> -----Original Message-----
> From: linux-security-module-adminat_private
> [mailto:linux-security-module-adminat_private]On Behalf Of
> David Wagner
> Sent: Thursday, August 09, 2001 2:27 PM
> To: linux-security-moduleat_private
> Subject: Re: Support for IPSOs
>
>
> Lachlan McIlroy wrote:
> >The attached patch adds a hook for decoding IP security
> >options that we will need for CIPSO support. Currently,
> >Linux drops packets with security options which isn't
> >very helpful.
>
> Interesting. Note that this patch changes the existing Linux security
> policy: If there is no LSM installed, it now accepts packets with the
> CIPSO option. I don't see any reason why this should be problematic,
> but I'm not familiar enough with why Linux currently drops
> these packets:
> Does accepting CIPSO packets introduce any new security risks?

None that I can see, maybe I can preserve the original behaviour
when there is no LSM installed.

>
> (We'd probably like to preserve the argument that our hooks aren't
> likely to add any new security holes to Linux that weren't
> already there,
> and so I'd just like to understand better about why this
> change is ok.)
>
> _______________________________________________
> linux-security-module mailing list
> linux-security-moduleat_private
> http://mail.wirex.com/mailman/listinfo/linux-security-module
>

---
Lachlan McIlroy              Phone: +61 3 9596 4155
Trusted Linux                Fax:   +61 3 9596 2960
Adacel Technologies Ltd      www.adacel.com
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 22:48:33 PDT