Revert "net: Reset secmark when scrubbing packet"

Message ID	20150416081253.GA13595@gondor.apana.org.au
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Date: Thu, 16 Apr 2015 16:12:53 +0800 From: Herbert Xu <herbert@gondor.apana.org.au> To: James Morris <jmorris@namei.org> Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>, netdev@vger.kernel.org, "Eric W. Biederman" <ebiederm@xmission.com>, linux-security-module@vger.kernel.org, Thomas Graf <tgraf@suug.ch>, Flavio Leitner <fbl@sysclose.org> Subject: Revert "net: Reset secmark when scrubbing packet" Message-ID: <20150416081253.GA13595@gondor.apana.org.au> References: <20150415100107.GA3655@gondor.apana.org.au> <552E3B7A.2040701@6wind.com> <20150415102229.GA3917@gondor.apana.org.au> <20150415135739.GA5534@gondor.apana.org.au> <552E86A6.9000101@6wind.com> <20150416010326.GA10864@gondor.apana.org.au> <alpine.LRH.2.11.1504161700130.23392@namei.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <alpine.LRH.2.11.1504161700130.23392@namei.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

20150416081253.GA13595@gondor.apana.org.au

State

Accepted, archived

Delegated to:

David Miller

Headers

Date: Thu, 16 Apr 2015 16:12:53 +0800
From: Herbert Xu <herbert@gondor.apana.org.au>
To: James Morris <jmorris@namei.org>
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>, netdev@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	linux-security-module@vger.kernel.org, Thomas Graf <tgraf@suug.ch>,
	Flavio Leitner <fbl@sysclose.org>
Subject: Revert "net: Reset secmark when scrubbing packet"
Message-ID: <20150416081253.GA13595@gondor.apana.org.au>
References: <20150415100107.GA3655@gondor.apana.org.au>
	<552E3B7A.2040701@6wind.com>
	<20150415102229.GA3917@gondor.apana.org.au>
	<20150415135739.GA5534@gondor.apana.org.au>
	<552E86A6.9000101@6wind.com>
	<20150416010326.GA10864@gondor.apana.org.au>
	<alpine.LRH.2.11.1504161700130.23392@namei.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.LRH.2.11.1504161700130.23392@namei.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Herbert Xu April 16, 2015, 8:12 a.m. UTC

On Thu, Apr 16, 2015 at 05:02:15PM +1000, James Morris wrote:
> 
> They don't support namespaces, and maintaining the label is critical for 
> SELinux, at least, which mediates security for the system as a whole.

Thanks for the confirmation James, I thought this looked a bit
dodgy :)

---8<---
This patch reverts commit b8fb4e0648a2ab3734140342002f68fb0c7d1602
because the secmark must be preserved even when a packet crosses
namespace boundaries.  The reason is that security labels apply to
the system as a whole and is not per-namespace.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Comments

Thomas Graf April 16, 2015, 8:32 a.m. UTC | #1

On 04/16/15 at 04:12pm, Herbert Xu wrote:
> On Thu, Apr 16, 2015 at 05:02:15PM +1000, James Morris wrote:
> > 
> > They don't support namespaces, and maintaining the label is critical for 
> > SELinux, at least, which mediates security for the system as a whole.
> 
> Thanks for the confirmation James, I thought this looked a bit
> dodgy :)
> 
> ---8<---
> This patch reverts commit b8fb4e0648a2ab3734140342002f68fb0c7d1602
> because the secmark must be preserved even when a packet crosses
> namespace boundaries.  The reason is that security labels apply to
> the system as a whole and is not per-namespace.

No objection to reverting, _BUT_ just because security labels
apply to the system as a whole does not mean that both the packet
in the underlay and overlay belong to the same context.

The point here was to not blindly inherit the security context of a
packet based on the outer or inner header. Someone tagging all
packets addressed to the host itself with a SElinux context may not
expect that SELinux context to be preserved into a namespaced tenant.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

David Miller April 16, 2015, 6:21 p.m. UTC | #2

From: Herbert Xu <herbert@gondor.apana.org.au>
Date: Thu, 16 Apr 2015 16:12:53 +0800

> On Thu, Apr 16, 2015 at 05:02:15PM +1000, James Morris wrote:
>> 
>> They don't support namespaces, and maintaining the label is critical for 
>> SELinux, at least, which mediates security for the system as a whole.
> 
> Thanks for the confirmation James, I thought this looked a bit
> dodgy :)
> 
> ---8<---
> This patch reverts commit b8fb4e0648a2ab3734140342002f68fb0c7d1602
> because the secmark must be preserved even when a packet crosses
> namespace boundaries.  The reason is that security labels apply to
> the system as a whole and is not per-namespace.
> 
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Applied and queued up for -stable.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a185427..d1967da 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4130,7 +4130,6 @@  void skb_scrub_packet(struct sk_buff *skb, bool xnet)
 	skb->ignore_df = 0;
 	skb_dst_drop(skb);
 	skb_sender_cpu_clear(skb);
-	skb_init_secmark(skb);
 	secpath_reset(skb);
 	nf_reset(skb);
 	nf_reset_trace(skb);

Revert "net: Reset secmark when scrubbing packet"

Commit Message

Comments

Patch