From: Paul Moore <paul@paul-moore.com>
To: Rongqing Li <rongqing.li@windriver.com>
Cc: netdev@vger.kernel.org, selinux@tycho.nsa.gov,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/2] Add a netlink attribute INET_DIAG_SECCTX
Date: Thu, 01 Sep 2011 08:28:10 -0400 [thread overview]
Message-ID: <1971656.b979ahlREa@sifl> (raw)
In-Reply-To: <4E5F5153.6070708@windriver.com>
On Thursday, September 01, 2011 05:33:07 PM Rongqing Li wrote:
> On 09/01/2011 05:18 AM, Paul Moore wrote:
> > On Wednesday, August 31, 2011 04:36:17 PM rongqing.li@windriver.com wrote:
> >> From: Roy.Li<rongqing.li@windriver.com>
> >>
> >> Add a new netlink attribute INET_DIAG_SECCTX to dump the security
> >> context of TCP sockets.
> >
> > You'll have to forgive me, I'm not familiar with the netlink code used
> > by
> > netstat and friends, but is there anyway to report back the security
> > context of UDP sockets? Or does the code below handle that already?
> >
> > In general, AF_INET and AF_INET6 sockets, regardless of any upper level
> > protocols, have security contexts associated with them and it would be
> > nice to see them in netstat.
>
> Yes, this is real concern, If the dumping tcp security context can be
> accepted by netdev, I am planning to implement it for ipv4 udp socket, unix
> socket. then ipv6..
Great, I'm glad to hear you're planning on implementing this for more than
just TCP.
I understand your desire to have the basic idea accepted with only TCP
implemented - and that is fine with me - but I would like to see support for
all of the protocols merged at the same time. In other words, seeking the
basic ACKs for TCP from the davem, et al is okay but I'd like to defer merging
TCP support until you have everything implemented and ready to be merged.
--
paul moore
www.paul-moore.com
next prev parent reply other threads:[~2011-09-01 12:28 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-31 8:36 [PATCH 0/2] Dump the sock's security context rongqing.li
2011-08-31 8:36 ` [PATCH 1/2] Define security_sk_getsecctx rongqing.li
2011-08-31 15:43 ` Casey Schaufler
2011-08-31 18:46 ` Stephen Smalley
2011-08-31 20:49 ` Casey Schaufler
2011-08-31 8:36 ` [PATCH 2/2] Add a netlink attribute INET_DIAG_SECCTX rongqing.li
2011-08-31 12:08 ` Stephen Smalley
2011-08-31 21:18 ` Paul Moore
2011-09-01 9:33 ` Rongqing Li
2011-09-01 12:28 ` Paul Moore [this message]
2011-09-05 0:32 ` Rongqing Li
2011-08-31 8:38 ` [PATCH 0/2] Dump the sock's security context Rongqing Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1971656.b979ahlREa@sifl \
--to=paul@paul-moore.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rongqing.li@windriver.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox