On Tuesday, July 3 2007 8:07:45 am Tetsuo Handa wrote:
> diff -ur a/include/linux/security.h b/include/linux/security.h
> --- a/include/linux/security.h 2007-07-03 10:07:14.000000000 +0900
> +++ b/include/linux/security.h 2007-07-03 13:21:20.581744544 +0900
> @@ -745,6 +745,16 @@
> * @sock contains the listening socket structure.
> * @newsock contains the newly created server socket for connection.
> * Return 0 if permission is granted.
> + * @socket_pre_accept:
> + * Check peer's address after accepting a new connection but
> + * before making that connection visible to userland.
> + * This hook is intended for filtering connections from unwanted peers.
> + * The connection will be aborted if this hook returns nonzero.
> + * @sock contains the listening socket structure.
> + * @newsock contains the newly created server socket for connection.
> + * @address contains the address of remote endpoint.
> + * @addrlen contains the length of address.
> + * Return 0 if permission is granted.
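Review bot: the parameter list documented here (@sock, @newsock, @address, @addrlen) does not match the call added in net/socket.c, `security_socket_pre_accept(sock, newsock)`, which passes only the two sockets; either the hook really takes the address and the caller is wrong, or the hook has to obtain the peer address from @newsock itself and the @address/@addrlen entries should be dropped. The sentence "The connection will be aborted if this hook returns nonzero" also overstates what can happen: the description itself says the hook runs "after accepting a new connection", so a nonzero return closes a connection the peer has already seen established rather than refusing it; say so. Minor: "the address of the remote endpoint".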
... and below ...
> diff -ur a/net/socket.c b/net/socket.c
> --- a/net/socket.c 2007-07-03 10:07:16.000000000 +0900
> +++ b/net/socket.c 2007-07-03 13:23:53.055565000 +0900
> @@ -1426,6 +1437,11 @@
> if (err < 0)
> goto out_fd;
>
> + /* Filter connections from unwanted peers like TCP Wrapper. */
> + err = security_socket_pre_accept(sock, newsock);
> + if (err)
> + goto out_fd;
> +
> if (upeer_sockaddr) {
> if (newsock->ops->getname(newsock, (struct sockaddr *)address,
> &len, 2) < 0) {
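Review bot: this check runs after `newsock->ops->accept()` (the `err < 0` test just above) has succeeded, so on a nonzero result `goto out_fd` tears down a connection that the peer already completed; the "TCP Wrapper" style filtering the comment describes has to happen before the connection is accepted, which is what the existing inet_conn_request hook is for. Also, the hook is called with only `sock` and `newsock`, before the `getname()` call in the `upeer_sockaddr` block fills `address`, so the peer address the header comment says it checks is not available to it here; if the hook stays, it must retrieve the address from `newsock` itself. Spelling: "TCP Wrappers".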
I believe the existing security_inet_conn_request() LSM hook should allow you
to do what you want. Adding another hook _after_ the inbound connection has
been accepted is probably a bad idea.
> diff -ur a/include/linux/security.h b/include/linux/security.h
> --- a/include/linux/security.h 2007-07-03 10:07:14.000000000 +0900
> +++ b/include/linux/security.h 2007-07-03 13:21:20.581744544 +0900
> @@ -763,6 +773,14 @@
> * @size contains the size of message structure.
> * @flags contains the operational flags.
> * Return 0 if permission is granted.
> + * @socket_post_recvmsg:
> + * Check peer's address after receiving a message from a socket.
> + * This hook is intended for filtering messages from unwanted peers.
> + * @sock contains the socket structure.
> + * @msg contains the message structure.
> + * @size contains the size of message structure.
> + * @flags contains the operational flags.
> + * Return 0 if permission is granted.
> * @socket_getsockname:
> * Check permission before the local address (name) of the socket object
> * @sock is retrieved.
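Review bot: the description says the hook checks "peer's address", but none of the parameters listed is an address; state where the hook is expected to get it (the name the receive stored in @msg) or drop the phrase. It also needs to say what a nonzero return means for data that the receive has already copied to the caller, which the net/socket.c hunk admits cannot be undone; as written the block only repeats the @socket_recvmsg parameter text with "after" substituted for "before".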
... and below ...
> diff -ur a/net/socket.c b/net/socket.c
> --- a/net/socket.c 2007-07-03 10:07:16.000000000 +0900
> +++ b/net/socket.c 2007-07-03 13:23:53.055565000 +0900
> @@ -651,6 +651,17 @@
> ret = __sock_recvmsg(&iocb, sock, msg, size, flags);
> if (-EIOCBQUEUED == ret)
> ret = wait_on_sync_kiocb(&iocb);
> + /*
> + * Filter messages from unwanted peers.
> + * To be exact, this hook can't filter messages,
> + * this hook just returns an error code.
> + * Do we have to keep userland buffer unchanged until this hook?
> + */
> + if (ret >= 0) {
> + int err = security_socket_post_recvmsg(sock, msg, size, flags);
> + if (err)
> + ret = err;
> + }
> return ret;
> }
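Review bot: the comment in this hunk names the defect itself: `__sock_recvmsg()` has already written the message into the userland buffer by the time the hook runs, so replacing a positive `ret` with `err` reports an error for a message the caller already holds, and the data has already been consumed from the socket. The check belongs before the copy, in the existing `security_socket_recvmsg()` hook, or earlier on the receive path so that it also covers the read paths other than `sock_recvmsg()`; a post-receive hook can only reject after the fact. If this hook is kept anyway, the "Do we have to keep userland buffer unchanged" question must be answered in the hook documentation, not left as a question in the code, and a partial-read count should not be silently overwritten with `err`.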
Is there some reason why you can't use security_socket_recvmsg()? Also, don't
forget that there are many other ways to read a network socket than just
recvmsg().
--
paul moore
linux security @ hp
-
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
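The patch and the reply both revolve around one decision: given a remote endpoint address, permit or reject the connection before userland sees it. The following is an added example, not code from Handa's patch, from Paul Moore's reply, or from the kernel tree. It is a userland model of that decision, written so it can be compiled and run on its own: a rule table in a hypothetical IPv4 network/prefix format (not real TCP Wrappers syntax) is evaluated against a `struct sockaddr`, first match wins, no match means deny, and the verdict follows the LSM convention of 0 for permit. The `-EACCES` rejection code, the rule format and the sample addresses are assumptions of the example; in the kernel this logic would sit in a hook that runs before the connection is accepted, as the reply recommends, with the address taken from the connection request rather than from an already accepted socket.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* One rule in a hypothetical hosts.allow/hosts.deny style table (not the
 * real TCP Wrappers syntax): an IPv4 network in host byte order, a prefix
 * length, and the verdict for peers that fall inside that network. */
struct peer_rule {
    uint32_t net;      /* network address, host byte order */
    uint8_t  prefix;   /* 0..32 */
    int      allow;    /* 1 = permit, 0 = deny */
};

/* Build a rule from dotted-quad text; returns 0 on success, -1 on bad input. */
int peer_rule_parse(struct peer_rule *r, const char *net, uint8_t prefix, int allow)
{
    struct in_addr a;
    if (prefix > 32 || inet_pton(AF_INET, net, &a) != 1)
        return -1;
    r->net = ntohl(a.s_addr);
    r->prefix = prefix;
    r->allow = allow;
    return 0;
}

static int prefix_match(uint32_t addr, uint32_t net, uint8_t prefix)
{
    /* prefix 0 matches everything; the shift by 32 would be undefined */
    uint32_t mask = prefix ? (uint32_t)(0xffffffffu << (32 - prefix)) : 0;
    return (addr & mask) == (net & mask);
}

/* The decision a hook would make for one remote endpoint.
 * First matching rule wins; no match means deny. Returns 0 to permit
 * or -EACCES to reject, following the "return 0 if permission is
 * granted" convention of the LSM socket hooks. Anything that is not a
 * well-formed IPv4 address is rejected rather than silently allowed. */
int peer_check(const struct peer_rule *rules, size_t nrules,
               const struct sockaddr *sa, socklen_t salen)
{
    const struct sockaddr_in *sin;
    uint32_t addr;
    size_t i;

    if (sa == NULL || sa->sa_family != AF_INET || salen < sizeof(*sin))
        return -EACCES;
    sin = (const struct sockaddr_in *)sa;
    addr = ntohl(sin->sin_addr.s_addr);

    for (i = 0; i < nrules; i++)
        if (prefix_match(addr, rules[i].net, rules[i].prefix))
            return rules[i].allow ? 0 : -EACCES;
    return -EACCES;
}

/* Evaluate a dotted-quad peer string against a rule table. */
int peer_check_str(const struct peer_rule *rules, size_t nrules, const char *peer)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, peer, &sin.sin_addr) != 1)
        return -EINVAL;
    return peer_check(rules, nrules, (const struct sockaddr *)&sin, sizeof(sin));
}

/* Constructed sample policy: deny one bad host inside an otherwise
 * trusted /24, permit the rest of that /24, deny everything else.
 * Returns the number of rules written, or -1. */
int sample_policy(struct peer_rule *rules, size_t cap)
{
    if (cap < 2)
        return -1;
    if (peer_rule_parse(&rules[0], "192.0.2.66", 32, 0) ||
        peer_rule_parse(&rules[1], "192.0.2.0", 24, 1))
        return -1;
    return 2;
}

/* Verdict for one peer under the sample policy (0 = permit, <0 = reject). */
int sample_verdict(const char *peer)
{
    struct peer_rule rules[2];
    int n = sample_policy(rules, 2);
    if (n < 0)
        return -EINVAL;
    return peer_check_str(rules, (size_t)n, peer);
}

int main(void)
{
    const char *peers[] = { "192.0.2.10", "192.0.2.66", "198.51.100.7" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("%-14s -> %s\n", peers[i],
               sample_verdict(peers[i]) == 0 ? "accept" : "reject");
    return 0;
}
```

The ordering of the rules is the whole policy: the /32 deny is listed before the /24 allow so the single bad host is excluded from the trusted network, and the default is deny so an empty or non-matching table never opens the listener to everyone. Note what the model does not show: where the check is placed. Run after `accept()` has returned, as in the quoted patch, the same verdict can only close a connection the peer already completed; run on the incoming connection request, it prevents the connection from being established at all.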