From: Paul Moore <paul.moore@hp.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook
Date: Fri, 4 Jan 2008 17:37:50 -0500
Message-ID: <200801041737.50883.paul.moore@hp.com>
In-Reply-To: <20080104.130902.217217806.davem@davemloft.net>

On Friday 04 January 2008 4:09:02 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Fri, 4 Jan 2008 09:38:27 -0500
>
> > Unfortunately, it's not quite that easy at present. The only field
> > we have in the skb where we could possibly set a flag is the
> > secmark field which is already taken.
>
> Herbert Xu added a "peeked" field in net-2.6.25 that is only used on
> input while processing socket receive queues. You could use it on
> output.
Actually, I went back to the drawing board and I think I found a
solution that _should_ work using the existing postroute hook. It
isn't as general but it is relatively simple.
Historically the problem has been with labeled IPsec and the fact that
the postroute hook can get hit multiple times when it is in use. While
yes, the packet is different each time through the hook, the packet's
security label never changes (the packet's security label is determined
by the original sender). From a security point of view we really only
want to check the packet once on the way out and we want that check to
happen at the very end, not while packet transforms are in progress.
This was the motivation for the new LSM hook.
After the new hook was rejected I took a step back and thought about the
problem a bit more. The multi-hit postroute hook problem was really
only an issue for IPsec; the other labeling protocols don't have this
problem because they don't do any transformation of the packet. If we
could find a quick way to determine when all of the IPsec processing
was finished we could use the existing postroute hook approach and
simply fall through if the hook was hit when IPsec processing was still
needed.
I still need to test this to make sure it does everything we need, but
I'm pretty certain that we can key off the skb->dst->xfrm
value as a way to determine if a packet is done with its IPsec
transformation, if any. Basically we rewrite our postroute hook to
look something like this:
int hook(...)
{
	/* stuff to do every time */

	/* an IPsec transform is still pending: fall through, the hook
	 * will be hit again once the transform has been applied */
	if (skb->dst->xfrm != NULL)
		return NF_ACCEPT;

	/* stuff to do only on the last time we are called */
}
If it doesn't end up meeting our needs I'll look into the 'peeked'
field, thanks for the suggestion.
--
paul moore
linux security @ hp
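As an added illustration (not code from this thread or from the kernel), the following user-space simulation models the approach described in the message above: the postroute hook is hit once per pending IPsec transform plus once at the end, and keying off a non-NULL `skb->dst->xfrm` makes the label check run exactly once, on the final pass. The `xfrm_state`, `dst_entry` and `sk_buff` structs are constructed stand-ins holding only the fields the approach relies on, and `label_check` is a hypothetical stand-in for the LSM's actual check.

```c
#include <stddef.h>
#define NF_ACCEPT 1
#define NF_DROP   0

/* Constructed stand-ins for xfrm_state/dst_entry/sk_buff (example code). */
struct xfrm_state { struct xfrm_state *next; };
struct dst_entry  { struct xfrm_state *xfrm; };
struct sk_buff    { struct dst_entry *dst; unsigned int secmark; };

/* Hypothetical label check; counts its calls so a run can prove it
 * fired exactly once, after every transform was applied. */
static int label_check(const struct sk_buff *skb, int *checks)
{
	(*checks)++;
	return skb->secmark == 0 ? NF_DROP : NF_ACCEPT;  /* unlabeled: drop */
}

/* The postroute hook as sketched in the mail: fall through while an
 * IPsec transform is still pending, check only on the last pass. */
static unsigned int postroute_hook(struct sk_buff *skb, int *checks)
{
	/* stuff to do every time would go here */
	if (skb->dst->xfrm != NULL)
		return NF_ACCEPT;
	/* stuff to do only on the last time we are called */
	return label_check(skb, checks);
}

/* Simulated xfrm output path: each fall-through consumes one transform
 * from the bundle, so the hook is hit ntransforms + 1 times (max 3). */
static unsigned int send_labeled(unsigned int secmark, int ntransforms,
				 int *hits, int *checks)
{
	struct xfrm_state bundle[3] = { { NULL }, { NULL }, { NULL } };
	struct dst_entry dst = { NULL };
	struct sk_buff skb = { &dst, secmark };

	for (int i = ntransforms - 1; i >= 0; i--) {  /* chain the states */
		bundle[i].next = dst.xfrm;
		dst.xfrm = &bundle[i];
	}
	*hits = *checks = 0;
	for (;;) {
		(*hits)++;
		unsigned int verdict = postroute_hook(&skb, checks);
		if (dst.xfrm == NULL || verdict != NF_ACCEPT)
			return verdict;
		dst.xfrm = dst.xfrm->next;  /* one transform applied */
	}
}
```

With two transforms pending the hook is hit three times but the label check runs once, on the pass where the xfrm chain has been fully consumed.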