Re: [redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking
- From: Stephen Smalley <sds tycho nsa gov>
- To: Venkat Yekkirala <vyekkirala trustedcs com>
- Cc: redhat-lspp redhat com, latten austin ibm com, tjaeger cse psu edu, jmorris redhat com
- Subject: Re: [redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking
- Date: Thu, 15 Jun 2006 11:18:26 -0400
On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds a security sid to the flow key itself making the flow cache
> lookups based on the sid seamless.
>
> This patch also adds support for handling security for sock. Security at the
> sock level is needed to enforce the SELinux security policy for security associations
> even when a sock is orphaned (such as in the TCP LAST_ACK state).
>
> Signed-off-by: Venkat Yekkirala <vyekkirala TrustedCS com>
>
> ---
> include/net/flow.h | 5 +++--
> net/core/flow.c | 7 ++-----
> net/core/sock.c | 4 ++++
> 3 files changed, 9 insertions(+), 7 deletions(-)
>
> --- linux-2.6.16.vanilla/net/core/sock.c 2006-06-12 17:49:39.000000000 -0500
> +++ linux-2.6.16/net/core/sock.c 2006-06-13 08:40:48.000000000 -0500
> @@ -841,7 +841,11 @@ struct sock *sk_clone(const struct sock
> if (newsk != NULL) {
> struct sk_filter *filter;
>
> + /* Save/restore the LSM security pointer around the copy */
> + void *sptr = newsk->sk_security;
> memcpy(newsk, sk, sk->sk_prot->obj_size);
> + newsk->sk_security = sptr;
> + security_sk_clone(sk, newsk);
>
> /* SANITY */
> sk_node_init(&newsk->sk_node);
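Review bot: security_sk_clone() is called on the new `+ security_sk_clone(sk, newsk);` line, but nothing in this hunk or in the rest of this patch declares it, so the tree does not build at this point in the series; either introduce the hook (with a no-op default for !CONFIG_SECURITY) in the same patch or reorder the series so the hook lands first. The save/memcpy/restore/hook sequence also belongs in one helper (a static inline in sock.c, name to be chosen) rather than open-coded in sk_clone(), so that the LSM pointer preservation stays attached to the memcpy it protects and any later copy of a struct sock cannot silently alias the parent's sk_security blob.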
At this point in the patch series, it won't compile, since you haven't
yet defined security_sk_clone(). Also, the entire sequence above likely
belongs in a single static inline.
--
Stephen Smalley
National Security Agency
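To show why the save/restore around the memcpy matters and what the single helper Stephen asks for looks like, here is an added, self-contained C mock (not kernel code and not part of the patch): a cut-down struct sock, a stand-in security_sk_clone() that copies label state, and a helper named sock_copy() (name chosen here) that folds the sequence from the hunk into one place. A plain memcpy leaves the child pointing at the parent's security blob; the helper keeps the child's own blob and relabels it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the fields that matter here, not the kernel's struct sock. */
struct sock {
    int sk_family;
    int sk_state;
    void *sk_security;   /* per-socket LSM blob, owned by this sock */
};

/* Constructed stand-in for the per-socket label the LSM keeps. */
struct sec_blob { unsigned int sid; };

/* Stand-in for the security_sk_clone() hook: copy label state, never the pointer. */
static void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
    const struct sec_blob *src = sk->sk_security;
    struct sec_blob *dst = newsk->sk_security;
    if (src && dst)
        dst->sid = src->sid;
}

/* The sequence from the hunk folded into one helper: save the LSM pointer,
 * do the bulk copy, restore the pointer, then let the LSM copy label state. */
static inline void sock_copy(struct sock *nsk, const struct sock *osk)
{
    void *sptr = nsk->sk_security;
    memcpy(nsk, osk, sizeof(*nsk));
    nsk->sk_security = sptr;
    security_sk_clone(osk, nsk);
}

/* Returns 1 if the child still owns its own blob and carries the parent's
 * label after the copy, 0 if the copy aliased the parent's blob. */
int clone_keeps_own_blob(int use_helper)
{
    struct sec_blob pblob = { .sid = 42 }, cblob = { .sid = 0 };
    struct sock parent = { .sk_family = 2, .sk_state = 1, .sk_security = &pblob };
    struct sock child  = { .sk_security = &cblob };

    if (use_helper)
        sock_copy(&child, &parent);
    else
        memcpy(&child, &parent, sizeof(child));   /* the pre-patch copy */

    return child.sk_security == &cblob && cblob.sid == 42
           && child.sk_family == parent.sk_family;
}
```

With the bare memcpy both socks end up sharing one blob, which is the double-free and mislabeling hazard the patch avoids.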