Lachlan McIlroy wrote:

>The attached patch adds a hook for decoding IP security
>options that we will need for CIPSO support. Currently,
>Linux drops packets with security options which isn't
>very helpful.

Interesting. Note that this patch changes the existing Linux security policy: If there is no LSM installed, it now accepts packets with the CIPSO option. I don't see any reason why this should be problematic, but I'm not familiar enough with why Linux currently drops these packets: Does accepting CIPSO packets introduce any new security risks? (We'd probably like to preserve the argument that our hooks aren't likely to add any new security holes to Linux that weren't already there, and so I'd just like to understand better about why this change is ok.)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 22:09:51 PDT