On Tue, 2007-04-10 at 21:35 +0900, Tetsuo Handa wrote:
> Hello.
>
> Stephen Smalley wrote:
> > It doesn't do any good to return an error _after_ the new connection has
> > been set up or the data transfer has already happened. Userspace
> > already has what it needs and another thread can already begin using it
> > _before_ you take any action in those post hooks.
> Well. What I want to do is "per-domain iptables". For example,
> domain sshd_t can accept() connections from 10.0.0.0-10.255.255.255,
> while domain httpd_t can accept() connections from
> 192.168.0.0-192.168.255.255.
> TOMOYO Linux does it by
>
> <kernel> /usr/sbin/sshd
> allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
>
> <kernel> /usr/sbin/httpd
> allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
>
> It is not the best way to abort a connection after the connection has been
> accept()ed.
> But to check before accept(),
> I have to patch select() not to return "ready for accepting connection",
> otherwise 'select() returning "ready for accepting connection" but accept()
> returning "not allowed to accept from this address"' will cause meaningless
> CPU consumption.
> So, aborting an accept()ed connection is second best for me.
It is worse than "not the best way"; it is the wrong way, and it is
trivially subvertible. No point in providing a control that can be easily
bypassed, right? You need to do it in another hook, like sock_rcv_skb or
inet_conn_request, and drop the connection before it is established.

-- 
Stephen Smalley
National Security Agency
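As an added example, not code from this thread or from TOMOYO itself: a user-space model of the per-domain `allow_network` policy quoted in Tetsuo's message, which parses the two rules above and evaluates a connecting peer against them with default deny. It assumes the address and port ranges describe the peer of the accept()ed connection; as Stephen's reply points out, a decision like this is only worth anything if it is enforced before the connection is handed to userspace.

```python
import ipaddress
from dataclasses import dataclass

# Policy text constructed from the two domains quoted in the thread.
POLICY = """
<kernel> /usr/sbin/sshd
allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535

<kernel> /usr/sbin/httpd
allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
"""

@dataclass(frozen=True)
class NetRule:
    domain: str
    proto: str
    op: str
    lo_ip: ipaddress.IPv4Address
    hi_ip: ipaddress.IPv4Address
    lo_port: int
    hi_port: int

def _range(text, conv):
    """'a-b' -> (conv(a), conv(b)); a single value 'a' -> (conv(a), conv(a))."""
    parts = text.split("-", 1)
    lo = conv(parts[0])
    hi = conv(parts[1]) if len(parts) == 2 else lo
    if lo > hi:
        raise ValueError(f"inverted range: {text!r}")
    return lo, hi

def parse_policy(text):
    """Parse '<kernel> /path' domain headers and the 'allow_network PROTO OP
    ADDR[-ADDR] PORT[-PORT]' lines that follow each one."""
    rules, domain = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<kernel>"):
            domain = line            # every following rule belongs to this domain
            continue
        fields = line.split()
        if domain is None or len(fields) != 5 or fields[0] != "allow_network":
            raise ValueError(f"unrecognised policy line: {line!r}")
        _, proto, op, ips, ports = fields
        lo_ip, hi_ip = _range(ips, ipaddress.IPv4Address)
        lo_port, hi_port = _range(ports, int)
        rules.append(NetRule(domain, proto, op, lo_ip, hi_ip, lo_port, hi_port))
    return rules

def is_allowed(rules, domain, proto, op, peer_ip, peer_port):
    """Default deny: allowed only if a rule for this exact domain covers the peer."""
    ip = ipaddress.IPv4Address(peer_ip)
    return any(r.domain == domain and r.proto == proto and r.op == op
               and r.lo_ip <= ip <= r.hi_ip and r.lo_port <= peer_port <= r.hi_port
               for r in rules)

RULES = parse_policy(POLICY)
```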
