[PATCH 0/3] Add LSM/SELinux support for GPRS Tunneling Protocol (GTP)
Pablo Neira Ayuso
pablo at netfilter.org
Wed Sep 30 12:30:16 UTC 2020
On Wed, Sep 30, 2020 at 01:20:41PM +0100, Richard Haines wrote:
> On Wed, 2020-09-30 at 12:17 +0200, Pablo Neira Ayuso wrote:
> > On Wed, Sep 30, 2020 at 10:49:31AM +0100, Richard Haines wrote:
> > > These patches came about after looking at 5G open source in
> > > particular
> > > the updated 5G GTP driver at [1]. As this driver is still under
> > > development, added the LSM/SELinux hooks to the current stable GTP
> > > version in kernel selinux-next [2]. Similar hooks have also been
> > > implemented in [1] as it uses the same base code as the current 3G
> > > version (except that it handles different packet types).
> >
> > Yes, [1] looks like it is based on the existing 3G driver in the
> > Linux
> > tree.
>
> After a few fixes to [1], I now have the gtp5g version driver running
> on 5.9 with security hooks and passing their couple of tests.
>
> >
> > > To test the 3G GTP driver there is an RFC patch for the selinux-
> > > testsuite
> > > at [3].
> > >
> > > To enable the selinux-testsuite GTP tests, the libgtpnl [4] library
> > > and
> > > tools needed to be modified to:
> > > Return ERRNO on error to detect EACCES, Add gtp_match_tunnel
> > > function,
> > > Allow gtp-link to specify port numbers for multiple instances to
> > > run in the same namespace.
> > >
> > > A patch for libgtpnl is supplied in the selinux-testsuite patch as
> > > well
> > > as setup/test instructions (libgtpnl is not packaged by Fedora)
> > >
> > > These patches were tested on Fedora 32 with kernel [2] using the
> > > 'targeted' policy. Also ran the Linux Kernel GTP-U basic tests [5].
> >
> > I don't remember to have seen anything similar in the existing tunnel
> > net_devices.
> >
> > Why do you need this?
>
> I don't actually have a use for this, I only did it out of idle
> curiosity. If it is useful to the community then okay. Given the
> attemped move to Open 5G I thought adding MAC support might be useful
> somewhere along the line.
No worries.
I'd suggest you send us patches to integrate missing code into the
existing driver, probably leaving the SELinux support aside - until we
learn how to use it or we understand the original motivation to make
it, I currently don't find any.
Thanks.
More information about the Linux-security-module-archive
mailing list