James Morris wrote:
> This patch adds a SECMARK target to xtables, allowing
> the admin to apply security marks to packets via both
> iptables and ip6tables.
>
> The target currently handles SELinux security marking,
> but can be extended for other purposes as needed.
The netfilter parts all look fine too me (just one question,
see below). Shall I add the userspace parts to SVN or do you
want to do it yourself?
> +static int checkentry_selinux(struct xt_secmark_target_info *info)
> +{
> + int err;
> + struct xt_secmark_target_selinux_info *sel = &info->u.sel;
> +
> + err = selinux_string_to_sid(sel->selctx, &sel->selsid);
> + if (err) {
> + if (err == -EINVAL)
> + printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
> + sel->selctx);
> + return 0;
> + }
> +
> + if (!sel->selsid) {
> + printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
> + sel->selctx);
> + return 0;
> + }
> +
> + return 1;
> +}
I wonder if the result of this check could be invalidated later
by removal of the selinux context and if it would matter, since
you reject contexts not known at initialization time.
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
