On Mon, 30 Sep 2002, Olaf Dietsche wrote:

> Even SELinux would benefit from this new hook, since they could move
> the protocol specific part away from socket_bind() to ip_prot_sock().
> Thus, they could gain _real_ fine grained control over who has access
> and who has not.

In the original SELinux kernel patch, we did place the name_bind check directly in inet_bind with the existing Linux check, although we still only supported augmenting the existing check. When we migrated to LSM, we tried to further minimize the invasiveness of our code by using the abstract socket layer hooks when possible (along with using the Netfilter hooks and a few additional network layer hooks). Notice that "augmenting the existing check" aka "restrictive" is a design characteristic of LSM, as discussed in the published LSM papers.

SELinux does provide fine-grained control over what processes can bind to a particular port based on the security domain. However, I understand your point and don't object to your hook, except to suggest that you not pass both the port and the (address, addrlen) pair to it. You could drop the latter without harm to SELinux, but it would be more general to drop the port and pass the full address.

My only other concern is whether the kernel developers will object to having a LSM hook in both sys_bind and inet_bind.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
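The following is an added illustration, not code from this thread, from SELinux or from the LSM tree. It models in userspace the bind-time hook being discussed, written the way Stephen suggests: the hook receives the caller's security domain plus the full (address, addrlen) pair rather than a bare port. The point it demonstrates is why that form is more general: the same hook can derive the port for both AF_INET and AF_INET6, validate addrlen the way inet_bind() does before reading family-specific fields, and express rules (such as "loopback only") that a port number alone cannot carry. The function name bind_hook_check(), the domain strings such as "httpd_t", and the policy table are all constructed for the example; they are not the real SELinux policy or hook signature.

```c
/* Added example: a userspace model of an LSM-style bind hook that takes
 * the full sockaddr instead of a port.  Names and policy are illustrative. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define BIND_OK      0
#define BIND_EACCES (-13)   /* same numeric value as the kernel's -EACCES */
#define BIND_EINVAL (-22)   /* same numeric value as the kernel's -EINVAL */

/* One policy row: which (hypothetical) security domain may bind what. */
struct bind_rule {
    const char *domain;    /* caller's domain, e.g. "httpd_t" (constructed) */
    int family;            /* AF_INET, AF_INET6, or 0 for either */
    unsigned short port;   /* host byte order; 0 matches any port */
    int loopback_only;     /* 1: the bound address must be loopback */
};

/* Constructed sample policy; not SELinux's real policy. */
static const struct bind_rule rules[] = {
    { "httpd_t",      0,       80,   0 },
    { "httpd_t",      0,       443,  0 },
    { "dns_t",        AF_INET, 53,   0 },   /* IPv4 only, on purpose */
    { "localdb_t",    0,       5432, 1 },   /* any family, loopback only */
    { "unconfined_t", 0,       0,    0 },   /* wildcard */
};

static int sockaddr_is_loopback(const struct sockaddr *addr)
{
    if (addr->sa_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)addr;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;   /* 127.0.0.0/8 */
    }
    const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)addr;
    return IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr);
}

/* Extract the port, checking addrlen before touching family-specific
 * fields (inet_bind() and inet6_bind() reject short lengths the same way).
 * Returns 0 and sets *port, or BIND_EINVAL for an address it cannot read. */
static int sockaddr_port(const struct sockaddr *addr, socklen_t addrlen,
                         unsigned short *port)
{
    if (addrlen < sizeof(addr->sa_family))
        return BIND_EINVAL;
    switch (addr->sa_family) {
    case AF_INET:
        if (addrlen < sizeof(struct sockaddr_in))
            return BIND_EINVAL;
        *port = ntohs(((const struct sockaddr_in *)addr)->sin_port);
        return 0;
    case AF_INET6:
        if (addrlen < sizeof(struct sockaddr_in6))
            return BIND_EINVAL;
        *port = ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
        return 0;
    default:
        return BIND_EINVAL;
    }
}

/* The hook body: BIND_OK if some rule for this domain matches the address,
 * BIND_EACCES if none does, BIND_EINVAL if the address is malformed. */
static int bind_hook_check(const char *domain, const struct sockaddr *addr,
                           socklen_t addrlen)
{
    unsigned short port;
    int rc = sockaddr_port(addr, addrlen, &port);
    if (rc)
        return rc;
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct bind_rule *r = &rules[i];
        if (strcmp(r->domain, domain) != 0)
            continue;
        if (r->family && r->family != addr->sa_family)
            continue;
        if (r->port && r->port != port)
            continue;
        if (r->loopback_only && !sockaddr_is_loopback(addr))
            continue;
        return BIND_OK;
    }
    return BIND_EACCES;
}

/* Wrappers that build a sockaddr from text, as a bind() caller would. */
static int check_v4(const char *domain, const char *ip, unsigned short port)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1)
        return BIND_EINVAL;
    return bind_hook_check(domain, (const struct sockaddr *)&sin, sizeof(sin));
}

static int check_v6(const char *domain, const char *ip, unsigned short port)
{
    struct sockaddr_in6 sin6;
    memset(&sin6, 0, sizeof(sin6));
    sin6.sin6_family = AF_INET6;
    sin6.sin6_port = htons(port);
    if (inet_pton(AF_INET6, ip, &sin6.sin6_addr) != 1)
        return BIND_EINVAL;
    return bind_hook_check(domain, (const struct sockaddr *)&sin6, sizeof(sin6));
}

int main(void)
{
    printf("httpd_t 0.0.0.0:80 -> %d\n", check_v4("httpd_t", "0.0.0.0", 80));
    printf("dns_t [::]:53 -> %d\n", check_v6("dns_t", "::", 53));
    printf("localdb_t 0.0.0.0:5432 -> %d\n", check_v4("localdb_t", "0.0.0.0", 5432));
    return 0;
}
```

The dns_t and localdb_t rows are the ones a port-only hook could not express: the first distinguishes an IPv6 bind from an IPv4 bind on the same port, and the second distinguishes 127.0.0.1:5432 from 0.0.0.0:5432. Both decisions need the address, which is the generality argument in the message above.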
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 11:16:26 PDT