From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <from-netdev@I-love.SAKURA.ne.jp>,
kaber@trash.net, jmorris@namei.org
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 1/1] Allow LSM to use IP address/port number.
Date: Sat, 21 Jul 2007 11:11:43 -0700 (PDT) [thread overview]
Message-ID: <589819.72705.qm@web36605.mail.mud.yahoo.com> (raw)
In-Reply-To: <200707211057.ACE39835.WUNtGEPSOFF@I-love.SAKURA.ne.jp>
--- Tetsuo Handa <from-netdev@I-love.SAKURA.ne.jp> wrote:
>
> Hello.
>
> Patrick McHardy wrote:
> > Quoting Tetsuo:
> > > > So, my approach is not using security context associated with a socket
> > > > but security context associated with a process.
> > Isn't the socket context derived from the process context?
> Not so regarding my case.
>
> static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t
> priority)
> {
> sk->sk_security = current->security;
> return 0;
> }
>
> will not help what I want to do.
> So, I'm not planning to use "sk->sk_security".
Before you go too far down this path please note that the quoted
code is bad* because back pointers from sockets to tasks can't be
reliable. See later versions for more reasonable behavior.
> I'm planning to use "current->security" at accept()/recvmsg() time.
The delivery of packets and the completion of these syscalls are
related but independent events. Be careful about the relationship
between the events and the placement of your checks.
----
* Stephen had good comments on the details on list earlier.
Casey Schaufler
casey@schaufler-ca.com
prev parent reply other threads:[~2007-07-21 18:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200707032107.CBD30767.PtGMNNTS@I-love.SAKURA.ne.jp>
[not found] ` <200707061114.07419.paul.moore@hp.com>
[not found] ` <200707070225.AFC45609.MNStNTPG@I-love.SAKURA.ne.jp>
[not found] ` <200707061343.03942.paul.moore@hp.com>
2007-07-09 5:33 ` [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.) Tetsuo Handa
2007-07-09 7:26 ` [RFC] Allow LSM to use IP address/port number David Miller
2007-07-09 13:13 ` Tetsuo Handa
2007-07-09 22:50 ` James Morris
2007-07-09 23:05 ` Stephen Hemminger
2007-07-09 23:41 ` James Morris
2007-07-10 4:11 ` Tetsuo Handa
2007-07-20 15:11 ` [PATCH 1/1] " Tetsuo Handa
2007-07-20 15:28 ` James Morris
2007-07-20 15:44 ` Patrick McHardy
2007-07-21 1:57 ` Tetsuo Handa
2007-07-21 18:11 ` Casey Schaufler [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=589819.72705.qm@web36605.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=from-netdev@I-love.SAKURA.ne.jp \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).