Re: [PATCH 3/3] selinux: Add SELinux GTP support
From: Harald Welte <laforge@gnumonks.org>
Date: 2020-09-30 11:03:45
Also in: netdev, selinux
Hi Richard,

I don't fully understand in which context you need / use those SELinux GTP hooks, however one comment from the point of view of somebody who is working on GGSN/P-GW software using the GTP kernel module:

On Wed, Sep 30, 2020 at 10:49:34AM +0100, Richard Haines wrote:
+selinux_gtp_dev_cmd()
+~~~~~~~~~~~~~~~~~~~~~
+Validate if the caller (current SID) and the GTP device SID have the required
+permission to perform the operation. The GTP/SELinux permission map is
+as follow::
+
+ GTP_CMD_NEWPDP = gtp { add }
+ GTP_CMD_DELPDP = gtp { del }
+ GTP_CMD_GETPDP = gtp { get }

Wouldn't it make sense to differentiate between:

a) add/del/get on the GTP netdev
b) add/del/get on the individual PDP within the GTP netdev

'a' is typically only created once at startup of a GGSN/P-GW software, or is done even at system start-up time. 'b' is performed frequently during runtime as the GGSN/P-GW function runs, as subscribers attach to / detach from the cellular network.

By differentiating between those two, one could further constrain the permissions required at runtime.

-- 
- Harald Welte [off-list ref]           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
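Review bot: the lead-in to the permission map in the quoted documentation reads "The GTP/SELinux permission map is as follow::"; it should be "as follows::". It would also help readers if the paragraph stated explicitly that all three commands (NEWPDP, DELPDP, GETPDP) are checked against the GTP device's SID, since the map lists only the class and permission names and a reader may expect the per-PDP commands to be checked against a per-PDP object.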
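The split Harald proposes, sketched as a hypothetical SELinux policy fragment (an added example, not code from the patch or from either poster): the object classes gtp_dev and gtp_pdp, the type ggsn_gtp_dev_t and the domains ggsn_setup_t and ggsn_runtime_t are all assumptions made for this illustration. The patch as quoted defines a single class gtp with the permissions add, del and get, checked between the caller's SID and the GTP device's SID.

```selinux
# Hypothetical refinement of the quoted GTP permission map (added example,
# not from the patch): separate control of the GTP netdev itself from
# per-PDP-context operations inside that netdev, so that the long-running
# GGSN/P-GW daemon only needs the per-PDP permissions at runtime.
#
# All class, permission, type and domain names below are assumptions for
# this illustration; the patch under discussion defines only 'gtp { add del get }'.

# --- class declarations (would live in security_classes / access_vectors) ---
class gtp_dev          # create/remove/query the GTP netdev (done at startup)
class gtp_pdp          # add/del/get PDP contexts within an existing netdev

class gtp_dev { add del get }
class gtp_pdp { add del get }

# --- types ---
# Label carried by the GTP device object (the "GTP device SID" in the patch).
type ggsn_gtp_dev_t;

# Setup helper (or init-time unit) that brings the tunnel device up and down.
type ggsn_setup_t;

# Long-running GGSN/P-GW daemon that handles subscriber attach/detach.
type ggsn_runtime_t;

# --- rules ---
# Device lifecycle is confined to the setup domain.
allow ggsn_setup_t   ggsn_gtp_dev_t : gtp_dev { add del get };

# The runtime daemon may only manage PDP contexts on the already-created
# device; it cannot remove or re-create the device itself, which limits
# what a compromised daemon can do to the tunnel endpoint as a whole.
allow ggsn_runtime_t ggsn_gtp_dev_t : gtp_pdp { add del get };

# Deliberately absent: no gtp_dev permissions for ggsn_runtime_t, and no
# gtp_pdp permissions for ggsn_setup_t. With the single 'gtp' class in the
# patch as quoted, both domains would have to be granted the same
# { add del get } set and this separation could not be expressed.
```

The point of the fragment is the last block of comments: with one object class, the policy writer cannot grant per-PDP operations without also granting device-level ones, whereas two classes let the startup and runtime roles be given disjoint permission sets against the same labelled device.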