These patches came about after looking at 5G open source in particular
the updated 5G GTP driver at [1]. As this driver is still under
development, added the LSM/SELinux hooks to the current stable GTP
version in kernel selinux-next [2]. Similar hooks have also been
implemented in [1] as it uses the same base code as the current 3G
version (except that it handles different packet types).
To test the 3G GTP driver there is an RFC patch for the selinux-testsuite
at [3].
To enable the selinux-testsuite GTP tests, the libgtpnl [4] library and
tools needed to be modified to:
Return ERRNO on error to detect EACCES, Add gtp_match_tunnel function,
Allow gtp-link to specify port numbers for multiple instances to
run in the same namespace.
A patch for libgtpnl is supplied in the selinux-testsuite patch as well
as setup/test instructions (libgtpnl is not packaged by Fedora)
These patches were tested on Fedora 32 with kernel [2] using the
'targeted' policy. Also ran the Linux Kernel GTP-U basic tests [5].
[1] https://github.com/PrinzOwO/gtp5g
[2] https://github.com/SELinuxProject/selinux-kernel
[3] https://lore.kernel.org/selinux/20200924085314.6120-1-richard_c_haines@btin…
[4] git://git.osmocom.org/libgtpnl.git
[5] https://osmocom.org/projects/linux-kernel-gtp-u/wiki/Basic_Testing
Changes from RFC patches:
1) Rework the LSM hook names and contents as suggested by Casey Schaufler.
This resulted in moving the gtp_dev struct from gtp.c to include/net/gtp.h
so that it is visible to the LSM modules for storing the security blob.
2) Remove pr_debug's from gtp.c security_* calls.
3) Minor GTP.rst updates.
4) Added netdev to distribution list.
Richard Haines (3):
security: Add GPRS Tunneling Protocol (GTP) security hooks
gtp: Add LSM hooks to GPRS Tunneling Protocol (GTP)
selinux: Add SELinux GTP support
Documentation/security/GTP.rst | 100 ++++++++++++++++++++++++++++
Documentation/security/index.rst | 1 +
drivers/net/gtp.c | 50 +++++++++-----
include/linux/lsm_hook_defs.h | 3 +
include/linux/lsm_hooks.h | 13 ++++
include/linux/security.h | 22 ++++++
include/net/gtp.h | 21 ++++++
security/security.c | 18 +++++
security/selinux/hooks.c | 66 ++++++++++++++++++
security/selinux/include/classmap.h | 2 +
security/selinux/include/objsec.h | 4 ++
11 files changed, 284 insertions(+), 16 deletions(-)
create mode 100644 Documentation/security/GTP.rst
--
2.26.2
Hi,
with the new NS2 code [1] the vty keep compatible. However the new NS2
code is more flexible and support more use cases except the old vty
doesn't allow it.
I've created an osmocom ticket [2] to experiment and write a draft of
the new VTY commands.
I would be nice if you can give me some feedback here.
Best,
lynxis
[1] NS <> NS2. it's still the same protocol, just a second
implementation of NS.
[2] https://osmocom.org/issues/4770
new vty example:
1.1. sgsn with udp bind - ipa style
1.2. sgsn with udp bind - with persistent nsvc
1.3. sgsn with sns listen on all interfaces
1.4. sgsn with sns listen on specific interface
1.5. sgsn with fr
2.1. TODO: pcu with binds to use when receiving info ind
2.2. TODO: pcu with static configuration
<pre>
;; 1.1. sgsn with udp bind - dynamic with ipa style
ns
bind udp some
listen 192.168.0.2 23000
allow-block-reset-nsvci
</pre>
<pre>
;; 1.2. sgsn with udp bind - no dynamic connection - only vty
configured NSE (persistent)
ns
bind udp some
listen 192.168.0.2 23000
nsei 1001
nsvc udp some 10.0.1.2 23000
</pre>
<pre>
;; 1.2. sgsn with udp bind - no dynamic connection - only vty
configured NSE (persistent)
ns
bind udp some
listen 192.168.0.2 23000
bind udp other
listen 192.168.1.2 23000
nsei 1001
;; will use all bindings
nsvc udp * 10.0.1.2 23000
nsei 1002
nsvc udp other 10.0.1.3 23000
nsvc udp some 10.0.1.3 23000
</pre>
<pre>
;; 1.3. sgsn with sns listen on all interfaces
ns
bind udp some
listen 192.168.0.2 23000
allow-sns group all
bind udp other
listen 192.168.1.2 23000
allow-sns group all
</pre>
<pre>
;; 1.4. sgsn with sns listen on specific interface
ns
bind udp some
listen 192.168.0.2 23000
allow-sns group alice
bind udp other
listen 192.168.1.2 23000
allow-sns group bob
</pre>
<pre>
;; 1.5. sgsn with fr
fr
link hdlc1
link hdlc2
ns
nsei 1002
nsvc fr hdlc1 dlci 10
nsvc fr hdlc2 dlci 10
</pre>
--
Alexander Couzens
mail: lynxis(a)fe80.eu
jabber: lynxis(a)fe80.eu
gpg: 390D CF78 8BF9 AA50 4F8F F1E2 C29E 9DA6 A0DF 8604
These tests were performed on Fedora 32 Workstation with the 'targeted'
policy using an updated kernel with the GTP RFC kernel patches.
See the tests/gtp/GTP-README for detailed setup/testing.
The libgtpnl patch is at:
tests/gtp/Update-libgtpnl-for-SELinux-testsuite-GTP-tests.patch
The basic process is:
1) Build kernel with RFC LSM/GTP/SELinux patches (use the
selinux-testsuite/defconfig file to set correct config if required).
2) Setup the selinux-testsuite and add the GTP test patch.
3) Build/install the libgtpnl library using a patch from the
selinux-testsuite as this will allow errors to be returned by the
library functions.
4) Build/run selinux-testsuite for all SELinux tests (sets up the
environment).
5) Run the GTP tests locally to see more info.
6) Remove the selinux-testsuite policy.
Richard Haines (1):
selinux-testsuite: Add GTP tests
defconfig | 4 +
policy/Makefile | 5 +
policy/test_gtp.cil | 18 +
policy/test_gtp.te | 96 +++++
tests/Makefile | 4 +
tests/gtp/.gitignore | 2 +
tests/gtp/GTP-README | 123 ++++++
tests/gtp/Makefile | 8 +
...tpnl-for-SELinux-testsuite-GTP-tests.patch | 366 ++++++++++++++++++
tests/gtp/gtp-link.c | 134 +++++++
tests/gtp/gtp-tunnel.c | 263 +++++++++++++
tests/gtp/test | 169 ++++++++
12 files changed, 1192 insertions(+)
create mode 100644 policy/test_gtp.cil
create mode 100644 policy/test_gtp.te
create mode 100644 tests/gtp/.gitignore
create mode 100644 tests/gtp/GTP-README
create mode 100644 tests/gtp/Makefile
create mode 100644 tests/gtp/Update-libgtpnl-for-SELinux-testsuite-GTP-tests.patch
create mode 100644 tests/gtp/gtp-link.c
create mode 100644 tests/gtp/gtp-tunnel.c
create mode 100755 tests/gtp/test
--
2.26.2