From: Patrick McHardy <kaber@trash.net>
To: James Morris <jmorris@namei.org>
Cc: Tetsuo Handa <from-netdev@I-love.SAKURA.ne.jp>,
	shemminger@linux-foundation.org, netdev@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/1] Allow LSM to use IP address/port number.
Date: Fri, 20 Jul 2007 17:44:19 +0200	[thread overview]
Message-ID: <46A0D853.30803@trash.net> (raw)
In-Reply-To: <Line.LNX.4.64.0707201124070.7319@d.namei>

James Morris wrote:
> On Sat, 21 Jul 2007, Tetsuo Handa wrote:
>
>> I can't use netfilter infrastructure because
>> it is too early to know who the recipient process of the packet is.
>
> I think the way forward on this is to re-visit the idea of providing a
> proper solution for the incoming packet/user match problem.
>
> I posted one possible solution a couple of years ago (skfilter):
> http://lwn.net/Articles/157137/
>
> I think there has been some recent discussion by netfilter developers
> about this issue, so perhaps you could talk to them (cc'd Patrick)

Even with socket filters netfilter doesn't know the final recipient
process; that is not known until it calls recvmsg and the data is read,
which is too late for netfilter.

Quoting Tetsuo:

>> So, my approach is not using security context associated with a socket
>> but security context associated with a process.

Isn't the socket context derived from the process context?
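The ordering problem Patrick describes can be shown in userspace without any kernel code. The following is an added example, not code from this thread or from the kernel: it queues one datagram on a socket, then forks two children that share that socket and race to call recvmsg(). The datagram is already delivered (the point at which a netfilter hook would have run) before either consumer exists, so only the recvmsg() call can name the consuming process. The AF_UNIX socketpair and the payload are constructed stand-ins for real IP traffic; the ordering argument is the same for an inherited or passed TCP/UDP socket.

```python
import os
import socket


def who_receives(payload: bytes = b"constructed datagram", readers: int = 2) -> dict:
    """Queue one datagram, fork `readers` children sharing the socket, and
    report which child's recvmsg() actually drained it.

    Delivery (the netfilter point) happens before fork(); the consuming
    process is decided only when one child calls recv().
    """
    # AF_UNIX datagram pair stands in for an IP path (constructed, local-only
    # traffic); the delivery-before-consumer ordering is identical.
    writer, reader = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    writer.send(payload)      # delivery: the datagram is now queued on `reader`
    reader.settimeout(2.0)    # children that lose the race give up and report empty

    report_r, report_w = os.pipe()   # children report "pid:data" back to the parent
    children = []
    for _ in range(readers):
        pid = os.fork()
        if pid == 0:                 # child: this is where the consumer is decided
            os.close(report_r)
            try:
                data = reader.recv(4096)
            except socket.timeout:
                data = b""           # another child consumed the datagram
            os.write(report_w, b"%d:%s\n" % (os.getpid(), data))
            os._exit(0)              # skip interpreter teardown in the forked child
        children.append(pid)

    os.close(report_w)
    with os.fdopen(report_r, "rb") as fh:
        lines = fh.read().splitlines()   # EOF once every child has exited
    for pid in children:
        os.waitpid(pid, 0)
    writer.close()
    reader.close()

    result = {"forker": os.getpid(), "candidates": children,
              "reader": None, "received": b""}
    for line in lines:
        pid_str, _, data = line.partition(b":")
        if data:                         # exactly one child sees non-empty data
            result["reader"] = int(pid_str)
            result["received"] = data
    return result


def consumer_unknown_at_delivery(result: dict) -> bool:
    """True when the datagram was read by a process that did not yet exist
    when the datagram was delivered to the socket."""
    return (result["reader"] in result["candidates"]
            and result["reader"] != result["forker"]
            and result["received"] != b"")


if __name__ == "__main__":
    r = who_receives()
    print("delivered by pid %d before fork; consumed by pid %s (candidates %s)"
          % (r["forker"], r["reader"], r["candidates"]))
```

Because the socket is shared, the kernel cannot attach a per-packet process identity at delivery time; any LSM check that wants the receiving process has to be placed at the recvmsg()/accept() side, which is the design question this thread is circling.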

Thread overview: 12+ messages
     [not found] <200707032107.CBD30767.PtGMNNTS@I-love.SAKURA.ne.jp>
     [not found] ` <200707061114.07419.paul.moore@hp.com>
     [not found]   ` <200707070225.AFC45609.MNStNTPG@I-love.SAKURA.ne.jp>
     [not found]     ` <200707061343.03942.paul.moore@hp.com>
2007-07-09  5:33       ` [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.) Tetsuo Handa
2007-07-09  7:26         ` [RFC] Allow LSM to use IP address/port number David Miller
2007-07-09 13:13           ` Tetsuo Handa
2007-07-09 22:50             ` James Morris
2007-07-09 23:05               ` Stephen Hemminger
2007-07-09 23:41                 ` James Morris
2007-07-10  4:11                   ` Tetsuo Handa
2007-07-20 15:11                   ` [PATCH 1/1] " Tetsuo Handa
2007-07-20 15:28                     ` James Morris
2007-07-20 15:44                       ` Patrick McHardy [this message]
2007-07-21  1:57                         ` Tetsuo Handa
2007-07-21 18:11                           ` Casey Schaufler
