Attached are two patches to support new functionality based on the sock security structure.

I've added a parameter to the tcp_create_openreq_child() hook to add the listening sock. SELinux uses this change to label a new sock created from an accept() call with the security label from the listening sock. Any packets sent from the new sock before the user-space socket structure is attached will be labeled correctly. Previously, these packets were labeled with a default TCP socket SID.

The SELinux post_create() hook was also changed to label a new sock with the SID of the user-space socket. It is possible within the network stack to have packets sent from a sock after being detached from the user socket. These packets were previously labeled with the default TCP SID, but now are labeled with the SID of the user socket.

I've also attached, as separate patches, updates to LIDS and DTE for this patch and the previous sock security patch.

Wayne

--
Wayne Salamon wsalamonat_private
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 08:19:40 PDT