From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
netdev@vger.kernel.org, davem@davemloft.net
Cc: linux-security-module@vger.kernel.org,
netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.
Date: Tue, 22 Jan 2008 08:49:47 -0800 (PST) [thread overview]
Message-ID: <634344.24836.qm@web36604.mail.mud.yahoo.com> (raw)
In-Reply-To: <200801230016.EGG34399.QFtVHFSJFMOOLO@I-love.SAKURA.ne.jp>
--- Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> ...
>
> Currently, there is no way to directly map security context from incoming
> packet to user process. This is because the creator or owner of a socket is
> not always the receiver of an incoming packet. The userland process who
> receives the incoming packet is not known until a process calls
> sys_recvmsg().
> So, I want to add a LSM hook to give a security module a chance to control
> after the recipient of the incoming packet is known.
Do you have a real situation where two user processes with different
security contexts share a socket? How do you get into that situation,
and is it appropriate to have that situation in your security scheme?
Can this occur without using privilege?
Casey Schaufler
casey@schaufler-ca.com
next prev parent reply other threads:[~2008-01-22 16:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-22 15:16 [PATCH net-2.6.25] Add packet filtering based on process's security context Tetsuo Handa
2008-01-22 16:49 ` Casey Schaufler [this message]
2008-01-23 1:26 ` [PATCH net-2.6.25] Add packet filtering based on process\'s " Tetsuo Handa
2008-01-24 11:47 ` [PATCH net-2.6.25] Add packet filtering based on process's " Tetsuo Handa
2008-01-24 15:03 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2007-12-31 6:21 Tetsuo Handa
2007-11-21 12:30 [PATCH] " Tetsuo Handa
2007-11-22 13:35 ` [PATCH net-2.6.25] " Tetsuo Handa
2007-11-22 23:29 ` James Morris
2007-12-03 7:58 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=634344.24836.qm@web36604.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.