James Morris wrote:
On Sat, 21 Jul 2007, Tetsuo Handa wrote:

I can't use netfilter infrastructure because
it is too early to know who the recipient process of the packet is.

I think the way forward on this is to re-visit the idea of providing a proper solution for the incoming packet/user match problem.

I posted one possible solution a couple of years ago (skfilter):
http://lwn.net/Articles/157137/

I think there has been some recent discussion by netfilter developers about this issue, so perhaps you could talk to them (cc'd Patrick).

Even with socket filters netfilter doesn't know the final recipient
process; that is not known until it calls recvmsg() and the data is read,
which is too late for netfilter.

Quoting Tetsuo:

> So, my approach is not using security context associated with a socket
> but security context associated with a process.

Isn't the socket context derived from the process context?
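The point made in this reply, that the creator of a socket and the process that eventually calls recvmsg() on it need not be the same, is easy to demonstrate. The program below is an added illustration written for this page, not code from the thread or from any kernel patch it discusses: the parent creates an AF_UNIX datagram socketpair, forks, and the child (a different process) is the one that actually receives the data. Any "socket context" fixed at creation time would describe the parent, while the real recipient is the child. The function name and the pid-in-payload trick are my own constructions.

```c
/* Added example (not from the thread): show that the process that
 * creates a socket and the process that receives on it can differ,
 * so a label attached to the socket at creation time is not the
 * recipient process. Uses only POSIX calls: socketpair, fork, recvmsg. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Returns 1 if the process that called recvmsg() on the socket was a
 * different process from the one that created the socket, 0 if they were
 * the same, and -1 on any system-call failure (e.g. fork not permitted). */
int recipient_differs_from_creator(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;

    pid_t creator = getpid();   /* identity fixed at socket creation */

    pid_t child = fork();
    if (child < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    if (child == 0) {
        /* Child: this is the actual recipient. Only here, at recvmsg()
         * time, is the receiving process known. */
        close(sv[0]);
        char buf[sizeof(pid_t)];
        struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
        struct msghdr msg;
        memset(&msg, 0, sizeof msg);
        msg.msg_iov = &iov;
        msg.msg_iovlen = 1;

        ssize_t n = recvmsg(sv[1], &msg, 0);
        if (n != (ssize_t)sizeof(pid_t))
            _exit(2);               /* signal an error to the parent */

        pid_t from;
        memcpy(&from, buf, sizeof from);   /* creator's pid, sent by parent */
        _exit(getpid() != from ? 1 : 0);   /* 1: recipient != creator */
    }

    /* Parent: send the creator's pid so the child can compare, then wait. */
    close(sv[1]);
    int rc = -1;
    if (send(sv[0], &creator, sizeof creator, 0) == (ssize_t)sizeof creator) {
        int status;
        if (waitpid(child, &status, 0) == child &&
            WIFEXITED(status) && WEXITSTATUS(status) != 2)
            rc = WEXITSTATUS(status);
    }
    close(sv[0]);
    return rc;
}

int main(void)
{
    int r = recipient_differs_from_creator();
    if (r < 0) {
        fprintf(stderr, "system call failed\n");
        return 1;
    }
    printf("recipient process differs from socket creator: %s\n",
           r ? "yes" : "no");
    return 0;
}
```

The same separation occurs whenever a descriptor is inherited across fork()/exec() or passed with SCM_RIGHTS, which is why a hook that runs at packet arrival, before any process has called recvmsg(), cannot name the recipient.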


