From: Paul Moore <paul.moore@hp.com>
To: netdev@vger.kernel.org
Subject: [RFC PATCH] New LSM hook to catch outbound packets
Date: Wed, 19 Dec 2007 17:20:54 -0500
Message-ID: <20071219220539.1626.46073.stgit@flek.americas.hpqcorp.net>
Currently LSMs need to use a netfilter post routing hook to catch outbound
packets and subject them to access control. This works reasonably well but
has always been a bit awkward when IPsec or similar mechanisms were used
because the same packet would end up going through the same LSM hook multiple
times. For obvious reasons this often resulted in unnecessary overhead and
additional headaches when trying to determine the correct LSM security
policy.
This patch attempts to fix this problem by adding a new hook into both the
IPv4 and IPv6 output path. The motivation behind this new hook is a request
from users to provide packet level ingress/egress access control for all
packets on the system, not just packets that are locally consumed or generated.
I know new networking LSM hooks are frowned upon but there has been a lot of
thought and discussion put into this and we haven't been able to find a better
solution. I've trimmed the rest of the patchset from this posting as it isn't
really relevant for this discussion (the full patchset has been under
discussion on the SELinux and LSM lists), but those who are curious can find
the patches online here (this will see another update later today):
* git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
Thanks.
--
paul moore
linux security @ hp
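The following is an added user-space model, not kernel code and not part of Paul's patchset, of the two hook placements the message contrasts: an access-control hook at the netfilter POST_ROUTING point, which an IPsec-transformed packet passes more than once, versus a single hook placed early in the IPv4/IPv6 output path before the xfrm transform. The function names, the sample label policy and the security-policy-database rule are the model's own assumptions; the point it shows is that the second POST_ROUTING pass sees an ESP packet whose transport header is no longer visible, so a port-based decision cannot be repeated there.

```python
# Added example: a user-space model of LSM egress hook placement. It is not
# kernel code; function names, the ALLOWED table and the SPD rule are invented
# for illustration.
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

Verdict = Tuple[str, str]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp", or "esp" once IPsec has wrapped it
    dport: Optional[int]   # None after encapsulation: transport header hidden
    secid: int             # label inherited from the sending socket


def ipsec_encapsulate(pkt: Packet) -> Packet:
    """Model of the xfrm output transform: the packet is wrapped in ESP and
    the inner transport header is no longer visible to later inspection."""
    return replace(pkt, proto="esp", dport=None)


# Constructed label policy: (secid, destination port) pairs allowed to send.
ALLOWED = {(100, 443), (100, 80), (200, 22)}


def egress_policy(pkt: Packet) -> Verdict:
    """Return (verdict, reason). If the port is not visible, the check cannot
    be made; this is the 'which policy applies?' problem the post describes."""
    if pkt.dport is None:
        return ("indeterminate", f"{pkt.proto}: transport header not visible")
    if (pkt.secid, pkt.dport) in ALLOWED:
        return ("accept", f"secid {pkt.secid} -> port {pkt.dport}")
    return ("drop", f"secid {pkt.secid} -> port {pkt.dport} not allowed")


def needs_ipsec(pkt: Packet) -> bool:
    """Constructed SPD rule: traffic to 10.0.0.0/8 is sent through a tunnel."""
    return pkt.dst.startswith("10.")


def output_path_postrouting_hook(pkt: Packet,
                                 policy: Callable[[Packet], Verdict],
                                 spd: Callable[[Packet], bool]) -> List[Verdict]:
    """Legacy placement: the LSM check hangs off POST_ROUTING. After xfrm wraps
    the packet it re-enters the output path and hits POST_ROUTING a second time,
    so the same logical packet is evaluated twice, once as ESP."""
    verdicts = [policy(pkt)]
    if spd(pkt):
        verdicts.append(policy(ipsec_encapsulate(pkt)))
    return verdicts


def output_path_early_hook(pkt: Packet,
                           policy: Callable[[Packet], Verdict],
                           spd: Callable[[Packet], bool]) -> List[Verdict]:
    """Proposed placement: one hook early in the output path, before xfrm, so
    the policy sees the packet exactly once and with its transport header."""
    verdicts = [policy(pkt)]
    if spd(pkt):
        ipsec_encapsulate(pkt)   # transform still happens; no second policy pass
    return verdicts


if __name__ == "__main__":
    tunnelled = Packet("192.168.1.5", "10.1.2.3", "tcp", 443, 100)
    plain = Packet("192.168.1.5", "192.168.1.9", "tcp", 22, 100)
    for name, fn in (("POST_ROUTING hook", output_path_postrouting_hook),
                     ("early output hook", output_path_early_hook)):
        for p in (tunnelled, plain):
            print(name, p.dst, fn(p, egress_policy, needs_ipsec))
```

Running the model prints two verdicts for the tunnelled packet under the POST_ROUTING placement (an accept for the TCP packet, then an indeterminate result for its ESP wrapper) and a single accept under the early placement; the non-IPsec packet to port 22 is dropped once in both cases.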