On Sat, Aug 11, 2001 at 11:54:55AM +1000, James Morris wrote:
> On Fri, 10 Aug 2001, Chris Vance wrote:
> >
> > To recap, this patch defines one new hook and places it in two places in
> > the network input path (one for TCP and one for UDP/RAW/etc). We use it to
> > check receive, connect, and accept permissions once the socket has been
> > associated with the incoming skbuff.
>
> It's probably worth noting that if developers need to access the IP header
> from this hook, that it has been 'pulled' from the skb by this stage.
>
> It may be tempting to poke around inside the skb and find the IP header
> (currently, it will probably still be there), but this breaks skb API
> encapsulation and is not guaranteed.
>
> The "correct" way of doing this is to use the skb security blob to store
> network layer information (e.g. IP header fields) at some hook in the
> network layer, then retrieve it at the transport or application layer as
> needed.
>
> This then facilitates policies such as:
>
> "allow user fred receive tcp,udp from 10.1.2.3"

That's exactly what NetDomain does, now if only WireX would publish their
code, so others could use it :)

I don't understand, are you saying Chris's proposed hook allows you to do
this, or doesn't allow it? And if not, should this patch not be applied?

Man I need to learn the network stack code someday...

greg k-h

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
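The pattern James describes (capture IP header fields into the skb security blob at a network-layer hook, then decide at the socket-receive hook from the blob alone, because the IP header has been pulled by then) as an added, user-space C model. This is not code from the thread, from the patch under discussion, or from the Linux kernel: the struct names, hook names, the 20-byte header layout and the sample policy for uid 1000 are all constructed here, and the "skb" is a plain buffer whose `data` offset stands in for `skb->data`.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model, not kernel code. Names are assumptions. */
enum { PROTO_TCP = 6, PROTO_UDP = 17 };

/* What an LSM would hang off the skb security blob (assumed layout). */
struct sec_blob {
    uint32_t saddr;      /* IPv4 source, network byte order */
    uint32_t daddr;
    uint8_t  protocol;
    int      valid;      /* set only after the network-layer hook has run */
};

/* Stand-in for struct sk_buff: data is the offset of the current layer's header. */
struct model_skb {
    unsigned char buf[64];
    size_t data;
    struct sec_blob sec;
};

/* Minimal IPv4 header (20 bytes, no options); field widths keep it padding-free. */
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, protocol;
    uint16_t check;
    uint32_t saddr, daddr;
};

/* Network-layer hook: runs while data still points at the IP header,
 * so copying the fields out here is legitimate. */
static void netlayer_hook(struct model_skb *skb)
{
    struct ipv4_hdr ip;
    memcpy(&ip, skb->buf + skb->data, sizeof ip);
    skb->sec.saddr = ip.saddr;
    skb->sec.daddr = ip.daddr;
    skb->sec.protocol = ip.protocol;
    skb->sec.valid = 1;
}

/* The stack then pulls the IP header: data advances past it. */
static void skb_pull_ip(struct model_skb *skb)
{
    skb->data += sizeof(struct ipv4_hdr);
}

/* After the pull, is an IPv4 header (version nibble 4) still at data?
 * Returns 0 here: this is why the socket hook must not read the header. */
int ip_header_at_data(const struct model_skb *skb)
{
    return (skb->buf[skb->data] >> 4) == 4;
}

struct policy_rule { uid_t uid; uint8_t protocol; const char *from; };

/* Constructed policy: "allow user fred receive tcp,udp from 10.1.2.3",
 * with fred assumed to be uid 1000. */
static const struct policy_rule policy[] = {
    { 1000, PROTO_TCP, "10.1.2.3" },
    { 1000, PROTO_UDP, "10.1.2.3" },
};

/* Transport-layer (socket receive) hook: decides from the blob only.
 * Returns 0 to allow, -1 to deny; fails closed if the blob was never filled. */
static int socket_rcv_hook(uid_t sock_uid, const struct model_skb *skb)
{
    if (!skb->sec.valid)
        return -1;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        struct in_addr a;
        if (policy[i].uid != sock_uid || policy[i].protocol != skb->sec.protocol)
            continue;
        if (inet_pton(AF_INET, policy[i].from, &a) == 1 && a.s_addr == skb->sec.saddr)
            return 0;
    }
    return -1;
}

/* Build a constructed packet from src, run it through both hooks in the order
 * the stack would, and return the socket hook's verdict (0 allow, -1 deny). */
int receive_packet(uid_t sock_uid, const char *src, uint8_t protocol)
{
    struct model_skb skb;
    struct ipv4_hdr ip;
    memset(&skb, 0, sizeof skb);
    memset(&ip, 0, sizeof ip);
    ip.ver_ihl = 0x45;
    ip.protocol = protocol;
    inet_pton(AF_INET, src, &ip.saddr);
    inet_pton(AF_INET, "10.0.0.1", &ip.daddr);
    memcpy(skb.buf, &ip, sizeof ip);
    netlayer_hook(&skb);
    skb_pull_ip(&skb);          /* header is gone from data before the socket hook runs */
    if (ip_header_at_data(&skb))
        fprintf(stderr, "unexpected: header still at data after pull\n");
    return socket_rcv_hook(sock_uid, &skb);
}

int main(void)
{
    printf("tcp from 10.1.2.3 to uid 1000: %s\n",
           receive_packet(1000, "10.1.2.3", PROTO_TCP) == 0 ? "allow" : "deny");
    printf("tcp from 10.1.2.4 to uid 1000: %s\n",
           receive_packet(1000, "10.1.2.4", PROTO_TCP) == 0 ? "allow" : "deny");
    return 0;
}
```

The point of the split is ordering: the only place the IP fields are read from packet memory is the network-layer hook, and the socket-receive decision depends solely on what that hook stored, so it keeps working whether or not the header bytes happen to survive the pull. Failing closed when the blob is unset guards against a path where the network-layer hook was never invoked.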
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 19:43:39 PDT