On Thu, 9 Aug 2001, Lachlan McIlroy wrote:

> The attached patch adds a hook for decoding IP security
> options that we will need for CIPSO support. Currently,
> Linux drops packets with security options which isn't
> very helpful.

The kernel does not normally drop packets with unknown options -- can you
track down exactly where in the stack this is happening?

The correct (and seemingly implemented) behaviour is for IP and TCP/UDP to
pass IP options up to the application layer, silently ignoring options which
they don't understand.

It would be interesting to see a tcpdump of a session where these packets are
being dropped.

Also, I feel that the patch does introduce a new security issue, in that the
CAP_NET_RAW check which would have previously been done when a user sets
security options is now bypassed. This changes the behaviour for the default
case, as well as for LSM modules which don't do anything special with
networking.

It may be more flexible to simply put the LSM hook after the existing
capable() call, which would catch all "unknown" IP options, and not require
further changes to the main kernel.

- James

--
James Morris <jmorrisat_private>

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
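To illustrate the behaviour James describes (options are passed up, unrecognised ones are skipped, and only a malformed encoding is a reason to stop), here is an added user-space example that is not code from the kernel or from the patch under discussion. It walks an IPv4 options area using the RFC 791 type/length layout; the type codes 130 (RFC 1108 basic security option) and 134 (CIPSO) are the values assumed from the Linux ip.h header, and the sample option bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option type codes: EOL/NOP from RFC 791; 130 is the RFC 1108 basic security
 * option and 134 is CIPSO (values as in the Linux ip.h header, assumed here). */
#define IPOPT_END   0
#define IPOPT_NOOP  1
#define IPOPT_SEC   130
#define IPOPT_CIPSO 134

struct opt_stats { int known, unknown, security; };

/* Walk the options area of an IPv4 header. Recognised options are counted,
 * unrecognised ones are skipped by their length field (never a reason to drop),
 * and only a malformed encoding (length < 2 or running past the area) returns -1. */
int walk_ip_options(const uint8_t *opts, size_t len, struct opt_stats *st)
{
    size_t i = 0;
    memset(st, 0, sizeof *st);
    while (i < len) {
        uint8_t type = opts[i];
        if (type == IPOPT_END)
            break;                      /* rest of the area is padding */
        if (type == IPOPT_NOOP) {       /* single-byte option, no length field */
            i++; st->known++; continue;
        }
        if (i + 1 >= len || opts[i + 1] < 2 || i + opts[i + 1] > len)
            return -1;                  /* cannot parse: length field is bogus */
        if (type == IPOPT_SEC || type == IPOPT_CIPSO) {
            st->security++; st->known++;
        } else {
            st->unknown++;              /* unknown option: ignore it, keep going */
        }
        i += opts[i + 1];
    }
    return 0;
}

/* Convenience wrappers: -1 on malformed input, otherwise the requested count. */
int count_unknown_options(const uint8_t *opts, size_t len)
{ struct opt_stats st; return walk_ip_options(opts, len, &st) ? -1 : st.unknown; }
int count_security_options(const uint8_t *opts, size_t len)
{ struct opt_stats st; return walk_ip_options(opts, len, &st) ? -1 : st.security; }

int main(void)
{
    /* Constructed options area: CIPSO (type 134, len 6, DOI 1), an unknown
     * option (type 0x99, len 3), a NOP, then EOL padding to a 4-byte boundary. */
    const uint8_t sample[12] = { 134, 6, 0, 0, 0, 1, 0x99, 3, 0xAA, 1, 0, 0 };
    struct opt_stats st;
    int rc = walk_ip_options(sample, sizeof sample, &st);
    printf("rc=%d known=%d unknown=%d security=%d\n", rc, st.known, st.unknown, st.security);
    return rc;
}
```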
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 19:41:34 PDT