On Fri, 10 Aug 2001, James Morris wrote:

> Stephen, can selinux make do with just this level of granularity?

I think SELinux is ok without finer-grained hooks. The original SELinux prototype only had coarse-grained controls on objects like the ARP table and routing table.

> I'd like to propose that we kill the ioctl() calls in netdev_ops, and use
> the existing CAP_NET_ADMIN checks for controlling access to: netdevices,
> routing tables, neighbour operations (e.g. ARP) and packet
> schedulers/classifiers.

Actually, I would prefer to keep the netdev_ops ioctl hook call in devinet_ioctl. At that point, the interface name has been copied into the kernel, so we can use it to control the ability of an application to configure a particular network interface.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
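An added illustration of the two designs compared in this exchange, written for this page and not taken from the thread or from the kernel: a user-space C model in which the request is first copied in (standing in for copy_from_user in devinet_ioctl), the interface name is NUL-terminated, and then either a single CAP_NET_ADMIN gate or a per-interface hook decides. The subject labels, the policy table and the struct names are constructed for the model.

```c
#include <stdbool.h>
#include <string.h>

#define IFNAMSIZ 16
#define CAP_NET_ADMIN_MASK (1u << 12)   /* capability bit 12, used here as a mask */

/* Model of struct ifreq: only the fields the check needs. */
struct ifreq_model { char ifr_name[IFNAMSIZ]; int ifr_flags; };

/* Model of the calling task: a security label plus its capability set. */
struct subject { const char *label; unsigned caps; };

/* Hypothetical per-interface policy (constructed): which label may configure which device. */
static const struct { const char *label; const char *ifname; } policy[] = {
    { "dhcp_client", "eth0" },
    { "vpn_daemon",  "tun0" },
};

/* Coarse design: one CAP_NET_ADMIN check, identical for every interface. */
bool coarse_check(const struct subject *s, const struct ifreq_model *req)
{
    (void)req;                                   /* the name plays no role here */
    return (s->caps & CAP_NET_ADMIN_MASK) != 0;
}

/* Fine-grained design: the hook runs after the name is in kernel memory, so it can use it. */
bool netdev_ioctl_hook(const struct subject *s, const struct ifreq_model *req)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (strcmp(policy[i].label, s->label) == 0 &&
            strcmp(policy[i].ifname, req->ifr_name) == 0)
            return true;
    return false;                                /* default deny */
}

/* Models the devinet_ioctl sequence: copy in, terminate the name, then check. */
bool devinet_ioctl_model(const struct subject *s, const struct ifreq_model *user_req,
                         bool fine_grained)
{
    struct ifreq_model req;
    memcpy(&req, user_req, sizeof req);          /* stands in for copy_from_user() */
    req.ifr_name[IFNAMSIZ - 1] = '\0';           /* never strcmp an unterminated user buffer */
    return fine_grained ? netdev_ioctl_hook(s, &req) : coarse_check(s, &req);
}
```

With the coarse check a CAP_NET_ADMIN holder configures any interface; with the hook the same task is confined to the interfaces its label is allowed.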
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 06:09:35 PDT