[PATCH v13 19/25] NET: Store LSM netlabel data in a lsmblob

Casey Schaufler casey at schaufler-ca.com
Tue Jan 7 21:58:16 UTC 2020


On 1/7/2020 11:25 AM, Stephen Smalley wrote:
> On 12/24/19 6:59 PM, Casey Schaufler wrote:
>> Netlabel uses LSM interfaces requiring an lsmblob and
>> the internal storage is used to pass information between
>> these interfaces, so change the internal data from a secid
>> to a lsmblob. Update the netlabel interfaces and their
>> callers to accommodate the change. This requires that the
>> modules using netlabel use the lsm_id.slot to access the
>> correct secid when using netlabel.
>>
>> Reviewed-by: Kees Cook <keescook at chromium.org>
>> Reviewed-by: John Johansen <john.johansen at canonical.com>
>> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
>
> Why is this needed for stacking AppArmor?  AA doesn't use NetLabel, at least not upstream AFAICS.

Netlabel uses LSM interfaces that provide/require blobs,
security_secid_to_secctx() and security_secctx_to_secid()
in particular. Either the data maintained needs to be converted
to blobs or it needs extensive scaffolding. The scaffolding would
require a mechanism to identify the lsmblob slot to be used in
netlabel. You can't always use slot 0 because it would be possible
to put AppArmor on the module list ahead of SELinux or Smack. That
would be the only case where the slot number is needed outside the
security sub-system. Since converting the netlabel data to blobs
will be necessary eventually anyway, I want to avoid having to
provide a mechanism whereby netlabel can identify which slot to
use. This is especially true since Paul has nixed the idea of
assigning netlabel to a particular security module.





More information about the Linux-security-module-archive mailing list