public inbox for netdev@vger.kernel.org
From: Paul Moore <pmoore@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	David Miller <davem@davemloft.net>,
	netdev@vger.kernel.org, mvadkert@redhat.com,
	selinux@tycho.nsa.gov, linux-security-module@vger.kernel.org
Subject: Re: [PATCH] tcp: assign the sock correctly to an outgoing SYNACK packet
Date: Tue, 09 Apr 2013 11:57:49 -0400
Message-ID: <1874420.dSqDS2QrBc@sifl>
In-Reply-To: <1365521576.3887.147.camel@edumazet-glaptop>

On Tuesday, April 09, 2013 08:32:56 AM Eric Dumazet wrote:
> On Tue, 2013-04-09 at 11:17 -0400, Paul Moore wrote:
> > The "blob" is a void pointer, so 8 bytes.  We're talking about removing
> > the "secmark" field (4 bytes) and adding a void pointer (8 bytes).  I've
> > shown several different approaches that make this change without
> > increasing the overall size of the sk_buff struct.
> 
> You want to use 4 extra bytes in sk_buff. You'll have to show us why we
> close the way for other valid uses of the current holes.
> 
> I have no idea why it's needed, and why it can't be solved in another
> way.

FWIW, I was focusing on arriving at a basic design that addressed the initial 
reasons for not including a security blob in a sk_buff.  In the beginning I 
thought it was both the need for LSM hooks in the skb management routines as
well as the memory overhead in the skb itself.  During the course of our 
discussion it became clear that the hooks were acceptable, it was the memory 
overhead that was the concern, so that is what I (and Casey) focused on.

Based on your latest comment, it appears that we have some possible candidates
for adding a security blob (void *) to the sk_buff that address your technical
arguments. I wasn't aware we had reached that point, but it is indeed good
news.  Now we just need to make our case that it is the "Right Thing to Do";
that is perfectly reasonable.

> It looks like _I_ have to do your work.

I don't believe I ever asked you to do anything other than to repost a patch 
you posted to the LSM list so we could get it included upstream.  A patch that 
you created to counter my proposed fix for a SELinux regression.  Further, I 
tested your patch, and ACK'd it earlier this morning.

I suppose I also asked you to explain/clarify a few of your technical 
objections a bit further so I could address them, but that just seems like 
normal peer design review.

> Sorry, I have no more time to spend on this topic. You'll have to convince
> David, not me.

Well, thank you for your time; I'm sure we'll get to talk about this again in 
the future.  It looks like we've had enough of a conversation now that I can 
start working on some patches.

-- 
paul moore
security and virtualization @ redhat

