Attached is a patch which adds two hooks that were required by SELinux to support labeled networking. Does anyone have any suggestions, comments, or criticism?

* post_accept - placed in sockets.c:sys_accept, just before return. This allows us to update socket labels for the newly created socket. The original listening socket is relabeled in the sock_rcv_skb hook during the handshake (peer label updated). This information needs to be copied into the newly created socket after the accept.

* recv_datagram - placed in datagram.c:skb_recv_datagram just before the skb is returned (non-null/non-error case only). This seems to be the only time that there is an association between the current process, the socket, and the skb. SELinux will use this to copy the socket source SID and the socket message SID into the process security structure so that it may be returned by extended socket calls (recvmsg_secure and recvfrom_secure).

It is possible that the transmit side will also require additional hooks, but we haven't explored all alternatives not requiring new hooks.

Yes, the patch doesn't make the necessary changes to the SELinux module; my tree is sufficiently different right now that a patch would just confuse the issue. We can commit this patch to the LSM tree once there are no outstanding issues.

Thanks,
chris.
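As an added illustration, not the patch attached to this message: a user-space C model of the label flow through the three hooks it names (sock_rcv_skb, post_accept, recv_datagram). Every struct, function and hook signature in it is an assumption made for the sketch, not the kernel's or SELinux's definitions.

```c
/* Added user-space model of the hook placement described in the message.
 * All types, names and hook signatures here are assumptions for the sketch,
 * not the kernel's or SELinux's own definitions. */
typedef unsigned int secid_t;                           /* SELinux SIDs are u32 */
struct sock_sec { secid_t sid; secid_t peer_sid; };     /* per-socket labels */
struct skb_sec  { secid_t msg_sid; };                   /* per-packet message label */
struct task_sec { secid_t sock_sid; secid_t msg_sid; }; /* read by *_secure calls */
struct socket  { struct sock_sec sec; };
struct sk_buff { struct skb_sec sec; };
struct task    { struct task_sec sec; };
/* Hook table: the existing sock_rcv_skb plus the two hooks the patch adds. */
struct net_hooks {
	void (*sock_rcv_skb)(struct socket *sk, const struct sk_buff *skb);
	void (*post_accept)(const struct socket *listener, struct socket *newsock);
	void (*recv_datagram)(struct task *t, const struct socket *sk, const struct sk_buff *skb);
};

/* Handshake: the listening socket records the peer's label. */
static void model_sock_rcv_skb(struct socket *sk, const struct sk_buff *skb)
{
	sk->sec.peer_sid = skb->sec.msg_sid;
}
/* sys_accept, just before return: copy the listener's labels to the new socket. */
static void model_post_accept(const struct socket *listener, struct socket *newsock)
{
	newsock->sec = listener->sec;
}
/* skb_recv_datagram, non-NULL skb only: record the socket source SID and the
 * message SID in the process security structure for recvmsg_secure/recvfrom_secure. */
static void model_recv_datagram(struct task *t, const struct socket *sk, const struct sk_buff *skb)
{
	t->sec.sock_sid = sk->sec.sid;
	t->sec.msg_sid = skb->sec.msg_sid;
}
static const struct net_hooks hooks = { model_sock_rcv_skb, model_post_accept, model_recv_datagram };
/* Models the sys_accept path: handshake on the listener, then label the new socket. */
void model_sys_accept(struct socket *listener, const struct sk_buff *syn, struct socket *newsock)
{
	hooks.sock_rcv_skb(listener, syn);    /* peer label updated during handshake */
	hooks.post_accept(listener, newsock); /* placed just before sys_accept returns */
}
/* Models skb_recv_datagram: the hook fires only when an skb is actually returned. */
struct sk_buff *model_skb_recv_datagram(struct task *t, const struct socket *sk, struct sk_buff *skb)
{
	if (skb)
		hooks.recv_datagram(t, sk, skb);
	return skb;
}
```

The NULL-skb branch mirrors the "non-null/non-error case only" placement: a failed receive leaves the process security structure untouched.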
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 08:43:56 PST