James Morris <[EMAIL PROTECTED]> wrote on 06/18/2006 04:04:06 AM:
> On Sun, 18 Jun 2006, Catherine Zhang wrote:
>
> I'd also mention here that this is to complement the SO_PEERSEC option for
> stream sockets.
>
OK.
> There's an implementation issue, which I'm sure has been mentioned
> previously. This code should not be calling SELinux API functions.
>
> > @@ -62,6 +70,12 @@ static __inline__ void scm_recv(struct s
> > if (test_bit(SOCK_PASSCRED, &sock->flags))
> > put_cmsg(msg, SOL_SOCKET, SCM_CREDENTIALS,
> sizeof(scm->creds), &scm->creds);
> >
> > + if (test_bit(SOCK_PASSSEC, &sock->flags)) {
> > + err = selinux_ctxid_to_string(scm->sid, &scontext,
> &scontext_len);
>
>
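Review bot: the selinux_ctxid_to_string() call in the new SOCK_PASSSEC branch puts an SELinux-specific function directly into the generic scm_recv() path; obtain the context through an LSM hook so the SCM code stays independent of the security module in use. The quoted lines also stop right after err is assigned, so the full patch should check err before scontext and scontext_len are used and release the buffer returned in scontext afterwards.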
I remember this issue being discussed, but no conclusion was made. The
reason that we cannot use socket_getpeersec_dgram directly is that it
passes skb as the argument, instead of socket. If we want to reuse the
same hook for UNIX, then we have to make a change to the interface. I was
debating on whether I should add another hook for the UNIX domain...
Let me check whether it'll be possible to reuse socket_getpeersec_dgram
without too much disruption/complication and I will repost.
thanks,
Catherine