* Wayne Salamon (wsalamonat_private) wrote:
>
> I am proposing a set of hooks to allow client security information to be
> reliably associated with a new socket connection. The security structure
> is attached to the sock, and can be used to store information about the
> client when a new connection is created. This information can then be
> propagated to user space via the socket structure.
>
> SELinux uses these hooks to provide the security ID of the connecting
> client to the server via the extended socket calls. The patch files
> include the necessary SELinux changes.

After brief review I'll need to dig in deeper and understand how this is
useful. I was initially confused by the naming, since it's really done on
the accepting side of a stream rather than the connecting side (at least
the socket_sock_connect bit, but the unix_stream_connect is called from
the client side of the socket, right?).

Of course, I must ask...is there no other way? ;-)

It seems reasonable to keep label from skb up through socket. I am not
clear that SCM isn't useful enough in the AF_UNIX family, but like I said,
I haven't looked at this very thoroughly.

General comments:

- the save/restore bit seems a little funky
- if (sk != NULL), just do if (sk) (which is already checked above,
  although collapsing into one check might not be worth it considering
  the zero_it.)

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
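The user-space side of what the proposal describes (a server reading the security label of the client behind an accepted connection) is shown below as an added example; it is not code from this thread, from the proposed patch, or from SELinux. It assumes the `SO_PEERSEC` socket option, which later Linux kernels expose for exactly this label query; the thread only says "extended socket calls", so that mapping is an assumption. The `peer_allowed` list and the socketpair standing in for an accepted connection are constructed for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* Linux value of SO_PEERSEC (asm-generic/socket.h); defined here only when
 * the libc headers do not already provide it. */
#ifndef SO_PEERSEC
#define SO_PEERSEC 31
#endif

/* Query the LSM-supplied security label of the peer on a connected stream
 * socket.  Returns 1 if a NUL-terminated label was stored in buf, 0 if the
 * kernel or active LSM provides none (e.g. ENOPROTOOPT with no labeling
 * LSM loaded), and -1 if fd is not a usable socket. */
int peer_label(int fd, char *buf, size_t buflen)
{
    socklen_t len = (socklen_t)buflen;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERSEC, buf, &len) == 0) {
        if (len >= buflen)
            len = (socklen_t)(buflen - 1);   /* keep room for the NUL */
        buf[len] = '\0';
        return buf[0] != '\0' ? 1 : 0;
    }
    return (errno == EBADF || errno == ENOTSOCK) ? -1 : 0;
}

/* Defender-side policy: accept a connection only when the peer's label is on
 * an explicit allow list (exact string match; constructed policy shape). */
int peer_allowed(const char *label, const char *const *allowed, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(label, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Constructed demonstration: a socketpair stands in for an accepted
 * connection and the "server" end (sv[0]) asks for its peer's label.
 * Returns the peer_label() result so callers can see which path was taken. */
int demo_peer_label(void)
{
    int sv[2];
    char label[256];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int rc = peer_label(sv[0], label, sizeof label);
    if (rc == 1)
        printf("peer label: %s\n", label);
    else if (rc == 0)
        printf("kernel provides no peer label on this socket\n");
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    const char *const allowed[] = { "system_u:system_r:httpd_t:s0" };
    printf("httpd_t allowed: %d\n",
           peer_allowed("system_u:system_r:httpd_t:s0", allowed, 1));
    return demo_peer_label() < 0 ? 1 : 0;
}
```

On a kernel without a labeling LSM the query fails with ENOPROTOOPT and `peer_label` reports 0, so the caller must decide what to do when no label is available rather than treating an empty label as trusted.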
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 19:07:46 PDT