[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20071219220539.1626.46073.stgit@flek.americas.hpqcorp.net>
Date: Wed, 19 Dec 2007 17:20:54 -0500
From: Paul Moore <paul.moore@...com>
To: netdev@...r.kernel.org
Subject: [RFC PATCH] New LSM hook to catch outbound packets
Currently LSMs need to use a netfilter post routing hook to catch outbound
packets and subject them to access control. This works reasonably well but
has always been a bit awkward when IPsec or similar mechanisms were used
because the same packet would end up going through the same LSM hook multiple
times. For obvious reasons this often resulted in unnecessary overhead and
additional headaches when trying to determining the correct LSM security
policy.
This patch attempts to fix this problem by adding a new hook into both the
IPv4 and IPv6 output path. The motiviation behind this new hook is a request
from users to provide packet level ingress/egress access control for all
packets on the system, not just packets that are locally consumed or generated.
I know new networking LSM hooks are frowned upon but there has been a lot of
thought and discussion put into this and we haven't been able to find a better
solution. I've trimmed the rest of the patchset from this posting as it isn't
really relevant for this discussion (the full patchset has been under
discussion on the SELinux and LSM lists), but those who are curious can find
the patches online here (this will see another update later today):
* git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
Thanks.
--
paul moore
linux security @ hp
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists