From: Samir Bellabes <sam@synack.fr>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-security-module@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [RFC v3 01/10] lsm: add security_socket_closed()
Date: Fri, 06 May 2011 15:45:27 +0200 [thread overview]
Message-ID: <87oc3glz7s.fsf@synack.fr> (raw)
In-Reply-To: <201105040029.IGA98088.SHOVQFLOMJtOFF@I-love.SAKURA.ne.jp> (Tetsuo Handa's message of "Wed, 4 May 2011 00:29:29 +0900")
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> Samir Bellabes wrote:
>> Allow a module to update security informations when a socket is closed.
> Is security_inode_free() too late for doing it?
>
> static void ccs_inode_free_security(struct inode *inode)
> {
> if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
> ccs_update_socket_tag(inode, 0);
> }
this point won't be possible.
security_inode_free() is occuring too late :
static int sock_close(struct inode *inode, struct file *filp)
{
security_socket_close(SOCKET_I(inode));
... -> acces sock->sk infos in this hook
sock_release(SOCKET_I(inode));
{
sock->ops->release(sock);
{
int inet_release(struct socket *sock)
{
struct sock *sk = sock->sk;
if (sk) {
sock_rps_reset_flow(sk);
sock->sk = NULL;
sk->sk_prot->close(sk, timeout);
--> here sk infos are now removed
}
}
if (!sock->file) {
iput(SOCK_INODE(sock));
--> here we are removing the inode, so
security_inode_free is called now, but too late.
}
}
}
return 0;
}
next prev parent reply other threads:[~2011-05-06 13:45 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-03 14:24 [RFC v3 00/10] snet: Security for NETwork syscalls Samir Bellabes
2011-05-03 14:24 ` [RFC v3 01/10] lsm: add security_socket_closed() Samir Bellabes
2011-05-03 15:29 ` Tetsuo Handa
2011-05-03 15:41 ` Samir Bellabes
2011-05-06 13:45 ` Samir Bellabes [this message]
2011-05-03 14:24 ` [RFC v3 02/10] Revert "lsm: Remove the socket_post_accept() hook" Samir Bellabes
2011-05-03 22:02 ` Paul Moore
2011-05-04 2:28 ` Tetsuo Handa
2011-05-04 8:50 ` Samir Bellabes
2011-05-05 14:11 ` Paul Moore
2011-05-05 21:43 ` Tetsuo Handa
2011-05-06 9:25 ` Samir Bellabes
2011-05-06 17:27 ` Paul Moore
2011-05-03 14:24 ` [RFC v3 03/10] snet: introduce snet_core Samir Bellabes
2011-05-03 14:24 ` [RFC v3 04/10] snet: introduce snet_event Samir Bellabes
2011-05-03 14:24 ` [RFC v3 05/10] snet: introduce snet_hooks Samir Bellabes
2011-05-03 14:24 ` [RFC v3 06/10] snet: introduce snet_netlink Samir Bellabes
2011-05-03 14:24 ` [RFC v3 07/10] snet: introduce snet_verdict Samir Bellabes
2011-05-03 14:24 ` [RFC v3 08/10] snet: introduce snet_ticket Samir Bellabes
2011-05-03 14:24 ` [RFC v3 09/10] snet: introduce snet_utils Samir Bellabes
2011-05-03 14:24 ` [RFC v3 10/10] snet: introduce security/snet, Makefile and Kconfig changes Samir Bellabes
2011-05-03 16:53 ` [RFC v3 00/10] snet: Security for NETwork syscalls Casey Schaufler
2011-05-03 17:15 ` Samir Bellabes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87oc3glz7s.fsf@synack.fr \
--to=sam@synack.fr \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).