Re: Patch: Socket hooks

From: Chris Vance (cvanceat_private)
Date: Fri Jul 20 2001 - 13:09:31 PDT

  • Next message: Greg KH: "Re: Patch: Socket hooks"

    Something escaped my first pass.  Note that two of these hooks have
    parameters that are user-space variables - accept and setsockopt.  In the
    first case, accept, they should be removed. In the second case,
    setsockopt, it's not clear whether an LSM module would care precisely what
    value is being set.  It would need to be copied into kernel memory and the
    possibility of a race condition exists.
    
    Perhaps removing these parameters would be the safest thing to do.
    
    chris.
    
    On Fri, 20 Jul 2001, Chris Vance wrote:
    
    > Attached is a patch for review.  It contains hooks to implement
    > socket-level security checks.  The patch was generated from our cvs
    > repository, but should apply cleanly against the July 6 LSM tree (2.4.6
    > kernel).
    > 
    > This patch makes no attempts to secure skbuffs or network devices.  We are
    > still working towards an implementation that is most likely to be accepted
    > by the kernel folks. To that end, we are going to see what we can do with
    > the netfilter code rather than directly modifying the ip input/output
    > routines or modifying the sk_buff structure (which apparently would be
    > difficult to gain approval for).  If anyone has any relevant insight, I
    > would welcome it.  
    > 
    > What it does do is provide hooks for:
    > 	create & post_create	bind
    > 	connect			listen
    > 	accept			sendmsg
    > 	recvmsg			getsockname
    > 	getpeername		getsockopt
    > 	setsockopt		shutdown
    > 
    > In the cases of connect and accept, SELinux is likely to need something
    > more than the hooks provided here.  I'm still looking into the best way to
    > do what we need.
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
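The race Chris points at for setsockopt is a double fetch: if the hook is handed the user-space pointer and copies the value for its own check, and the socket code then copies the same user buffer again to apply it, a concurrent writer in the calling process can change the value between the two copies, so the value applied is not the value the hook approved. The following is an added example written for this archive page, not code from the patch or the LSM tree. It simulates the race deterministically in user space: a stand-in copy_from_user() rewrites the buffer after the first fetch, and a constructed policy (only values <= 100 allowed) plays the hook. All identifiers, the policy, and the error codes are illustrative and not LSM API.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed simulation of the user-space double-fetch hazard: the
 * setsockopt() value lives in user memory that another thread can rewrite
 * between the hook's check and the kernel's use.  To make the race
 * deterministic, the simulated copy_from_user() below overwrites the
 * buffer right after the first fetch, standing in for a racing writer.
 * All names are illustrative, not the LSM interface. */

#define EFAULT_SIM  (-1)
#define EACCES_SIM  (-2)
#define RACED_VALUE 999   /* constructed: value the racing writer stores */

static int fetch_count;   /* how many fetches of the user buffer so far */
static int user_buf;      /* the simulated user-space optval */

/* Simulated copy_from_user(): copies from the user buffer and, on the
 * first fetch only, plays the racing writer and replaces the value. */
static int sim_copy_from_user(void *dst, const void *user_src, size_t len)
{
    if (len != sizeof(int))
        return EFAULT_SIM;
    memcpy(dst, user_src, len);
    if (++fetch_count == 1)
        user_buf = RACED_VALUE;
    return 0;
}

static void reset_user_buf(int initial)
{
    fetch_count = 0;
    user_buf = initial;
}

/* Toy policy for the hook (constructed): only values <= 100 are allowed. */
static bool hook_allows(int optval)
{
    return optval <= 100;
}

/* Design A (hazardous): the hook receives the user pointer and fetches
 * the value itself; the socket code fetches it again afterwards. */
static int hook_with_user_ptr(const void *user_optval, size_t optlen)
{
    int v;
    if (sim_copy_from_user(&v, user_optval, optlen))
        return EFAULT_SIM;
    return hook_allows(v) ? 0 : EACCES_SIM;
}

static int setsockopt_double_fetch(const void *user_optval, size_t optlen,
                                   int *applied)
{
    int v, rc = hook_with_user_ptr(user_optval, optlen);
    if (rc)
        return rc;
    if (sim_copy_from_user(&v, user_optval, optlen))   /* second fetch */
        return EFAULT_SIM;
    *applied = v;            /* may not be the value the hook approved */
    return 0;
}

/* Design B (safe): copy once into kernel memory, hand the kernel copy to
 * the hook, and apply that same copy. */
static int hook_with_kernel_copy(const int *kval)
{
    return hook_allows(*kval) ? 0 : EACCES_SIM;
}

static int setsockopt_single_fetch(const void *user_optval, size_t optlen,
                                   int *applied)
{
    int v, rc;
    if (sim_copy_from_user(&v, user_optval, optlen))   /* the only fetch */
        return EFAULT_SIM;
    rc = hook_with_kernel_copy(&v);
    if (rc)
        return rc;
    *applied = v;            /* exactly the value the hook approved */
    return 0;
}

/* Each runner seeds the user buffer with `initial` and returns the value
 * actually applied, or the negative error code if the call was refused. */
int run_double_fetch(int initial)
{
    int applied = 0;
    reset_user_buf(initial);
    int rc = setsockopt_double_fetch(&user_buf, sizeof(int), &applied);
    return rc ? rc : applied;
}

int run_single_fetch(int initial)
{
    int applied = 0;
    reset_user_buf(initial);
    int rc = setsockopt_single_fetch(&user_buf, sizeof(int), &applied);
    return rc ? rc : applied;
}

int main(void)
{
    printf("double fetch, user passes 42 : applied %d\n", run_double_fetch(42));
    printf("single fetch, user passes 42 : applied %d\n", run_single_fetch(42));
    printf("single fetch, user passes 500: rc %d\n", run_single_fetch(500));
    return 0;
}
```

With the double-fetch design the hook approves 42 but the socket code applies 999, the value the racing writer stored in between; with a single copy into kernel memory the hook and the code that applies the option see the same bytes, which is the alternative to dropping the parameter altogether as the message suggests.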
    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 13:11:38 PDT