Re: New sock security patches

From: Brett Clark (bmcat_private)
Date: Thu Aug 29 2002 - 17:08:13 PDT

I agree with the need for tcp_create_openreq_child() to have both the
accepting socket and the newly allocated socket for an incoming connection
so that any security data can be associated with the new sock structure.

Thanks for this recommended change.

- Brett

Wayne Salamon wrote:

> Attached are two patches to support new functionality based on the sock
> security structure. I've added a parameter to the
> tcp_create_openreq_child() hook to add the listening sock.
>
> SELinux uses this change to label a new sock created from an accept()
> call with the security label from the listening sock. Any packets sent
> from the new sock before the user-space socket structure is attached will
> be labeled correctly. Previously, these packets were labeled with a
> default TCP socket SID.
>
> The SELinux post_create() hook was also changed to label a new sock with
> the SID of the user-space socket. It is possible within the network stack
> to have packets sent from a sock after being detached from the user
> socket. These packets were previously labeled with the default TCP SID, but
> now are labeled with the SID of the user socket.
>
> I've also attached, as separate patches, updates to LIDS and DTE for
> this patch and the previous sock security patch.
>
> Wayne
>
-- 
 _______________________________________________________________
( Brett Clark                   Org  : Internet and System      )
| Hewlett-Packard Company                 Security Lab          |
| 20 Perimeter Summit Blvd.     Phone: 404.648.9510             |
| Mailstop 1109                 Fax  : 404.648.9516             |
| Atlanta, GA 30319-1417        email: brett_clarkat_private       |
(_______________________________________________________________)

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
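The thread turns on a labeling gap: a sock allocated for an incoming connection exists, and may transmit, before any user-space socket is attached to it, so a hook that sees only the new sock can do no better than a default TCP SID. The following user-space C model, added here as an illustration and not taken from the patches, SELinux or the kernel, shows why passing the listening sock into the tcp_create_openreq_child() hook closes that gap, and why post_create() copying the user socket's SID keeps packets correctly labeled after the sock is detached. The `struct sock`, `struct socket`, SID type and constant values are all constructed stand-ins; the function names are modelled on the hook names in the message but are not the kernel's signatures.

```c
#include <stdio.h>

/* Constructed model of a security identifier attached to a kernel sock. */
typedef unsigned int sid_t;

/* Stand-in for the default TCP socket SID the message refers to (constructed value). */
#define DEFAULT_TCP_SOCKET_SID 1u

/* Kernel-side sock: carries its own label, used for every packet it sends. */
struct sock {
    sid_t sid;
};

/* User-space socket structure; sk is NULL before attach and after detach. */
struct socket {
    sid_t sid;
    struct sock *sk;
};

/* Old hook shape: only the new sock is visible, so the default label is all
 * that can be applied at creation time. */
static void label_openreq_child_old(struct sock *newsk)
{
    newsk->sid = DEFAULT_TCP_SOCKET_SID;
}

/* New hook shape: the listening sock is passed too, so the new sock inherits
 * the listener's label immediately (the change Wayne describes). */
static void label_openreq_child_new(struct sock *newsk, const struct sock *listen_sk)
{
    newsk->sid = listen_sk->sid;
}

/* post_create(): once the user-space socket is attached, the sock takes the
 * user socket's SID, so later packets keep that label even after detach. */
static void post_create(struct socket *us, struct sock *sk)
{
    us->sk = sk;
    sk->sid = us->sid;
}

/* Label a packet sent from sk would carry; independent of any user socket. */
static sid_t packet_sid(const struct sock *sk)
{
    return sk->sid;
}

/* Scenario 1: packet sent before attach, old hook -> default SID. */
sid_t sid_before_attach_old(sid_t listener_sid)
{
    struct sock listener = { listener_sid };
    struct sock newsk;
    (void)listener;
    label_openreq_child_old(&newsk);
    return packet_sid(&newsk);
}

/* Scenario 2: packet sent before attach, new hook -> listener's SID. */
sid_t sid_before_attach_new(sid_t listener_sid)
{
    struct sock listener = { listener_sid };
    struct sock newsk;
    label_openreq_child_new(&newsk, &listener);
    return packet_sid(&newsk);
}

/* Scenario 3: user socket attached via post_create(), then detached; packets
 * still sent from the sock carry the user socket's SID, not the default. */
sid_t sid_after_detach(sid_t user_sid)
{
    struct socket us = { user_sid, NULL };
    struct sock sk = { DEFAULT_TCP_SOCKET_SID };
    post_create(&us, &sk);
    us.sk = NULL;                 /* detach: the sock lives on in the stack */
    return packet_sid(&sk);
}

int main(void)
{
    /* Constructed SIDs: 42 for the listener, 7 for a user socket. */
    printf("before attach, old hook: SID %u\n", sid_before_attach_old(42));
    printf("before attach, new hook: SID %u\n", sid_before_attach_new(42));
    printf("after detach via post_create: SID %u\n", sid_after_detach(7));
    return 0;
}
```

The first scenario is the defect the message describes (a default label on early packets); the second and third are the two corrections, each applied at the point where the right label first becomes available.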

This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 17:09:45 PDT