[redhat-lspp] [RFC] [MLSXFRM 01/04] Add support to core networking

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 15 15:18:26 UTC 2006


On Tue, 2006-06-13 at 17:09 -0500, Venkat Yekkirala wrote:
> This patch adds a security sid to the flow key itself making the flow cache
> lookups based on the sid seamless.
> 
> This patch also adds support for handling security for sock. Security at the
> sock level is needed to enforce the SELinux security policy for security associations
> even when a sock is orphaned (such as in the TCP LAST_ACK state).
> 
> Signed-off-by: Venkat Yekkirala <vyekkirala at TrustedCS.com>
> 
> ---
> include/net/flow.h |    5 +++--
> net/core/flow.c    |    7 ++-----
> net/core/sock.c    |    4 ++++
> 3 files changed, 9 insertions(+), 7 deletions(-)
> 

> --- linux-2.6.16.vanilla/net/core/sock.c	2006-06-12 17:49:39.000000000 -0500
> +++ linux-2.6.16/net/core/sock.c	2006-06-13 08:40:48.000000000 -0500
> @@ -841,7 +841,11 @@ struct sock *sk_clone(const struct sock 
>  	if (newsk != NULL) {
>  		struct sk_filter *filter;
>  
> +		/* Save/restore the LSM security pointer around the copy */
> +		void *sptr = newsk->sk_security;
>  		memcpy(newsk, sk, sk->sk_prot->obj_size);
> +		newsk->sk_security = sptr;
> +		security_sk_clone(sk, newsk);
>  
>  		/* SANITY */
>  		sk_node_init(&newsk->sk_node);
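Review bot: security_sk_clone() is called in this sk_clone() hunk but nothing in the patch declares or defines it, and the diffstat lists only include/net/flow.h, net/core/flow.c and net/core/sock.c, so the tree does not build at this point in the series; either carry the hook (its declaration in include/linux/security.h plus a no-op stub for the !CONFIG_SECURITY case) in this patch or reorder the series so the hook lands first. The save/restore of newsk->sk_security around the memcpy() is the right idea, since otherwise the clone would alias the parent's security blob, but the three lines

		void *sptr = newsk->sk_security;
		memcpy(newsk, sk, sk->sk_prot->obj_size);
		newsk->sk_security = sptr;

together with the hook call would read better as one static inline helper (something like a hypothetical sk_copy_security(newsk, sk)), so the intent is documented in a single place rather than inline in sk_clone().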

At this point in the patch series, it won't compile, since you haven't
yet defined security_sk_clone().  Also, the entire sequence above likely
belongs in a single static inline.

-- 
Stephen Smalley
National Security Agency
