[redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 15 17:14:41 UTC 2006


On Thu, 2006-06-15 at 11:18 -0400, Stephen Smalley wrote:
> On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> > This patch adds a security sid to the flow key itself making the flow cache
> > lookups based on the sid seamless.
> > 
> > This patch also adds support for handling security for sock. Security at the
> > sock level is needed to enforce the SELinux security policy for security associations
> > even when a sock is orphaned (such as in the TCP LAST_ACK state).
> > 
> > Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>
> > 
> > ---
> > include/net/flow.h |    5 +++--
> > net/core/flow.c    |    7 ++-----
> > net/core/sock.c    |    4 ++++
> > 3 files changed, 9 insertions(+), 7 deletions(-)
> > 
> 
> > --- linux-2.6.16.vanilla/net/core/sock.c	2006-06-12 17:49:39.000000000 -0500
> > +++ linux-2.6.16/net/core/sock.c	2006-06-13 08:40:48.000000000 -0500
> > @@ -841,7 +841,11 @@ struct sock *sk_clone(const struct sock 
> >  	if (newsk != NULL) {
> >  		struct sk_filter *filter;
> >  
> > +		/* Save/restore the LSM security pointer around the copy */
> > +		void *sptr = newsk->sk_security;
> >  		memcpy(newsk, sk, sk->sk_prot->obj_size);
> > +		newsk->sk_security = sptr;
> > +		security_sk_clone(sk, newsk);
> >  
> >  		/* SANITY */
> >  		sk_node_init(&newsk->sk_node);
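Review bot: the new `security_sk_clone(sk, newsk)` call is the only reference to that hook in this hunk, and none of the three files in the diffstat (include/net/flow.h, net/core/flow.c, net/core/sock.c) declares it, so this patch does not build on its own and breaks bisection of the series; either fold the hook declaration (and a no-op stub for the !CONFIG_SECURITY case) into this patch or reorder the series so the hook lands first. The save/restore of `newsk->sk_security` around the `memcpy()` also silently assumes that `newsk->sk_security` was already allocated before this point (not visible in the hunk); a short comment stating that `sk_alloc()`, or whichever path creates `newsk`, is responsible for that allocation would make the ordering dependency explicit for the next reader.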
> 
> At this point in the patch series, it won't compile, since you haven't
> yet defined security_sk_clone().

BTW, see the guidance in
http://www.zip.com.au/~akpm/linux/patches/stuff/tpp.txt
particularly about patch series.

-- 
Stephen Smalley
National Security Agency