On Fri, 10 Aug 2001, Chris Vance wrote:

> To recap, this patch defines one new hook and places it in two places in
> the network input path (one for TCP and one for UDP/RAW/etc). We use it to
> check receive, connect, and accept permissions once the socket has been
> associated with the incoming skbuff.

It's probably worth noting that if developers need to access the IP header from this hook, it has been 'pulled' from the skb by this stage. It may be tempting to poke around inside the skb and find the IP header (currently, it will probably still be there), but this breaks skb API encapsulation and is not guaranteed.

The "correct" way of doing this is to use the skb security blob to store network layer information (e.g. IP header fields) at some hook in the network layer, then retrieve it at the transport or application layer as needed.

This then facilitates policies such as: "allow user fred receive tcp,udp from 10.1.2.3"

- James

--
James Morris <jmorrisat_private>
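The pattern described above (record IP-layer facts in the skb security blob at a network-layer hook, then decide at the socket-receive hook from the blob alone), as an added userspace model in C; this is not code from the patch or the kernel. The struct and hook names, uid 1000 standing in for "fred", and the packets are constructed assumptions.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-in for sk_buff: current data pointer, remaining length, security blob. */
struct ip_blob { uint32_t saddr; uint8_t proto; bool valid; };
struct skb { const uint8_t *data; size_t len; struct ip_blob sec; };
/* One rule: "allow user <uid> receive <protos> from <saddr>" (saddr in network order). */
struct rule { uint32_t uid; uint32_t saddr; uint8_t protos[2]; int nproto; };

/* Network-layer hook: the IPv4 header is still at skb->data here, so record the
 * fields the transport layer will need in the blob, then emulate the pull. */
static int ip_rcv_hook(struct skb *skb) {
    if (skb->len < 20 || (skb->data[0] >> 4) != 4) return -EINVAL;
    size_t ihl = (skb->data[0] & 0x0f) * 4u;           /* header length in bytes */
    if (ihl < 20 || skb->len < ihl) return -EINVAL;
    memcpy(&skb->sec.saddr, skb->data + 12, 4);        /* source address, bytes 12..15 */
    skb->sec.proto = skb->data[9];                      /* protocol, byte 9 */
    skb->sec.valid = true;
    skb->data += ihl;                                   /* header is now "pulled" */
    skb->len -= ihl;
    return 0;
}

/* Transport-layer hook: decides from the blob alone and never looks back into
 * skb->data for the IP header, which is no longer guaranteed to be there. */
static int socket_rcv_hook(const struct skb *skb, uint32_t uid,
                           const struct rule *rules, int nrules) {
    if (!skb->sec.valid) return -EACCES;                /* no network-layer facts: deny */
    for (int i = 0; i < nrules; i++) {
        if (rules[i].uid != uid || rules[i].saddr != skb->sec.saddr) continue;
        for (int j = 0; j < rules[i].nproto; j++)
            if (rules[i].protos[j] == skb->sec.proto) return 0;
    }
    return -EACCES;
}

/* Runs both hooks over one packet under the assumed policy "uid 1000 (fred) may
 * receive TCP (6) and UDP (17) from 10.1.2.3". Returns 0 when allowed. */
int check_receive(uint32_t uid, const uint8_t *pkt, size_t len) {
    struct rule policy[1] = { { 1000, inet_addr("10.1.2.3"), { 6, 17 }, 2 } };
    struct skb skb = { pkt, len, { 0, 0, false } };
    int err = ip_rcv_hook(&skb);
    return err ? err : socket_rcv_hook(&skb, uid, policy, 1);
}
/* Constructed packets: 20-byte IPv4 header plus 4 bytes payload, TCP and ICMP from 10.1.2.3. */
const uint8_t tcp_from_10_1_2_3[24]  = { 0x45,0,0,24, 0,0,0,0, 64,6,0,0, 10,1,2,3, 10,0,0,1, 1,2,3,4 };
const uint8_t icmp_from_10_1_2_3[24] = { 0x45,0,0,24, 0,0,0,0, 64,1,0,0, 10,1,2,3, 10,0,0,1, 1,2,3,4 };
```

The ICMP packet from the same source is denied because the rule lists only TCP and UDP, and a truncated packet is rejected at the network-layer hook before any blob is written.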