Re: [RFC] SO_PEERSEC - security credentials for Unix stream sockets

From: David S. Miller (davem@private)
Date: Wed Dec 10 2003 - 14:56:52 PST

  • Next message: Michael Halcrow: "Re: new security_settime patch"

    On Wed, 10 Dec 2003 11:33:53 -0500 (EST)
    James Morris <jmorris@private> wrote:
    > Three new LSM hooks have been implemented:
    > - socket_getpeersec() is the getsockopt interface.
    > - sk_alloc_security() and sk_free_security() facilitate the use of an
    >   sk_security field, which is used to store the security credentials of 
    >   the Unix peer.  We can't use an existing security field for this (e.g. 
    >   inode), as we need the security credentials of the server's child 
    >   socket.  This follows the same general scheme used for managing existing 
    >   Unix peer credentials.
    > Comments?
    I'm fine with this conceptually, although the earliest I could put
    this into the tree is 2.6.1 although I have a hunch that I'll be
    asked to defer something like this to 2.6.2, but who knows.
    The one thing I don't like is the ifdef conditionalized member of
    the sock struct.  We should move away from config variables changing
    structure layouts.  Even a "void *sk_security;" would be better.

    This archive was generated by hypermail 2b30 : Wed Dec 10 2003 - 15:01:05 PST