I agree with the need for tcp_create_openreq_child() to have both the accepting socket and the newly allocated socket for an incoming connection so that any security data can be associated with the new sock structure. Thanks for this recommended change.

- Brett

Wayne Salamon wrote:
> Attached are two patches to support new functionality based on the sock
> security structure. I've added a parameter to the
> tcp_create_openreq_child() hook to add the listening sock.
>
> SELinux uses this change to label a new sock created from an accept()
> call with the security label from the listening sock. Any packets sent
> from the new sock before the user-space socket structure is attached will
> be labeled correctly. Previously, these packets were labeled with a
> default TCP socket SID.
>
> The SELinux post_create() hook was also changed to label a new sock with
> the SID of the user-space socket. It is possible within the network stack
> to have packets sent from a sock after being detached from the user
> socket. These packets were previously labeled with the default TCP SID, but
> now are labeled with the SID of the user socket.
>
> I've also attached, as separate patches, updates to LIDS and DTE for
> this patch and the previous sock security patch.
>
> Wayne
>

-- 
 _______________________________________________________________
( Brett Clark                     Org : Internet and System    )
| Hewlett-Packard Company               Security Lab           |
| 20 Perimeter Summit Blvd.       Phone: 404.648.9510          |
| Mailstop 1109                   Fax  : 404.648.9516          |
| Atlanta, GA 30319-1417          email: brett_clarkat_private |
(_______________________________________________________________)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
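An added example, not part of the posted patches or this thread, that models in user-space C the two labeling changes Wayne describes: the child sock inheriting the listening sock's SID at tcp_create_openreq_child() time, and the sock taking over the user socket's SID in post_create() so packets sent after a detach keep that label. The struct layouts, DEFAULT_TCP_SID and the `patched` switch are assumptions of this sketch, not kernel or SELinux code.

```c
/* Added illustration (not the posted patch): a user-space model of the
 * sock-labeling behaviour the message describes; DEFAULT_TCP_SID and the
 * `patched` switch are hypothetical stand-ins for before/after the patch. */
#include <stdio.h>
typedef unsigned int sid_t;
#define DEFAULT_TCP_SID 1000u   /* stand-in for the generic TCP socket SID */
struct sock   { sid_t sid; struct socket *usock; };  /* kernel-level sock */
struct socket { sid_t sid; struct sock *sk; };       /* user-space socket */
/* SID a packet sent from sk carries: the attached user socket's SID if
 * there is one, otherwise the label on the sock itself. */
static sid_t packet_sid(const struct sock *sk)
{
    return sk->usock ? sk->usock->sid : sk->sid;
}
/* tcp_create_openreq_child() hook: unpatched, only the new sock is visible
 * and it gets the default SID; patched, it inherits the listener's label. */
static void openreq_child(int patched, const struct sock *lsk, struct sock *newsk)
{
    newsk->sid = patched ? lsk->sid : DEFAULT_TCP_SID;
}
/* post_create() hook: attach the user socket; patched, the sock also takes
 * over the user socket's SID, so the label survives a later detach. */
static void post_create(int patched, struct socket *usock, struct sock *sk)
{
    usock->sk = sk;
    sk->usock = usock;
    if (patched)
        sk->sid = usock->sid;
}
/* Packet labels over an accept()ed connection: out[0] before the user
 * socket is attached, out[1] while attached, out[2] after it is detached. */
static void packet_labels(int patched, sid_t listener_sid, sid_t out[3])
{
    struct sock listener = { listener_sid, NULL }, child = { 0u, NULL };
    struct socket usock = { listener_sid, NULL };
    openreq_child(patched, &listener, &child);
    out[0] = packet_sid(&child);          /* early packets, e.g. SYN-ACK */
    post_create(patched, &usock, &child);
    out[1] = packet_sid(&child);
    child.usock = NULL;                   /* user socket torn down */
    out[2] = packet_sid(&child);
}
int main(void)
{
    sid_t before[3], after[3];
    packet_labels(0, 42u, before);
    packet_labels(1, 42u, after);
    printf("unpatched: %u %u %u\npatched: %u %u %u\n", before[0], before[1], before[2], after[0], after[1], after[2]);
    return 0;
}
```

With a listener labeled 42, the unpatched run shows the default SID both before attach and after detach, while the patched run carries 42 throughout.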
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 17:09:45 PDT