From: Paul Moore <paul.moore@hp.com>
To: David Miller <davem@davemloft.net>
Cc: linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov,
	netdev@vger.kernel.org
Subject: Re: [RFC PATCH v1 1/3] lsm: Relocate the IPv4 security_inet_conn_request() hooks
Date: Fri, 13 Mar 2009 15:39:30 -0400
Message-ID: <200903131539.30903.paul.moore@hp.com>
In-Reply-To: <20090313.115458.168786837.davem@davemloft.net>

On Friday 13 March 2009 02:54:58 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 12 Mar 2009 12:22:57 -0400
>
> > The current placement of the security_inet_conn_request() hooks does not
> > allow individual LSMs to override the IP options of the connection's
> > request_sock. This is a problem as both SELinux and Smack have the
> > ability to use labeled networking protocols which make use of IP options
> > to carry security attributes and the inability to set the IP options at
> > the start of the TCP handshake is problematic.
> >
> > This patch moves the IPv4 security_inet_conn_request() hooks past the
> > code where the request_sock's IP options are set/reset so that the LSM
> > can safely manipulate the IP options as needed.  This patch intentionally
> > does not change the related IPv6 hooks as IPv6 based labeling protocols
> > which use IPv6 options are not currently implemented, once they are we
> > will have a better idea of the correct placement for the IPv6 hooks.
>
> This looks OK to me:
>
> Acked-by: David S. Miller <davem@davemloft.net>

Great, thanks for taking a look.

-- 
paul moore
linux @ hp


Thread overview: 11+ messages
2009-03-12 16:22 [RFC PATCH v1 0/3] Fix a problem with incoming TCP connections and NetLabel Paul Moore
2009-03-12 16:22 ` Paul Moore
2009-03-12 16:22 ` [RFC PATCH v1 1/3] lsm: Relocate the IPv4 security_inet_conn_request() hooks Paul Moore
2009-03-12 16:22   ` Paul Moore
2009-03-13 18:54   ` David Miller
2009-03-13 19:39     ` Paul Moore [this message]
2009-03-13 19:39       ` Paul Moore
2009-03-12 16:23 ` [RFC PATCH v1 2/3] netlabel: Label incoming TCP connections correctly in SELinux Paul Moore
2009-03-12 16:23   ` Paul Moore
2009-03-12 16:23 ` [RFC PATCH v1 3/3] netlabel: Label incoming TCP connections correctly in Smack Paul Moore
2009-03-12 16:23   ` Paul Moore
