[redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking
Stephen Smalley
sds at tycho.nsa.gov
Thu Jun 15 15:18:26 UTC 2006
On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds a security sid to the flow key itself making the flow cache
> lookups based on the sid seamless.
>
> This patch also adds support for handling security for sock. Security at the
> sock level is needed to enforce the SELinux security policy for security associations
> even when a sock is orphaned (such as in the TCP LAST_ACK state).
>
> Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>
>
> ---
> include/net/flow.h | 5 +++--
> net/core/flow.c | 7 ++-----
> net/core/sock.c | 4 ++++
> 3 files changed, 9 insertions(+), 7 deletions(-)
>
> --- linux-2.6.16.vanilla/net/core/sock.c 2006-06-12 17:49:39.000000000 -0500
> +++ linux-2.6.16/net/core/sock.c 2006-06-13 08:40:48.000000000 -0500
> @@ -841,7 +841,11 @@ struct sock *sk_clone(const struct sock
> if (newsk != NULL) {
> struct sk_filter *filter;
>
> + /* Save/restore the LSM security pointer around the copy */
> + void *sptr = newsk->sk_security;
> memcpy(newsk, sk, sk->sk_prot->obj_size);
> + newsk->sk_security = sptr;
> + security_sk_clone(sk, newsk);
>
> /* SANITY */
> sk_node_init(&newsk->sk_node);
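Review bot: security_sk_clone() is called at the end of this hunk but is not defined in any of the three files the diffstat lists, so this patch does not build on its own; the hook should be introduced in the same patch or in an earlier one in the series. The save/memcpy/restore sequence on newsk->sk_security also deserves a comment that says why the pointer must be preserved rather than just that it is: the memcpy() would otherwise overwrite newsk->sk_security with sk's pointer, leaving both socks pointing at one security blob and discarding whatever newsk already held. Wrapping the save, restore and security_sk_clone() call in a single static inline, as suggested in the reply, would keep that invariant in one place and make the ordering (restore before the hook runs) harder to break in later edits.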
At this point in the patch series, it won't compile, since you haven't
yet defined security_sk_clone(). Also, the entire sequence above likely
belongs in a single static inline.
--
Stephen Smalley
National Security Agency