* James Morris (jmorrisat_private) wrote:
> On Tue, 4 Feb 2003, Stephen D. Smalley wrote:
>
> > Hasn't skb->dev been cleared before we reach the sk_filter call? We can't
> > infer a security label for the packet without knowing the receiving device.
>
> As mentioned off-list, I'm going to try moving the sk_filter() call so
> that we get called before skb->dev has been cleared. A snapshot of the
> network patchset is online at:
>
> http://www.intercode.com.au/jmorris/patches/lsm/
>
> Just waiting for some feedback from the maintainers on this.

I think this will cover our needs in SubDomain. The only issue we'd have
is with not knowing the route at the outbound socket hooks. But I think
the NetFilter hook will know the skb->sock->socket->inode, so this should
work fine. Of course, the socket_sock_rcv_skb hook is needed for our
inbound checks. Looks good to me.

Thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 02:01:47 PST