On Wed, 2020-09-30 at 12:17 +0200, Pablo Neira Ayuso wrote:
On Wed, Sep 30, 2020 at 10:49:31AM +0100, Richard Haines wrote:
These patches came about after looking at 5G open source in particular
the updated 5G GTP driver at [1]. As this driver is still under
development, added the LSM/SELinux hooks to the current stable GTP
version in kernel selinux-next [2]. Similar hooks have also been
implemented in [1] as it uses the same base code as the current 3G
version (except that it handles different packet types).
Yes, [1] looks like it is based on the existing 3G driver in the Linux
tree.
After a few fixes to [1], I now have the gtp5g version driver running
on 5.9 with security hooks and passing their couple of tests.
To test the 3G GTP driver there is an RFC patch for the
selinux-testsuite at [3].
To enable the selinux-testsuite GTP tests, the libgtpnl [4] library and
tools needed to be modified to:
Return ERRNO on error to detect EACCES,
Add gtp_match_tunnel function,
Allow gtp-link to specify port numbers for multiple instances to
run in the same namespace.
A patch for libgtpnl is supplied in the selinux-testsuite patch as well
as setup/test instructions (libgtpnl is not packaged by Fedora).
These patches were tested on Fedora 32 with kernel [2] using the
'targeted' policy. Also ran the Linux Kernel GTP-U basic tests [5].
I don't remember to have seen anything similar in the existing tunnel
net_devices.
Why do you need this?
I don't actually have a use for this, I only did it out of idle
curiosity. If it is useful to the community then okay. Given the
attempted move to Open 5G I thought adding MAC support might be useful
somewhere along the line.