| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070709160538.289d8ac2@freepuppy.rosehill.hemminger.net> Date: Mon, 9 Jul 2007 16:05:38 -0700 From: Stephen Hemminger <shemminger@...ux-foundation.org> To: James Morris <jmorris@...ei.org> Cc: Tetsuo Handa <from-netdev@...ove.SAKURA.ne.jp>, davem@...emloft.net, netdev@...r.kernel.org, linux-security-module@...r.kernel.org Subject: Re: [RFC] Allow LSM to use IP address/port number. On Mon, 9 Jul 2007 18:50:27 -0400 (EDT) James Morris <jmorris@...ei.org> wrote: > On Mon, 9 Jul 2007, Tetsuo Handa wrote: > > > It drops messages from unwanted IP address/ports. > > (To be exact, it doesn't drop, it just tells userland process > > not to use received messages by returning errors.) > > This is broken. > > You need to properly fail the network operation and ensure that the peers > are appropriately notified using the standard failure paths, not just > arbitrarily propagate errors to the local user. Isn't it better to hook into existing netfilter infrastructure somehow? Just filtering by ports or IP addresses is tip of bigger security isolation issues. -- Stephen Hemminger <shemminger@...ux-foundation.org> - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists