| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2009 11:54:58 -0700 (PDT) From: David Miller <davem@...emloft.net> To: paul.moore@...com Cc: linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, netdev@...r.kernel.org Subject: Re: [RFC PATCH v1 1/3] lsm: Relocate the IPv4 security_inet_conn_request() hooks From: Paul Moore <paul.moore@...com> Date: Thu, 12 Mar 2009 12:22:57 -0400 > The current placement of the security_inet_conn_request() hooks do not allow > individual LSMs to override the IP options of the connection's request_sock. > This is a problem as both SELinux and Smack have the ability to use labeled > networking protocols which make use of IP options to carry security attributes > and the inability to set the IP options at the start of the TCP handshake is > problematic. > > This patch moves the IPv4 security_inet_conn_request() hooks past the code > where the request_sock's IP options are set/reset so that the LSM can safely > manipulate the IP options as needed. This patch intentionally does not change > the related IPv6 hooks as IPv6 based labeling protocols which use IPv6 options > are not currently implemented, once they are we will have a better idea of > the correct placement for the IPv6 hooks. This looks OK to me: Acked-by: David S. Miller <davem@...emloft.net> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists