On Sun, 2006-10-01 at 16:26 -0500, Venkat Yekkirala wrote:
> Add skb_policy_check and skb_netfilter_check hooks to LSM to enable
> reconciliation of the various security identifiers as well as enforce
> flow control on inbound (PREROUTING/INPUT) and outbound
> (OUTPUT/FORWARD/POSTROUTING)
> traffic.
>
> Signed-off-by: Venkat Yekkirala <[EMAIL PROTECTED]>
> ---
> include/linux/security.h | 41 ++++++++++++++++++++++++++++++++++++-
> security/dummy.c | 13 +++++++++++
> 2 files changed, 53 insertions(+), 1 deletion(-)
> @@ -3150,7 +3185,11 @@ static inline int security_xfrm_state_al > { > if (!polsec) > return 0; > - return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid); > + /* > + * No need to pass polsec along since we want the context to be > + * taken from secid which is usually from the sock. > + */ > + return security_ops->xfrm_state_alloc_security(x, NULL, NULL, secid); > }

As a follow-up patch, you could then drop polsec from the hook interface in security_ops (but not the static inline function interface), and from the underlying selinux functions. That would simplify selinux_xfrm_sec_ctx_alloc() a bit and make the logic clearer.

--
Stephen Smalley
National Security Agency
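Review bot: In the changed return of this hunk the hook is now called with NULL for both the second and third arguments, so secid is the only source of the context, yet nothing visible here checks that secid is actually set before the call. The `if (!polsec) return 0;` guard is also kept, which means polsec now serves only as an on/off flag while its contents are ignored. Please either document in the new comment that polsec is retained purely as a gate and state what callers must guarantee about secid (the comment says it is "usually" from the sock, which leaves the other cases unspecified), or add an explicit check for an unset secid in this inline so a caller that supplies polsec without a valid secid fails here rather than inside the hook.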