From: Casey Schaufler <casey@schaufler-ca.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
netdev@vger.kernel.org, davem@davemloft.net
Cc: linux-security-module@vger.kernel.org,
netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.
Date: Tue, 22 Jan 2008 08:49:47 -0800 (PST) [thread overview]
Message-ID: <634344.24836.qm@web36604.mail.mud.yahoo.com> (raw)
In-Reply-To: <200801230016.EGG34399.QFtVHFSJFMOOLO@I-love.SAKURA.ne.jp>
--- Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> wrote:
> ...
>
> Currently, there is no way to directly map security context from incoming
> packet to user process. This is because the creator or owner of a socket is
> not always the receiver of an incoming packet. The userland process who
> receives the incoming packet is not known until a process calls
> sys_recvmsg().
> So, I want to add a LSM hook to give a security module a chance to control
> after the recipient of the incoming packet is known.
Do you have a real situation where two user processes with different
security contexts share a socket? How do you get into that situation,
and is it appropriate to have that situation in your security scheme?
Can this occur without using privilege?
Casey Schaufler
casey@schaufler-ca.com
next prev parent reply other threads:[~2008-01-22 16:49 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-01-22 15:16 [PATCH net-2.6.25] Add packet filtering based on process's security context Tetsuo Handa
2008-01-22 16:49 ` Casey Schaufler [this message]
2008-01-23 1:26 ` [PATCH net-2.6.25] Add packet filtering based on process\'s " Tetsuo Handa
2008-01-24 11:47 ` [PATCH net-2.6.25] Add packet filtering based on process's " Tetsuo Handa
2008-01-24 15:03 ` Paul Moore
-- strict thread matches above, loose matches on Subject: below --
2007-12-31 6:21 Tetsuo Handa
2007-11-21 12:30 [PATCH] " Tetsuo Handa
2007-11-22 13:35 ` [PATCH net-2.6.25] " Tetsuo Handa
2007-11-22 23:29 ` James Morris
2007-12-03 7:58 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=634344.24836.qm@web36604.mail.mud.yahoo.com \
--to=casey@schaufler-ca.com \
--cc=davem@davemloft.net \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).