Date:	Wed, 1 Oct 2008 19:55:49 +1000 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Paul Moore <paul.moore@...com>
cc:	selinux@...ho.nsa.gov, linux-security-module@...r.kernel.org,
	netdev@...r.kernel.org
Subject: Re: [RFC PATCH v6 11/16] netlabel: Add functionality to set the
 security attributes of a packet

On Tue, 16 Sep 2008, Paul Moore wrote:

> This patch builds upon the new NetLabel address selector functionality by
> providing the NetLabel KAPI and CIPSO engine support needed to enable the
> new packet-based labeling.  The only new addition to the NetLabel KAPI at
> this point is shown below:
> 
>  * int netlbl_skbuff_setattr(skb, family, secattr)
> 
> ... and is designed to be called from a Netfilter hook after the packet's
> IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.
> 
> This patch also provides the necessary SELinux hooks to support this new
> functionality.  Smack support is not currently included due to uncertainty
> regarding the permissions needed to expand the Smack network access controls.
> 
> Signed-off-by: Paul Moore <paul.moore@...com>

Reviewed-by: James Morris <jmorris@...ei.org>

> +	/* we overwrite any existing options to ensure that we have enough
> +	 * room for the CIPSO option, the reason is that we _need_ to guarantee
> +	 * that the security label is applied to the packet - we do the same
> +	 * thing when using the socket options and it hasn't caused a problem,
> +	 * if we need to we can always revisit this choice later */
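Review bot: The behaviour stated in this comment, that any existing IP options are overwritten to make room for the CIPSO option, is a contract callers need to know about (a forwarded packet loses whatever options it arrived with, given the FORWARD hook named in the description), so it should be documented in the function's kernel-doc and not only in an inline comment; a one-line "Note: any existing IP options on the packet are discarded" in the function header would be enough.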

....

> +	/* we have to do the following because we are being called from a
> +	 * netfilter hook which means the packet already has had the header
> +	 * fields populated and the checksum calculated - yes this means we
> +	 * are doing more work than needed but we do it to keep the core
> +	 * stack clean and tidy */
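Review bot: This comment says the header is already populated and the checksum already calculated when the hook runs, but it does not name which checksum is recomputed after the option is inserted or where in the function that happens; stating that explicitly (and that the recompute follows the last modification of the header) would let a reader confirm the final header is the one covered, and it is worth saying whether the skb is guaranteed to be writable and unshared at the FORWARD and LOCAL_OUT hooks before its header is rewritten.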

It might be better in the long term to integrate this stuff more directly 
with the core networking.



- James
-- 
James Morris
<jmorris@...ei.org>