Tlvj35d93IdqTykpXqx1FJ2vZ4l3eM4mJHF41MBohIghQdfZHkl
 SUUzNJrELwpkGtmT6V4.Ez2mc8DNPlzBbix4b4BAnk7aVJlID.nkS883CMSUL5.T3dPmtxc2ats7
 Wmt1W7b_uYHywNiGPt4yk_ckaTGgVQkG3R8mXRcQWGftaILnZgM2b89KWUb5cG7p5FUmW3NYRrvz
 YvkI-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.bf2.yahoo.com with HTTP; Mon, 23 Apr 2018 17:04:27 +0000
Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.105]) ([67.169.65.224])
          by smtp404.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID e0acf8b286068b32b416b018aedd4e1d;
          Mon, 23 Apr 2018 17:04:23 +0000 (UTC)
Subject: Re: [PATCH 0/3] Introduce LSM-hook for socketpair(2)
To:     David Herrmann <dh.herrmann@gmail.com>,
        linux-kernel@vger.kernel.org
Cc:     James Morris <jmorris@namei.org>, Paul Moore <paul@paul-moore.com>,
        teg@jklm.no, Stephen Smalley <sds@tycho.nsa.gov>,
        selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org,
        Eric Paris <eparis@parisplace.org>, serge@hallyn.com,
        davem@davemloft.net, netdev@vger.kernel.org,
        Casey Schaufler <casey@schaufler-ca.com>
References: <20180423133015.5455-1-dh.herrmann@gmail.com>
From:   Casey Schaufler <casey@schaufler-ca.com>
Message-ID: <32eea1d6-450c-bc68-59d6-74bc5011ead2@schaufler-ca.com>
Date:   Mon, 23 Apr 2018 10:04:19 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101
 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <20180423133015.5455-1-dh.herrmann@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 4/23/2018 6:30 AM, David Herrmann wrote:
> Hi
>
> This series adds a new LSM hook for the socketpair(2) syscall. The idea
> is to allow SO_PEERSEC to be called on AF_UNIX sockets created via
> socketpair(2), and return the same information as if you emulated
> socketpair(2) via a temporary listener socket. Right now SO_PEERSEC
> will return the unlabeled credentials for a socketpair, rather than the
> actual credentials of the creating process.
>
> ...
>
> This series only adds SELinux backends, since that is what we need for
> RHEL. I will gladly extend the other LSMs if needed.

I would be very happy to see a proposed patch for Smack. It shouldn't
be much different from the SELinux version, with the exception that it
will use pointers to smk_known structures instead of secids. It would be
a big help, as someone just threw a whole new species of scorpion into
this pit.

>
> Thanks
> David
>
> [1] https://github.com/bus1/dbus-broker/blob/master/src/util/test-peersec.c
> [2] https://www.spinics.net/lists/selinux/msg22674.html
>
> David Herrmann (3):
>   security: add hook for socketpair(AF_UNIX, ...)
>   net/unix: hook unix_socketpair() into LSM
>   selinux: provide unix_stream_socketpair callback
>
>  include/linux/lsm_hooks.h |  8 ++++++++
>  include/linux/security.h  |  7 +++++++
>  net/unix/af_unix.c        |  5 +++++
>  security/security.c       |  6 ++++++
>  security/selinux/hooks.c  | 14 ++++++++++++++
>  5 files changed, 40 insertions(+)
>