On Fri, 13 Jul 2001, Greg KH wrote:

> Hm, in looking at the code, and the recent proposals, it seems that our
> existing TODO list is pretty small:
>
>   - add socket operations

With respect to this, I should have mentioned it on the list previously, but last week I began work to add LSM hooks to the network layer. At this point I have only placed a few hooks in net/socket.c.

The goal I'm striving towards is to insert the minimal number of hooks at the highest layer possible -- and still be able to accomplish the goals of this list/group. To that end, I'm avoiding inserting security data in struct socket and struct sock. Since an inode is always available, we can use its security field.

As far as operations go, most will only require hooks at the "socket" level (as opposed to "sock" or ipv4/ipv6). However, I expect there to be cases where we must link in at lower layers (like PF_UNIX sockets - we'll likely need the directory entry).

While a complete patch is not yet ready, I have created a socket_ops and placed tentative LSM hooks for:

    create
    post_create
    bind
    connect
    listen
    getsockname
    getpeername
    getsockopt
    setsockopt
    shutdown

I'll be working on the send/receive path today. If anyone else is working on the network layer, it is definitely appropriate to combine our efforts - so please let me know.

Once the socket layer has been fully LSM'd, the next job will be to hook into skbuff and netdevice routines.

chris.
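The design described in the message above (hooks at the socket level, per-socket state kept in the inode's security field instead of in struct socket) as a user-space C model. This is an added example, not code from the LSM patch: the hook signatures, the label type, the low-port policy and the try_* helpers are assumptions made for illustration.

```c
/* User-space model; the structs are simplified stand-ins, not kernel code. */
#include <errno.h>
#include <stddef.h>

struct inode  { void *security; };      /* per-inode security field */
struct socket { struct inode *inode; }; /* no security field of its own */

/* Hook table named after the post's socket_ops; signatures are assumed. */
struct socket_ops {
    int  (*create)(int family, int type);
    void (*post_create)(struct socket *sock);
    int  (*bind)(struct socket *sock, unsigned short port);
    int  (*listen)(struct socket *sock);
};

/* Hypothetical policy module: a label is attached at post_create. */
struct label { int low_ports; int listen; };
static struct label untrusted = { 0, 0 }, trusted = { 1, 1 };
static int creator_trusted;             /* stands in for the calling task */

static int  pol_create(int family, int type) { (void)family; (void)type; return 0; }
static void pol_post_create(struct socket *s)
{ s->inode->security = creator_trusted ? &trusted : &untrusted; }
static int  pol_bind(struct socket *s, unsigned short port)
{ struct label *l = s->inode->security;
  return (port < 1024 && !l->low_ports) ? -EACCES : 0; }
static int  pol_listen(struct socket *s)
{ struct label *l = s->inode->security; return l->listen ? 0 : -EACCES; }

static struct socket_ops ops = { pol_create, pol_post_create, pol_bind, pol_listen };

/* Socket-layer entry points: the hook runs before protocol code would. */
int model_socket(struct socket *s, struct inode *ino, int family, int type)
{
    int err = ops.create(family, type);
    if (err) return err;
    s->inode = ino;                     /* every socket is backed by an inode */
    ops.post_create(s);                 /* module labels the new socket here */
    return 0;
}
int model_bind(struct socket *s, unsigned short port) { return ops.bind(s, port); }
int model_listen(struct socket *s) { return ops.listen(s); }

/* Create a socket as a trusted or untrusted caller, then try one operation.
   Family 2 and type 1 are constructed sample values. */
int try_bind(int is_trusted, unsigned short port)
{ struct inode i = { NULL }; struct socket s; creator_trusted = is_trusted;
  return model_socket(&s, &i, 2, 1) ? -1 : model_bind(&s, port); }
int try_listen(int is_trusted)
{ struct inode i = { NULL }; struct socket s; creator_trusted = is_trusted;
  return model_socket(&s, &i, 2, 1) ? -1 : model_listen(&s); }
```

Because the label lives behind the inode, the bind and listen hooks need only the struct socket pointer they are already handed at the socket level.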