From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: [RFC PATCH v2 1/2] lsm: Add hooks to the TUN driver
Date: Wed, 12 Aug 2009 15:43:15 -0400
Message-ID: <200908121543.15419.paul.moore@hp.com>
References: <20090810172238.7946.34247.stgit@flek.lan> <20090810172844.7946.43287.stgit@flek.lan> <20090812192840.GA13135@us.ibm.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org, selinux@tycho.nsa.gov
To: "Serge E. Hallyn"
Return-path:
In-Reply-To: <20090812192840.GA13135@us.ibm.com>
Content-Disposition: inline
Sender: linux-security-module-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On Wednesday 12 August 2009 03:28:40 pm Serge E. Hallyn wrote:
> Quoting Paul Moore (paul.moore@hp.com):
> > The TUN driver lacks any LSM hooks which makes it difficult for LSM
> > modules, such as SELinux, to enforce access controls on network traffic
> > generated by TUN users; this is particularly problematic for
> > virtualization apps such as QEMU and KVM. This patch adds three new LSM
> > hooks designed to control the creation and attachment of TUN devices, the
> > hooks are:
> >
> > * security_tun_dev_create()
> >   Provides access control for the creation of new TUN devices
> >
> > * security_tun_dev_post_create()
> >   Provides the ability to create the necessary socket LSM state for
> >   newly created TUN devices
> >
> > * security_tun_dev_attach()
> >   Provides access control for attaching to existing, persistent TUN
> >   devices and the ability to update the TUN device's socket LSM state as
> >   necessary
> > ---
>
> Acked-by: Serge Hallyn

Thanks.

-- 
paul moore
linux @ hp