On Mon, 18 Mar 2002, Chris Wright wrote:
> i too could use such a hook. the sock_rcv_skb hook is not useful
> in conjunction with socket level recvmsg hook. we definitely need a
> way to correlate the lower level labelling to the process context.
> is the inode reference not sufficient from sock_rcv_skb context?

Was Chris Vance's reply clear? We have a recvmsg_secure system call that allows an application to obtain the security label of a datagram as well as the datagram itself. The skb_recv_datagram hook is always called at the right point to copy the skb security information to the task security structure so that it can be obtained by the recvmsg_secure system call and returned to the calling process. The sock_rcv_skb hook occurs at the right point to mediate packet receipt on sockets, but not to have the receiving process context.

Copying the skb security information into the inode is no good, since you may have multiple datagrams received before there is any process receive operation. You could try maintaining a queue of information in the inode security structure, but that seems wasteful since we already have the per-skb security information. We just need a hook at the right point to transfer that information to the receiving process context. Hence, the need for skb_recv_datagram.

Any objections to adding these two new hooks?

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
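The argument in the message above, that a label copied into the socket inode at sock_rcv_skb time is clobbered when several datagrams queue up before the process reads any of them, whereas a per-skb label copied into the task security structure at skb_recv_datagram time always matches the datagram handed to the process, can be shown with a small user-space model. The following is an added illustration, not kernel or LSM code from the thread; every struct and function name (sock_model, model_sock_rcv_skb, model_skb_recv_datagram, task_sec, inode_sec) is a hypothetical stand-in for the kernel objects the message refers to, and the two labels are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Added user-space model, not Linux or LSM code. It contrasts the rejected
 * "copy the label into the inode" design with per-skb labelling transferred
 * to the task security structure when the datagram is actually received.
 * All names below are hypothetical stand-ins for kernel objects. */

#define LABEL_LEN 32
#define QUEUE_LEN 8

struct skb_sec   { char label[LABEL_LEN]; int seq; };  /* per-skb security info   */
struct inode_sec { char label[LABEL_LEN]; };           /* rejected per-inode copy */
struct task_sec  { char dgram_label[LABEL_LEN]; };     /* per-process structure   */

struct sock_model {
    struct skb_sec queue[QUEUE_LEN];   /* socket receive queue */
    int head, tail;
    struct inode_sec inode;
};

static void copy_label(char *dst, const char *src) {
    strncpy(dst, src, LABEL_LEN - 1);
    dst[LABEL_LEN - 1] = '\0';
}

/* Stand-in for the sock_rcv_skb point: the packet arrives carrying its own
 * label and is queued. The inode copy is updated here too, overwriting the
 * label of any earlier datagram still waiting in the queue.
 * Returns 0, or -1 if the queue is full. */
static int model_sock_rcv_skb(struct sock_model *s, const char *label, int seq) {
    if (s->tail - s->head >= QUEUE_LEN) return -1;
    struct skb_sec *skb = &s->queue[s->tail % QUEUE_LEN];
    copy_label(skb->label, label);
    skb->seq = seq;
    copy_label(s->inode.label, label);
    s->tail++;
    return 0;
}

/* Stand-in for the skb_recv_datagram point: the receiving process dequeues
 * one skb and the hook copies that skb's label into its task security
 * structure, where a recvmsg_secure-style call could return it with the data.
 * Returns the datagram's sequence number, or -1 if the queue is empty. */
static int model_skb_recv_datagram(struct sock_model *s, struct task_sec *t) {
    if (s->head == s->tail) return -1;
    struct skb_sec *skb = &s->queue[s->head % QUEUE_LEN];
    copy_label(t->dgram_label, skb->label);
    s->head++;
    return skb->seq;
}

/* Scenario: two datagrams with different (constructed) labels arrive before
 * the process receives either. Count how many received datagrams are seen
 * with the wrong label under the chosen strategy. */
static int count_wrong_labels(int use_inode_copy) {
    struct sock_model s = {0};
    struct task_sec t = {0};
    const char *labels[] = { "net_a_t:s0", "net_b_t:s1" };
    int wrong = 0;
    for (int i = 0; i < 2; i++)
        model_sock_rcv_skb(&s, labels[i], i);
    for (int i = 0; i < 2; i++) {
        int seq = model_skb_recv_datagram(&s, &t);
        const char *seen = use_inode_copy ? s.inode.label : t.dgram_label;
        if (seq < 0 || strcmp(seen, labels[seq]) != 0) wrong++;
    }
    return wrong;
}

int wrong_labels_inode_copy(void) { return count_wrong_labels(1); }
int wrong_labels_task_copy(void)  { return count_wrong_labels(0); }

int main(void) {
    printf("inode copy: %d of 2 datagrams mislabelled\n", wrong_labels_inode_copy());
    printf("task copy:  %d of 2 datagrams mislabelled\n", wrong_labels_task_copy());
    return 0;
}
```

With the inode copy, the first datagram is reported with the second datagram's label because the second arrival overwrote the single per-inode slot; with the per-skb label transferred at receive time, both datagrams are reported correctly. Queueing labels in the inode would fix the mismatch but only duplicates what the skb already carries, which is the message's point.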