From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: lkml <linux-kernel@vger.kernel.org>
Subject: Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c
Date: Thu, 9 Sep 2004 18:44:31 +0100 [thread overview]
Message-ID: <20040909174431.GE10046@lkcl.net> (raw)
In-Reply-To: <1094747347.22014.94.camel@moss-spartans.epoch.ncsc.mil>
On Thu, Sep 09, 2004 at 12:29:07PM -0400, Stephen Smalley wrote:
> On Thu, 2004-09-09 at 12:22, Luke Kenneth Casson Leighton wrote:
> > i do not believe it to be sensible to have the kernel
> > code doing that kind of checking (resolving the full
> > pathname of an executable) but hey, if anyone feels
> > otherwise, and knows of some pre-existing code to point
> > me in the direction of, i'll add it, because it might
> > be easier in the long run.
> <snip>
> > has someone already done this before now, and if so,
> > where?
>
> d_path() will give you a pathname given a (dentry, vfsmount) pair.
GREAT.
thank you, that means i _can_ put full path names into an
iptables rule, which will make life a lot easier from a userspace
perspective. i'm a bit worried about keeping the rules list
up-to-date if an inode changes.
fireflier already constructs the full path name of the executable
in its userspace code, for comparison against its rules.
_i_ accept the performance penalty (per per-packet) but some
people won't.... and such people will just have to live with
per-packet firewall rules (not per-packet per-program).
[or, and i mention this for the benefit of lkml people,
to create per-program SE/Linux network policy rules, as
already described by stephen on sel-ml last week]
l.
prev parent reply other threads:[~2004-09-09 17:45 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-09 16:22 [patch] update: _working_ code to add device+inode check to ipt_owner.c Luke Kenneth Casson Leighton
2004-09-09 16:19 ` Chris Wright
2004-09-09 18:10 ` Luke Kenneth Casson Leighton
2004-09-09 18:48 ` Chris Wright
2004-09-09 21:25 ` Luke Kenneth Casson Leighton
2004-09-09 23:04 ` Chris Wright
2004-09-10 0:08 ` Luke Kenneth Casson Leighton
2004-09-10 0:21 ` Chris Wright
2004-09-10 0:59 ` Luke Kenneth Casson Leighton
2004-09-10 1:08 ` Chris Wright
2004-09-10 1:34 ` Luke Kenneth Casson Leighton
2004-09-09 21:38 ` Luke Kenneth Casson Leighton
2004-09-09 23:41 ` Chris Wright
2004-09-10 0:10 ` Luke Kenneth Casson Leighton
2004-09-09 16:29 ` Stephen Smalley
2004-09-09 16:33 ` Stephen Smalley
2004-09-09 17:44 ` Luke Kenneth Casson Leighton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040909174431.GE10046@lkcl.net \
--to=lkcl@lkcl.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.