[redhat-lspp] Re: [PATCH 1/1] selinux: secid reconciliation fixes V02

Paul Moore paul.moore at hp.com
Mon Oct 9 15:51:47 UTC 2006


Venkat Yekkirala wrote:
> --- net-2.6.sid6/include/linux/security.h	2006-10-05 12:03:39.000000000 -0500
> +++ net-2.6/include/linux/security.h	2006-10-08 14:10:49.000000000 -0500
> @@ -67,6 +67,7 @@ struct xfrm_selector;
>  struct xfrm_policy;
>  struct xfrm_state;
>  struct xfrm_user_sec_ctx;
> +struct net_device;
>  
>  extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
>  extern int cap_netlink_recv(struct sk_buff *skb, int cap);
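Review bot: The new forward declaration `struct net_device;` is only needed because the `skb_flow_out` prototype later in this patch takes a `const struct net_device *out`; it sits among the xfrm forward declarations, so a reader has to search for why it is here. Consider placing it next to the other network types (`struct sock`, `struct sk_buff`) or adding a one-line comment noting the hook that uses it.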
> @@ -828,8 +829,8 @@ struct request_sock;
>   *	Sets the new child socket's sid to the openreq sid.
>   * @inet_conn_established:
>   *	Sets the connection's peersid to the secmark on skb.
> - * @req_classify_flow:
> - *	Sets the flow's sid to the openreq sid.
> + * @igmp_classify_skb:
> + *	Classifies an skb representing an igmp packet.

I wonder if it might be cleaner to have a generic classify_skb() function?  That
seems to be more in line with what James commented on earlier and I'm almost
certain the netdev crowd would be much more open to a generic hook.  It
shouldn't be too expensive to check if the packet is an IGMP packet inside the hook.

>   * @skb_flow_in:
>   *	Checks to see if security policy would allow skb into the system
>   *	while also reconciling the xfrm secid, cipso, etc, if any, and
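Review bot: The new `@igmp_classify_skb` description ("Classifies an skb representing an igmp packet") does not say what the hook actually sets, unlike the `@req_classify_flow` text it replaces, which stated the effect ("Sets the flow's sid to the openreq sid"). Please document which field of the skb is written (the secmark, or something else) and where the label is taken from, in the same style as the neighbouring `@inet_conn_established` entry. Also spell the protocol as IGMP in the comment.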
> @@ -1385,9 +1386,10 @@ struct security_operations {
>  					struct request_sock *req);
>  	void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
>  	void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
> -	void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
> +	void (*igmp_classify_skb)(struct sk_buff *skb);
>  	int (*skb_flow_in)(struct sk_buff *skb, unsigned short family);
> -	int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid);
> +	int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid,
> +			const struct net_device *out, unsigned short family);
>  #endif	/* CONFIG_SECURITY_NETWORK */
>  
>  #ifdef CONFIG_SECURITY_NETWORK_XFRM
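Review bot: `igmp_classify_skb` returns `void`, so an LSM has no way to report that it could not derive a label for the packet, while the neighbouring `skb_flow_in`/`skb_flow_out` hooks return `int`; if a classification failure should be fatal for the packet, the hook needs a return value. Separately, `skb_flow_out` gains two parameters (`const struct net_device *out, unsigned short family`); make sure every caller and the `CONFIG_SECURITY_NETWORK`-disabled inline stubs for both hooks are updated with the same signatures, since those stubs are outside this hunk and a mismatch there only shows up in a !CONFIG_SECURITY_NETWORK build.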
> @@ -2953,14 +2955,20 @@ static inline void security_sk_clone(con
>  	return security_ops->sk_clone_security(sk, newsk);
>  }
>  
> +/*static inline void security_sk_classify_ipcm(struct sock *sk,	
> +					struct ipcm_cookie *ipc)
> +{
> +	security_ops->sk_getsecid(sk, &ipc->secid);
> +}*/
> +
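Review bot: The added `security_sk_classify_ipcm` is entirely commented out, which ships dead code into the header; either remove it or finish it, but do not merge it as a comment. If it is meant to stay, note that it dereferences `ipc->secid` on a `struct ipcm_cookie`, a type that is neither forward-declared nor included in this header (this patch only adds `struct net_device;`), so uncommenting it would not compile as-is. The first line of the block also carries trailing whitespace after `struct sock *sk,`.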

If this really isn't needed shouldn't we just remove the code altogether instead
of commenting it out?

-- 
paul moore
linux security @ hp