On Thu, 11 Jul 2002, James Morris wrote:

>
> What about utilizing the zero_it argument to sk_alloc(), so that
> sk_alloc_security() is not called if its value is zero. The only time
> this is zero is during the allocation of the new sk in
> tcp_create_openreq_child(), and in this case, an sk security field can
> then be allocated explicitly during the new hook call. For SELinux, this
> would be caught by extsocket_sock_precondition() in any case, right?
>

I have a concern with this approach. If we have the tcp_create_openreq_child() hook assume that there is no security structure on the sock, if the kernel logic ever changes to use zero_it from the tcp_create_openreq_child() function, we will leak memory.

Also, what about IPV6? It looks like the sock is zero'd by sk_alloc then the fields are set. Are we going to support IPV6 in LSM?

--
Wayne Salamon
wsalamonat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Jul 11 2002 - 04:38:54 PDT