Date:	Fri, 20 Jul 2007 17:44:19 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	James Morris <jmorris@...ei.org>
CC:	Tetsuo Handa <from-netdev@...ove.SAKURA.ne.jp>,
	shemminger@...ux-foundation.org, netdev@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: [PATCH 1/1] Allow LSM to use IP address/port number.

James Morris wrote:
> On Sat, 21 Jul 2007, Tetsuo Handa wrote:
>
>> I can't use netfilter infrastructure because
>> it is too early to know who the recipient process of the packet is.
>
> I think the way forward on this is to re-visit the idea of providing a 
> proper solution for the incoming packet/user match problem.
>
> I posted one possible solution a couple of years ago (skfilter):
> http://lwn.net/Articles/157137/
>
> I think there has been some recent discussion by netfilter developers 
> about this issue, so perhaps you could talk to them (cd'd Patrick)

Even with socket filters netfilter doesn't know the final recipient
process, that is not known until it calls recvmsg and the data is read,
which is too late for netfilter.

Quoting Tetsuo:

> > So, my approach is not using security context associated with a socket
> > but security context associated with a process.

Isn't the socket context derived from the process context?
