On Saturday 29 July 2006 12:34 pm, Venkat Yekkirala wrote:
> > > This is the only true wart I see in the patch set from my
> > > perspective.
> > >
> > > You have security_post_accept_hook(), which gets the parent and
> > > the child socket which is all the information you need, and it
> > > seems to be invoked at the correct location.
> > >
> > > So can you please hook into this location using the security
> > > level hook we already have? Just check sock->sk->sk_family is
> > > PF_INET at the top of that hook if you only want to handle
> > > ipv4 sockets, or something like that.
> > >
> > > Could this work?
> > >
> > > When preparing an argument stating why this won't work, please
> > > suggest a nicer name for this af_inet.c hook or some way to make
> > > it more generic and palatable to us.
> >
> > The only reason for having this new hook in inet_accept() is to catch
> > all the in-kernel "daemons" who do not go through the LSM hooked
> > accept() code path. I debated putting this hook into the patchset and
> > in the end figured it was at least worth a shot.
>
> If I understand the patch correctly, the openreq inherits cipso from
> the incoming syn and the syn-ack is then sent with this option. I further
> see that the child sock inherits options from the openreq already.
>
> Could you then please elaborate on the need for explicitly copying options
> from parent to child?
The NetLabel patch allows administrators to assign a specific CIPSO DOI/configuration to each LSM "domain". Blindly using the CIPSO tag that the remote host sends could violate the administrator's NetLabel configuration. The current patch reads the CIPSO tag off the child socket, translating the tag according to the CIPSO DOI configuration to arrive at the correct/desired LSM security attributes. These LSM security attributes and the "domain" are then used to set the NetLabel on the socket. In the case where everyone is well behaved this should have no effect on the socket IP options and the packets sent across the wire. However, in the case of a not-nice remote host the outgoing CIPSO tag may change to match the administrator's desired settings.

It is important to note that the next patchset will be based against David's net-2.6.19 git tree which has the additional LSM hooks in the accept code path - which I plan to use - so expect the implementation to change as a result. Like I said earlier, these new LSM hooks are probably the proper way to do it, but I wanted to stick with the hooks that were present at the time I started working on NetLabel to minimize the impact on the kernel.

--
paul moore
linux security @ hp
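The translation step Paul describes (read the remote host's CIPSO tag, map it through the administrator's DOI configuration, and re-label the child socket from the resulting local attributes) as an added C model; this is not kernel or NetLabel code, and the DOI value, level map and option bytes are constructed for the demonstration. A well-behaved host's option round-trips unchanged, a remote level the administrator folds into another local level is normalized on the outgoing option, and an unmapped level or foreign DOI is rejected.

```c
#include <stdint.h>
#include <string.h>

#define CIPSO_OPT_TYPE   134  /* IP option type used by CIPSO */
#define CIPSO_TAG_RBITMAP  1  /* restrictive bitmap tag: type, len, align, level, cats */
#define NLEVELS 4             /* assumption: toy DOI with four sensitivity levels */

/* Constructed model of a NetLabel-style "std" DOI configuration: the admin maps
 * remote levels to local ones and fixes the canonical wire level for each local level. */
struct doi_cfg {
    uint32_t doi;
    int8_t remote_to_local[NLEVELS];  /* -1: remote level has no local mapping */
    int8_t local_to_remote[NLEVELS];  /* canonical remote level for each local level */
};

/* Parse the CIPSO option from the incoming SYN, translate its level through the
 * admin's map, and re-encode the outgoing option from the local level.
 * Returns the local level (>= 0) and fills out[] (same length as in), or -1 to
 * reject on a malformed option, unknown DOI, unexpected tag or unmapped level. */
int cipso_translate(const struct doi_cfg *cfg, const uint8_t *in, size_t len, uint8_t *out)
{
    if (len < 10 || in[0] != CIPSO_OPT_TYPE || in[1] != len)
        return -1;
    uint32_t doi = ((uint32_t)in[2] << 24) | (in[3] << 16) | (in[4] << 8) | in[5];
    if (doi != cfg->doi)
        return -1;
    if (in[6] != CIPSO_TAG_RBITMAP || in[7] < 4 || 6 + (size_t)in[7] > len)
        return -1;
    uint8_t rlevel = in[9];
    if (rlevel >= NLEVELS || cfg->remote_to_local[rlevel] < 0)
        return -1;
    int local = cfg->remote_to_local[rlevel];
    memcpy(out, in, len);                            /* DOI, tag header, categories kept */
    out[9] = (uint8_t)cfg->local_to_remote[local];   /* wire level follows the admin's map */
    return local;
}

/* Constructed config: remote levels 2 and 3 both mean local level 2, whose
 * canonical wire level is 2, so a host claiming level 3 is answered with level 2. */
static const struct doi_cfg demo_cfg = { 3, {0, 1, 2, 2}, {0, 1, 2, -1} };

/* Feed a constructed 12-byte option carrying remote level `rlevel` through the
 * translation; returns the level written to the outgoing option, or -1 if rejected. */
int demo_outgoing_level(uint8_t rlevel)
{
    uint8_t in[12] = {CIPSO_OPT_TYPE, 12, 0, 0, 0, 3, CIPSO_TAG_RBITMAP, 6, 0, rlevel, 0x80, 0x01};
    uint8_t out[12];
    if (cipso_translate(&demo_cfg, in, sizeof in, out) < 0)
        return -1;
    return out[9];
}
```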