On Wed, 10 Jul 2002, Wayne Salamon wrote:

> In the original SELinux prototype, the client security info was
> maintained in the sock struct. In the current LSM SELinux, we tried to
> avoid using the sock structure and implemented a list of connection-SID
> mappings, but this is prone to leak memory and is not very elegant, and
> doesn't always work in the UNIX case. See
> http://www.nsa.gov/selinux/doc/module/x2043.html for a detailed
> discussion. So we decided to add security info to the sock struct in the
> same manner as the original prototype.

In particular, see the discussion of extsocket_post_accept in the Extended
Socket Call Processing section. We need to be able to save peer SID (client
SID) information on a per-connection basis, and the inode security blob of
the listening socket is inadequate for this purpose.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
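The design point in the message above (per-connection peer SID state belongs on the accepted sock, not on the listener's inode blob) as an added user-space model, not code from the LSM or SELinux trees. The struct and function names (sk_security, sk_alloc_security, post_accept, inode_security) and the SID values 500, 1000 and 2000 are constructed for illustration and are assumptions, not the kernel's own identifiers. The model shows why a single listener-side blob loses the first client's SID as soon as a second connection is accepted, while a blob hung off each sock keeps its own peer SID and is freed with the sock, so there is no side list to leak.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t sid_t;

/* Hypothetical per-sock security blob (names assumed, not SELinux's).
 * Each accepted connection gets its own copy, so it can carry its own
 * peer SID independently of the listener and of other connections. */
struct sk_security {
    sid_t sid;       /* SID of the socket itself */
    sid_t peer_sid;  /* SID of the peer that connected; 0 = unknown */
};

struct sock {
    struct sk_security *security;  /* allocated by the LSM, NULL until then */
};

/* The listening socket's inode blob: there is exactly one per listener,
 * so at best it can remember a single "last peer", which is the
 * inadequacy the message refers to. */
struct inode_security {
    sid_t sid;
    sid_t last_peer_sid;
};

static int sk_alloc_security(struct sock *sk, sid_t sid)
{
    struct sk_security *ss = calloc(1, sizeof(*ss));
    if (!ss)
        return -1;
    ss->sid = sid;
    sk->security = ss;
    return 0;
}

/* Freed together with the sock: no separate connection-SID list to clean up. */
static void sk_free_security(struct sock *sk)
{
    free(sk->security);
    sk->security = NULL;
}

/* Modelled post-accept hook: the new sock inherits the listener's SID and
 * records the connecting client's SID on its own blob. */
static int post_accept(const struct sock *listener, struct sock *newsk,
                       sid_t client_sid)
{
    if (sk_alloc_security(newsk, listener->security->sid) < 0)
        return -1;
    newsk->security->peer_sid = client_sid;
    return 0;
}

sid_t sock_peer_sid(const struct sock *sk)
{
    return sk->security ? sk->security->peer_sid : 0;
}

/* Accept two clients with constructed SIDs 1000 and 2000 and report the
 * peer SID still recorded for the first connection afterwards. */
sid_t per_sock_first_peer(void)
{
    struct sock listener = {0}, c1 = {0}, c2 = {0};
    sid_t result;

    if (sk_alloc_security(&listener, 500) < 0)
        return 0;
    if (post_accept(&listener, &c1, 1000) < 0 ||
        post_accept(&listener, &c2, 2000) < 0)
        return 0;
    result = sock_peer_sid(&c1);       /* stays 1000; c2 has its own blob */

    sk_free_security(&c1);
    sk_free_security(&c2);
    sk_free_security(&listener);
    return result;
}

/* Same two accepts when the only place to record the client SID is the
 * listener's inode blob: the second accept overwrites the first. */
static void listener_accept(struct inode_security *isec, sid_t client_sid)
{
    isec->last_peer_sid = client_sid;
}

sid_t listener_blob_first_peer(void)
{
    struct inode_security isec = { .sid = 500, .last_peer_sid = 0 };

    listener_accept(&isec, 1000);      /* client 1 */
    listener_accept(&isec, 2000);      /* client 2 clobbers client 1's SID */
    return isec.last_peer_sid;         /* anyone asking about connection 1 now sees 2000 */
}
```

In the per-sock layout the accepted sock owns its blob for its whole lifetime, so a policy check on a later send or receive can consult the peer SID directly from the sock it is handed; in the listener-blob layout that information is already gone once a second connection arrives.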
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 05:31:09 PDT