Re: [patch] Socket Receive Hook

From: Greg KH (gregat_private)
Date: Fri Aug 10 2001 - 19:40:29 PDT


    On Sat, Aug 11, 2001 at 11:54:55AM +1000, James Morris wrote:
    > On Fri, 10 Aug 2001, Chris Vance wrote:
    > 
    > > To recap, this patch defines one new hook and places it in two places in
    > > the network input path (one for TCP and one for UDP/RAW/etc). We use it to
    > > check receive, connect, and accept permissions once the socket has been
    > > associated with the incoming skbuff.
    > 
    > It's probably worth noting that if developers need to access the IP header
    > from this hook, that it has been 'pulled' from the skb by this stage.
    > 
    > It may be tempting to poke around inside the skb and find the IP header
    > (currently, it will probably still be there), but this breaks skb API
    > encapsulation and is not guaranteed.
    > 
    > The "correct" way of doing this is to use the skb security blob to store
    > network layer information (e.g. IP header fields) at some hook in the
    > network layer, then retrieve it at the transport or application layer as
    > needed.
    > 
    > This then facilitates policies such as:
    > 
    > "allow user fred receive tcp,udp from 10.1.2.3"
    
    That's exactly what NetDomain does, now if only WireX would publish
    their code, so others could use it :)
    
    I don't understand, are you saying Chris's proposed hook allows you to
    do this, or doesn't allow it?  And if not, should this patch not be
    applied?
    
    Man I need to learn the network stack code someday...
    
    greg k-h
    
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
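The two-stage design James Morris describes above, as an added example that is not code from this thread or from the LSM patch: a userspace C model in which a network-layer hook records IP header fields in the skb security blob, and the transport-layer receive hook enforces "allow user fred receive tcp,udp from 10.1.2.3" from the blob alone, after the header has been pulled. All names (struct skb, sec_blob, netlayer_hook, transport_recv_hook, the policy table) are hypothetical and not the real LSM API; uid 1000 stands for fred.

```c
#include <stdint.h>
#include <stddef.h>
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
/* Per-packet security blob: filled at the network layer while the IP header
 * is still reachable, read back at the transport layer after it is pulled. */
struct sec_blob { uint32_t saddr; uint8_t proto; int valid; };
/* Minimal skb model (hypothetical): ip_hdr becomes NULL once pulled. */
struct skb { const uint8_t *ip_hdr; struct sec_blob sec; };
/* One policy line: "allow user <uid> receive <proto> from <saddr>" */
struct rule { uint32_t uid; uint8_t proto; uint32_t saddr; };
/* Constructed policy for uid 1000 ("fred"): tcp,udp from 10.1.2.3 */
static const struct rule policy[] = {
    { 1000, PROTO_TCP, 0x0A010203u },
    { 1000, PROTO_UDP, 0x0A010203u },
};

/* Network-layer hook: copy the fields the policy needs into the blob. */
void netlayer_hook(struct skb *skb)
{
    const uint8_t *ip = skb->ip_hdr;          /* IPv4: proto at byte 9, saddr at 12..15 */
    skb->sec.proto = ip[9];
    skb->sec.saddr = (uint32_t)ip[12] << 24 | (uint32_t)ip[13] << 16 |
                     (uint32_t)ip[14] << 8  | (uint32_t)ip[15];
    skb->sec.valid = 1;
}

/* Transport-layer receive hook: decides from the blob alone. 0 = permit, -1 = deny. */
int transport_recv_hook(uint32_t uid, const struct skb *skb)
{
    if (!skb->sec.valid) return -1;           /* never labelled: fail closed */
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].uid == uid && policy[i].proto == skb->sec.proto &&
            policy[i].saddr == skb->sec.saddr)
            return 0;
    return -1;
}

/* Whole receive path for one constructed packet: label, pull, then check. */
int receive_path(uint32_t uid, uint8_t proto, uint32_t saddr)
{
    uint8_t hdr[20] = { 0x45 };               /* constructed 20-byte IPv4 header */
    struct skb skb = { hdr, { 0, 0, 0 } };
    hdr[9] = proto; hdr[12] = (uint8_t)(saddr >> 24); hdr[13] = (uint8_t)(saddr >> 16);
    hdr[14] = (uint8_t)(saddr >> 8);  hdr[15] = (uint8_t)saddr;
    netlayer_hook(&skb);
    skb.ip_hdr = NULL;                        /* transport layer has pulled the header */
    return transport_recv_hook(uid, &skb);
}
```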
    