From mboxrd@z Thu Jan  1 00:00:00 1970
Message-ID: <4511C4A8.2090709@hp.com>
Date: Wed, 20 Sep 2006 18:46:00 -0400
From: Paul Moore
MIME-Version: 1.0
To: Venkat Yekkirala
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov, jmorris@namei.org, sds@tycho.nsa.gov, Chad Hanson
Subject: Re: [PATCH 7/7] secid reconciliation-v02: Enforcement for SELinux
References: <36282A1733C57546BE392885C061859201573267@chaos.tcs.tcs-sec.com>
In-Reply-To: <36282A1733C57546BE392885C061859201573267@chaos.tcs.tcs-sec.com>
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Venkat Yekkirala wrote:
>>>+static int selinux_skb_policy_check(struct sk_buff *skb,
>>
>>unsigned short
>>
>>>family) +{
>>>+ u32 xfrm_sid, trans_sid;
>>>+ int err;
>>>+
>>>+ if (selinux_compat_net)
>>>+ return 1;
>>>+
>>>+ err = selinux_xfrm_decode_session(skb, &xfrm_sid, 0);
>>>+ BUG_ON(err);
>>
>>First, any reason against including the "struct sock *" in
>>the LSM hook? At a
>>quick glance it looks like it is available at each place
>>security_skb_policy_check() is invoked? If there are no
>>objections I would
>>like to see it included in the hook.
>
> There's no sock available (NULL) for forward, no-sock, time-wait cases, etc.

... which would be why I should have taken a closer look :)

> What you are trying to accomplish with the sock here anyway?

Actually this is no longer an issue because of something else - you can ignore this now.

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
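Review bot: the `BUG_ON(err)` following `selinux_xfrm_decode_session(skb, &xfrm_sid, 0)` in the quoted hunk turns a decode failure on a received skb into a kernel panic; since this runs on the packet path (the hook is reached for forwarded and socket-less packets, as the reply notes), a packet that makes the decode fail becomes a remotely triggerable crash. Return the error (or a deny result) to the caller so the packet is dropped instead, e.g. `if (err) return err;`. The early `return 1` under `selinux_compat_net` also deserves a comment stating that it intentionally skips the policy check in compatibility mode, so the bypass is not mistaken for an oversight.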