> To have the socket_sock_rcv_skb() hook accepted, it had to be made more
> generic (i.e. cover all important protocols) and at the suggestion of Dave
> Miller, encapsulated within sk_filter(). This has also led to a nice
> cleanup of some of the core networking code, removing some #ifdef junk.
> Not yet done is addition of an sk_filter() call to the SCTP code, which
> I'm still looking into and may supply as an additional patch (this is a
> 'bug' in the existing code which we may have to inherit briefly :-).

<snip>

> Stephen: would you please let me know if the placement of the sk_filter()
> hook within tcp_ipv4.c will be workable with SELinux? It changes the
> placement of the socket_sock_rcv_skb() hook, but AFAICT, should still be
> ok (we can't change the sk_filter() placement, btw).

Hasn't skb->dev been cleared before we reach the sk_filter call? We
can't infer a security label for the packet without knowing the
receiving device.

--
Stephen Smalley, NSA
sdsat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 08:44:54 PST