Re: [RFC] SO_PEERSEC - security credentials for Unix stream sockets

From: Chris Wright (chrisw@private)
Date: Fri Dec 12 2003 - 16:16:17 PST


    * James Morris (jmorris@private) wrote:
    > Below is a patch against 2.6.0-test11 which implements a new socket option
    > SO_PEERSEC (defined for i386 only at this stage).
    
    Thanks for doing this, James.  In your example demonstration, you simply
    print the peersec string.  Do you expect to use it with simple comparison
    against something like data from procattr, or something else?  IOW,
    does this introduce any new namespace issues for apps?
    
    > +static inline int security_sk_alloc_security(struct sock *sk, int family, int priority)
    > +static inline void security_sk_free_security(struct sock *sk)
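
    Review bot: The `priority` argument and the int return of security_sk_alloc_security are undocumented in these two declarations. A comment on the hook should say whether `priority` is the allocation priority the module must use for its own allocation (so it knows whether it may sleep), what a non-zero return means to the caller, and whether security_sk_free_security may be called on a sock whose alloc hook failed.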
    
    Minor nit.  These names are inconsistent with the existing analogous ones.
    How about simply security_sk_alloc and security_sk_free?
    
    > +++ linux-2.6.0-test11.w2/net/core/sock.c	2003-12-10 09:55:39.378901360 -0500
    > @@ -564,6 +564,9 @@
    >  			v.val = sk->sk_state == TCP_LISTEN;
    >  			break;
    >  
    > +		case SO_PEERSEC:
    > +			return security_socket_getpeersec(sock, optval, len);
    > +
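
    Review bot: The SO_PEERSEC case returns the hook's result directly instead of setting a value and using `break` like the case above it, so anything the function does after the switch is skipped for this option. If the hook is meant to tell the caller how much it copied, or how large a buffer is needed when the supplied one is too small, pass it the caller's length pointer rather than `len`, and document which error is returned on truncation.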
    
    Would it be useful to ask the module to update len, as is done in some
    other cases?  Perhaps the buffer is too small; can len be the vector for that info?
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    


