From: Patrick McHardy <kaber@trash.net>
To: "Török Edwin" <edwin@gurde.com>
Cc: netfilter-devel@lists.netfilter.org,
fireflier-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org, martinmaurer@gmx.at
Subject: Re: [PATCH 2.6.15.4 1/1][RFC] ipt_owner: inode match supporting both incoming and outgoing packets
Date: Sat, 18 Feb 2006 21:07:47 +0100 [thread overview]
Message-ID: <43F77E93.9080305@trash.net> (raw)
In-Reply-To: <200602182203.41823.edwin@gurde.com>
Török Edwin wrote:
> On Saturday 18 February 2006 21:28, Patrick McHardy wrote:
>
>>Besides the tasklist_lock issues, there is no 1:1 relationship between
>>sockets and processes, which is why this can never work. You don't know
>>which process is going to receive a packet until it calls recvmsg().
>
> Can sockets be "labeled". Like creating a label for each process, and then
> apply a label to each socket they open. If a socket gets shared, then it gets
> multiple labels.
> I see that you talk about SELinux labels below, but is there a way to "label"
> anything without using SELinux? (Maybe by writing another LSM module that
> does just this socket labeling?)
> I could then just check the labels to see if a packet is allowed to pass/ or
> not.
I'm not familiar with SElinux, so I don't know.
>>There is some work in progress to solve this problem in a different way,
>>by adding new hooks to the protocols that get the socket as context,
>>and using SElinux labels instead of process names/inodes/whatever for
>>matching.
>
> Could you tell me on which thread/mailing list this discussion/(work in
> progress) is taking place? I'd like to follow it.
There has been some discussion on netdev and netfilter-devel. I'm
currently porting the patches to a current tree and fixing the
remaining problems, I'll probably post them to netdev in a week or
two.
next prev parent reply other threads:[~2006-02-18 20:07 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-18 12:20 [PATCH 2.6.15.4 1/1][RFC] ipt_owner: inode match supporting both incoming and outgoing packets Török Edwin
2006-02-18 19:28 ` Patrick McHardy
2006-02-18 20:03 ` Török Edwin
2006-02-18 20:07 ` Patrick McHardy [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-02-18 12:10 Török Edwin
2006-02-18 12:25 ` Christoph Hellwig
2006-02-18 12:32 ` Török Edwin
2006-02-18 12:37 ` Christoph Hellwig
2006-02-18 12:47 ` Török Edwin
2006-02-18 13:10 ` Arjan van de Ven
2006-02-18 14:15 ` Török Edwin
2006-02-20 16:26 ` James Morris
2006-02-20 16:42 ` Patrick McHardy
2006-02-20 16:42 ` Patrick McHardy
2006-02-20 17:40 ` Török Edwin
2006-02-20 20:06 ` James Morris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43F77E93.9080305@trash.net \
--to=kaber@trash.net \
--cc=edwin@gurde.com \
--cc=fireflier-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
--cc=martinmaurer@gmx.at \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.