> > This is the only true wart I see in the patch set from my
> > perspective.
> >
> > You have security_post_accept_hook(), which gets the parent and
> > the child socket which is all the information you need, and it
> > seems to be invoked at the correct location.
> >
> > So can you please hook into this location using the security
> > level hook we already have? Just check sock->sk->sk_family is
> > PF_INET at the top of that hook if you only want to handle
> > ipv4 sockets, or something like that.
> >
> > Could this work?
> >
> > When preparing an argument stating why this won't work, please
> > suggest a nicer name for this af_inet.c hook or some way to make
> > it more generic and palatable to us.
>
> The only reason for having this new hook in inet_accept() is to catch
> all the in-kernel "daemons" who do not go through the LSM hooked
> accept() code path. I debated putting this hook into the patchset and
> in the end figured it was at least worth a shot.

If I understand the patch correctly, the openreq inherits cipso from the incoming syn and the syn-ack is then sent with this option. I further see that the child sock inherits options from the openreq already. Could you then please elaborate on the need for explicitly copying options from parent to child?