| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Mar 2009 15:39:30 -0400 From: Paul Moore <paul.moore@...com> To: David Miller <davem@...emloft.net> Cc: linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov, netdev@...r.kernel.org Subject: Re: [RFC PATCH v1 1/3] lsm: Relocate the IPv4 security_inet_conn_request() hooks On Friday 13 March 2009 02:54:58 pm David Miller wrote: > From: Paul Moore <paul.moore@...com> > Date: Thu, 12 Mar 2009 12:22:57 -0400 > > > The current placement of the security_inet_conn_request() hooks do not > > allow individual LSMs to override the IP options of the connection's > > request_sock. This is a problem as both SELinux and Smack have the > > ability to use labeled networking protocols which make use of IP options > > to carry security attributes and the inability to set the IP options at > > the start of the TCP handshake is problematic. > > > > This patch moves the IPv4 security_inet_conn_request() hooks past the > > code where the request_sock's IP options are set/reset so that the LSM > > can safely manipulate the IP options as needed. This patch intentionally > > does not change the related IPv6 hooks as IPv6 based labeling protocols > > which use IPv6 options are not currently implemented, once they are we > > will have a better idea of the correct placement for the IPv6 hooks. > > This looks OK to me: > > Acked-by: David S. Miller <davem@...emloft.net> Great, thanks for taking a look. -- paul moore linux @ hp -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists