On Thu, 2006-02-16 at 01:30 -0500, Catherine Zhang wrote:
> Joy,
> 
> Thanks for your comment and sorry for the delay.  Did you mean a
> separate error code for 'null' context?  The current code catches the
> case when the sid is SECSID_NULL, and returns ENOPROTOOPT.  The
> question is whether we want to create a different error code for this
> case.  Any suggestions?
> 
Actually, what I meant was should we return an error at all, not create
a new error code. Should it be considered an error if a userspace
application asks for the peer context and ipsec is not being used? My
guess is that most apps will not care if ipsec is being used when 
they ask for this info. Therefore, I was wondering instead of
checking if sid == SECSID_NULL, just let security_to_sid_context()
return "null" and send this to userspace as context. Userspace would
then know a "null" context returned means no context for peer.

> On 2/10/06, Joy Latten <[EMAIL PROTECTED]> wrote:
> > Catherine,
> > I am just wondering about something...
> > Should a peer_sid of 0 or SECSID_NULL be an error here if
> > the connection doesn't have a transform? I understand we only get
> > peer's context if a xfrm is involved, but I am thinking
> > most user applications may not know or care if there is a xfrm.
> > If not treated as an error, it looks like security_to_sid_context()
> > would just return "null" for context. Would that be acceptable?
> >
> > Perhaps it is just important that we document the behaviour because
> > I am thinking most user apps will not care or know if ipsec is
> > running, so programmers may use this socket option to get peer
> > context and may need to understand why they received an error of
> > ENOPROTOOPT.
> >
> > > }
> > > +     else {
> > >               err = -ENOPROTOOPT;
> > >               goto out;
> > >       }
> > >
> > > -     ssec = sock->sk->sk_security;
> > > -
> > > -     err = security_sid_to_context(ssec->peer_sid, &scontext, 
> > > &scontext_len);
> > > +     err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
> > > +
> > >       if (err)
> > >               goto out;
> > >
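Review bot: The `else` branch at the top of this hunk returns -ENOPROTOOPT with no comment saying which condition it covers, so a reader (and a userspace caller) cannot tell "no peer label on this connection" from "option not supported". Add a comment above `err = -ENOPROTOOPT;` stating the case it handles, and document that return value for the socket option. Style point on the same lines: kernel coding style writes the added branch as `} else {` on one line rather than `else {` on its own line after the closing brace.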
> > > @@ -3396,6 +3410,23 @@ out:
> > >       return err;
> > >  }
> > >
> > > +
> >
> > Regards,
> > Joy
> >