Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-23 Thread Tetsuo Handa
Hello. James Morris wrote: > From memory, one approach under discussion was to add netfilter hooks to > the transport layer, which could be invoked correctly by each type of > protocol when the target process is selected. > > If this is done for netfilter, then an LSM hook is probably not neede

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-28 Thread Samir Bellabes
Tetsuo Handa <[EMAIL PROTECTED]> writes: > Hello. > > James Morris wrote: >> From memory, one approach under discussion was to add netfilter hooks to >> the transport layer, which could be invoked correctly by each type of >> protocol when the target process is selected. >> >> If this is done f

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Tetsuo Handa
Hello. Thank you for the detailed explanation. Samir Bellabes wrote: > By "filtering", you should mean "packet filtering", shouldn't you ? > because this hook is able to deny the accept() syscall for a process, so > it's a kind of "filtering" too. Yes, you are right. > No, it's performed from the use

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Tetsuo Handa
Hello. Samir Bellabes wrote: > at security_socket_accept(), the user only accepts the fact that the > application is able to go to sock->ops->accept(). That's the purpose of > this hook. Yes. This hook can't perform filtering. > After, when packets are coming, we can catch them with > libnetfilter_

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Tetsuo Handa
Hello. Thank you for feedback. I have some questions. (1) Your module uses "struct security_operations" and is registered with register_security(). TOMOYO also uses "struct security_operations" and must be registered with register_security(). Can your module and TOMOYO coexist?

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Samir Bellabes
Tetsuo Handa <[EMAIL PROTECTED]> writes: > Hello. > > Thank you for feedback. > > I have some questions. > > (1) Your module uses "struct security_operations" and > is registered with register_security(). > > TOMOYO also uses "struct security_operations" and > must be registered with r

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Samir Bellabes
Tetsuo Handa <[EMAIL PROTECTED]> writes: > Hello. > > Samir Bellabes wrote: >> at security_socket_accept(), the user only accepts the fact that the >> application is able to go to sock->ops->accept(). That's the purpose of >> this hook. > Yes. This hook can't perform filtering. By "filtering", you

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-11-30 Thread Samir Bellabes
Tetsuo Handa <[EMAIL PROTECTED]> writes: > Hello. > Thank you for the detailed explanation. > Samir Bellabes wrote: > >> No, it's performed from the userspace. The goal is not to touch the >> network stack at all. > OK. One thing I'm worried about. > Use of a userspace process assumes that it shall not be

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-12-09 Thread Tetsuo Handa
Hello, Samir. Did you receive the following messages? Since these messages were dropped at vger.kernel.org, I'm worried that you couldn't receive the following messages. Tetsuo Handa wrote: > Hello. > > Samir Bellabes wrote: > > >> what differences between your approach and netfilter in this c

Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.

2007-12-09 Thread Samir Bellabes
Tetsuo Handa <[EMAIL PROTECTED]> writes: > Hello, Samir. > > Did you receive the following messages? > Since these messages were dropped at vger.kernel.org, > I'm worried that you couldn't receive the following messages. Yes, I got it. I will take time to investigate your example.