* Chris Vance (cvanceat_private) wrote: > > Attached is a patch which adds two hooks that were required by SELinux to > support labeled networking. Does anyone have any suggestions, comments, > or criticism? > > * post_accept - placed in sockets.c:sys_accept, just before return. This > allows us to update socket labels for the newly created socket. The > original listening socket is relabeled in the sock_rcv_skb hook during > the handshake (peer label updated). This information needs to be > copied into the newly created socket after the accept. this hooks makes sense to me, as it is similar to the post_foo hooks in the VFS layer. > * recv_datagram - placed in datagram.c:skb_recv_datagram just before the > skb is returned (non-null/non-error case only). This seems to be the > only time that there is a association between the current process, the > socket, and the skb. SELinux will use this to copy the socket source > SID and the socket message SID into the process security structure so > that it may be returned by extended socket calls (recvmsg_secure and > recvfrom_secure). i too could use such a hook. the sock_rcv_skb hook is not useful in conjunction with socket level recvmsg hook. we definitely need a way to to correlate the lower level labelling to the process context. is the inode reference not sufficient from sock_rcv_skb context? cheers, -chris _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Mon Mar 18 2002 - 12:09:02 PST