Re: Low-level network hooks and rtnetlink

From: Stephen Smalley (sdsat_private)
Date: Thu Aug 02 2001 - 12:41:07 PDT


On Fri, 3 Aug 2001, James Morris wrote:
> However, things become more complicated if the kernel is configured with
> rtnetlink enabled.  This is a separate mechanism for managing the same set
> of objects (see rtnetlink(7)), as well as a few others which may also need
> access/audit hooks for some implementations.

SELinux handles rtnetlink sockets like other sockets - it defines a
distinct security class that identifies the kind of socket
(netlink_socket), and it checks a permission based on the process
label, the socket label, and the socket security class for each
socket operation.  So, the existing socket layer hooks by Chris Vance
should enable us to control the ability of a process to create and
use an rtnetlink socket.  That doesn't provide the level of granularity
that you mention, and it does mean that we end up with different
checks being performed depending on whether you access the
routing table via the socket or via ioctl, but it may be
Stephen D. Smalley, NAI Labs
linux-security-module mailing list

This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 12:42:46 PDT
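The mediation model Stephen describes (a socket security class derived from the socket's kind, then a permission check keyed on process label, socket label and class for every socket operation) is easy to model in a few lines. The example below is an added illustration, not SELinux's own code or policy language: the class names, the `ALLOW` rule table and the labels `routed_t` / `user_t` are constructed for the demonstration. It also shows the granularity point from the message: a single `write` permission on the `netlink_socket` class covers any rtnetlink message a process sends, so a route update and a route dump are checked identically.

```python
# Constructed model of per-socket mediation, in the spirit of the message above.
# Not SELinux kernel code; labels, class names and rules are made up here.
import socket

# AF_NETLINK only exists in Python's socket module on Linux; fall back to the
# Linux value (16) so the model also runs elsewhere.
AF_NETLINK = getattr(socket, "AF_NETLINK", 16)
NETLINK_ROUTE = 0  # rtnetlink protocol number for AF_NETLINK sockets


def socket_security_class(family, sock_type, protocol):
    """Map socket parameters to a security class name (constructed table).

    Per the message, rtnetlink sockets get a class of their own
    (netlink_socket) rather than being lumped in with IP sockets.
    """
    if family == AF_NETLINK:
        return "netlink_socket"
    if family == socket.AF_UNIX:
        return "unix_stream_socket" if sock_type == socket.SOCK_STREAM else "unix_dgram_socket"
    if family == socket.AF_INET:
        return "tcp_socket" if sock_type == socket.SOCK_STREAM else "udp_socket"
    return "socket"


# Allow rules: (process label, socket label, class) -> permitted operations.
# Entirely constructed; a real policy would be far larger.
ALLOW = {
    ("routed_t", "routed_t", "netlink_socket"): {"create", "bind", "read", "write"},
    ("user_t", "user_t", "tcp_socket"): {"create", "connect", "read", "write"},
}


def check_permission(proc_label, sock_label, sclass, perm):
    """The decision the hook makes on every socket operation:
    is `perm` allowed for this (process label, socket label, class) triple?"""
    return perm in ALLOW.get((proc_label, sock_label, sclass), set())


def mediate_socket_create(proc_label, family, sock_type, protocol):
    """Hook at socket creation: the new socket inherits the creator's label
    (a simplification) and the check is against the derived class."""
    sclass = socket_security_class(family, sock_type, protocol)
    return check_permission(proc_label, proc_label, sclass, "create")


def mediate_rtnetlink_send(proc_label, sock_label, msg_type):
    """Hook when a process sends on an rtnetlink socket.

    Note the coarseness the message points out: the rtnetlink message type
    (e.g. a route add versus a route dump) never enters the decision, so
    every send is just a `write` check on the netlink_socket class.
    """
    del msg_type  # deliberately ignored by this level of mediation
    return check_permission(proc_label, sock_label, "netlink_socket", "write")


if __name__ == "__main__":
    print(mediate_socket_create("routed_t", AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE))  # True
    print(mediate_socket_create("user_t", AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE))    # False
    print(mediate_rtnetlink_send("routed_t", "routed_t", "RTM_NEWROUTE"))                 # True
    print(mediate_rtnetlink_send("routed_t", "routed_t", "RTM_GETROUTE"))                 # True
```

Because the check keys only on the triple and the operation, nothing distinguishes what the process does with the routing table once it holds a permitted socket; finer control would need the hook to look inside the netlink message, which is exactly the extra granularity the message says the existing socket-layer hooks do not give.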