Re: [PATCH 1/1] Allow LSM to use IP address/port number.
--- Tetsuo Handa [EMAIL PROTECTED] wrote:

> Hello.
>
> Patrick McHardy wrote:
> > Quoting Tetsuo:
> > > So, my approach is not using security context associated with a
> > > socket but security context associated with a process.
> >
> > Isn't the socket context derived from the process context?
>
> Not so regarding my case.
>
> static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
> {
>         sk->sk_security = current->security;
>         return 0;
> }
>
> will not help what I want to do. So, I'm not planning to use sk->sk_security.

Before you go too far down this path please note that the quoted code
is bad* because back pointers from sockets to tasks can't be reliable.
See later versions for more reasonable behavior.

> I'm planning to use current->security at accept()/recvmsg() time.

The delivery of packets and the completion of these syscalls are
related but independent events. Be careful about the relationship
between the events and the placement of your checks.

* Stephen had good comments on the details on list earlier.

Casey Schaufler [EMAIL PROTECTED]

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
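Casey's warning above (a socket holding a back pointer into the creating task's security blob cannot be relied on) in a toy user-space C model, added here as an example and not code from the thread, the kernel or Smack. The socket keeps both a pointer into the creator's blob and a copy of the label taken at allocation; the scenario relabels the creator, then lets it exit while the socket lives on. The pool, struct names and labels are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define LABEL_LEN 16
#define NTASK 2

/* Toy model, not kernel code. Per-task security blobs come from a tiny fixed
 * pool so that, as in the kernel, memory released by an exiting task is
 * handed to the next task that needs one. */
struct task_sec { char label[LABEL_LEN]; int in_use; };
static struct task_sec pool[NTASK];
struct task { struct task_sec *security; };
struct sock {                 /* both variants, so the scenario can compare them */
    struct task_sec *backptr; /* sk->sk_security = current->security, as quoted */
    char copied[LABEL_LEN];   /* label value copied when the socket was allocated */
};

static struct task task_create(const char *label)
{
    for (int i = 0; i < NTASK; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            snprintf(pool[i].label, LABEL_LEN, "%s", label);
            return (struct task){ &pool[i] };
        }
    return (struct task){ NULL }; /* pool exhausted; not reached in this scenario */
}
/* Relabel in place (think exec into another domain); exit returns the blob. */
static void task_relabel(struct task *t, const char *l) { snprintf(t->security->label, LABEL_LEN, "%s", l); }
static void task_exit(struct task *t) { t->security->in_use = 0; t->security = NULL; }

static void sk_alloc_security(struct sock *sk, const struct task *cur)
{
    sk->backptr = cur->security;
    snprintf(sk->copied, LABEL_LEN, "%s", cur->security->label);
}
/* 1 while the label seen through the back pointer still equals the label the
 * socket was created under; 0 once the creator has relabelled or exited. */
static int backptr_consistent(const struct sock *sk)
{
    return strcmp(sk->backptr->label, sk->copied) == 0;
}

int main(void)
{
    struct task a = task_create("web");
    struct sock sk;
    sk_alloc_security(&sk, &a);
    task_relabel(&a, "admin");            /* socket silently reads "admin" now */
    task_exit(&a);
    struct task b = task_create("other"); /* reuses a's blob: socket now points at b */
    printf("backptr=%s copied=%s same_blob_as_b=%d\n", sk.backptr->label, sk.copied, sk.backptr == b.security);
    return 0;
}
```

A check made at accept()/recvmsg() time against current->security is a third value again: whichever task happens to make the call, not the one that created the socket or the one the packet was delivered for.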
Re: [PATCH 1/1] Allow LSM to use IP address/port number.
On Sat, 21 Jul 2007, Tetsuo Handa wrote:

> I can't use netfilter infrastructure because it is too early to know
> who the recipient process of the packet is.

I think the way forward on this is to re-visit the idea of providing a
proper solution for the incoming packet/user match problem.

I posted one possible solution a couple of years ago (skfilter):

http://lwn.net/Articles/157137/

I think there has been some recent discussion by netfilter developers
about this issue, so perhaps you could talk to them (cc'd Patrick).

- James
--
James Morris [EMAIL PROTECTED]
Re: [PATCH 1/1] Allow LSM to use IP address/port number.
James Morris wrote:
> On Sat, 21 Jul 2007, Tetsuo Handa wrote:
> > I can't use netfilter infrastructure because it is too early to know
> > who the recipient process of the packet is.
>
> I think the way forward on this is to re-visit the idea of providing a
> proper solution for the incoming packet/user match problem.
>
> I posted one possible solution a couple of years ago (skfilter):
>
> http://lwn.net/Articles/157137/
>
> I think there has been some recent discussion by netfilter developers
> about this issue, so perhaps you could talk to them (cc'd Patrick)

Even with socket filters netfilter doesn't know the final recipient
process, that is not known until it calls recvmsg and the data is read,
which is too late for netfilter.

Quoting Tetsuo:
> So, my approach is not using security context associated with a socket
> but security context associated with a process.

Isn't the socket context derived from the process context?