VSOCK & getpeercon()

[Casey Schaufler]

On 1/22/2021 8:27 AM, Paul Moore wrote:
> On Sat, Jan 16, 2021 at 7:48 AM Marc-André Lureau
> <marcandre.lureau at gmail.com> wrote:
>> Hi,
>>
>> getpeercon() isn't implemented for VSOCK. Note, I am not very familiar
>> with SELinux, but I was porting some applications that uses AF_UNIX to
>> AF_VSOCK and reached that point.
>>
>> I found some previous discussions about VSOCK & LSM from 2013, but the
>> reasons it was abandoned don't seem so clear or valid to me:
>> https://lore.kernel.org/selinux/1803195.0cVPJuGAEx@sifl/
> Hi, my apologies for the slow reply.
>
> The SELinux/LSM VSOCK support wasn't abandoned due to any significant
> roadblocks, it was simply a matter of time - I seemed to be the only
> one who was interested in working on it, and I couldn't find enough
> time to work on it ;)
>
> If you are interested in spending some time on adding proper
> LSM/SELinux VSOCK support my gut feeling is that it would still be a
> good thing.  However, I would suggest spending some time investigating
> the current state of things, while you may get lucky, I believe it is
> safer to assume that anything from 2013 is horribly out of date.

That's a pretty safe statement. You really have four options at
this point:

- netfilter to set the secmark
- CIPSO/CALIPSO if the protocol supports or can support options
- examining the peer process as is done with AF_UNIX
- eBPF *I think* but you never really know with something that new

There may be something else out there that hasn't gobsmacked me
in the stacking work, so that I wouldn't know about it.

BTW: Please include the (CCed) Linux Security Module list
<linux-security-module at vger.kernel.org> in discussions like this.

>