RE: Networking Patch (outline)

["Venkatesh Yekkirala" <vyekkirala@TrustedCS.com>]

> > If we want to flow-control just once, another option to 
> consider would be
> > using rcv_skb for locally destined traffic and a new hook 
> into ip_forward()
> > for flow-control of forwarded traffic coming-in.
> 
> Yeah, that's an option, I'm just a little adverse to having 
> to add hooks in 
> the different *_rcv_skb() functions; I'd much prefer them to 
> be at a lower 
> level where we would need less hooks.  Although, we could 
> just piggyback on 
> the existing sk_filter/security_sock_recv_skb() hook since it 
> appears in most 
> of the *_rcv_skb() functions I've looked at (I suspect it's 
> in all, but 
> haven't bothered to check yet).

Piggybacking is what I meant ("using" rcv_skb and a "new" hook
into ip_forward() :).

> 
> Time to go for a walk and think about this some more ...
> 

Actually, postroute_last would be hit for each xfrm as well.
So, perhaps a separate LSM hook into say ip_output() ...

> > > > +	/* See if skb can flow in thru the interface */
> > > > +	err = sel_netif_sids(skb->dev, &if_sid, NULL);
> > > > +	if (err)
> > > > +		goto out;
> > > > +
> > > > +	err = avc_has_perm(skb->secid, if_sid,
> > > > +					SECCLASS_NETIF,
> > > > +					NETIF__FLOW_IN, &ad);
> > >
> > > I assume this is where the host/node check would go?  Would
> > > it make sense to
> > > create a combined interface/network label and check so that
> > > we could do one
> > > lookup and one access check instead of two?
> >
> > I believe it does make sense. I will ask around here to see
> > if anyone can figure out a case where it wouldn't work.
> 
> Great, thanks.  The fewer the permission checks the better I think.
> 
> -- 
> paul moore
> linux security @ hp
> 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.