On Tue, 2007-04-10 at 09:11 -0400, Stephen Smalley wrote:
> On Tue, 2007-04-10 at 21:35 +0900, Tetsuo Handa wrote:
> > Hello.
> >
> > Stephen Smalley wrote:
> > > It doesn't do any good to return an error _after_ the new connection has
> > > been set up or the data transfer has already happened.  Userspace
> > > already has what it needs and another thread can already begin using it
> > > _before_ you take any action in those post hooks.
> > Well. What I want to do is "per-domain iptables". For example,
> > domain sshd_t can accept() connections from 10.0.0.0-10.255.255.255,
> > while domain httpd_t can accept() connections from
> > 192.168.0.0-192.168.255.255.
> > TOMOYO Linux does it by
> >
> > <kernel> /usr/sbin/sshd
> > allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
> >
> > <kernel> /usr/sbin/httpd
> > allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535
> >
> > It is not the best way to abort the connection after the connection has been
> > accept()ed.
> > But to check before accept(),
> > I have to patch select() not to return "ready for accepting connection",
> > otherwise
> > 'select() returning "ready for accepting connection" but accept() returning
> > "not allowed to accept from this address"' will cause meaningless CPU consumption.
> > So, aborting the accept()ed connection is second best for me.
>
> It is worse than "not the best way"; it is the wrong way, and it is
> trivially subvertible.  No point in providing a control that can be
> easily bypassed, right?
>
> You need to do it in another hook, like sock_rcv_skb or
> inet_conn_request, and drop the connection before it is established.
You should also likely look at SECMARK and some of the discussions that
preceded it.

http://marc.info/?l=linux-netdev&m=114516429530333&w=2
http://marc.info/?l=linux-netdev&m=114701592001932&w=2
http://marc.info/?l=linux-netdev&m=114758664411738&w=2
http://marc.info/?l=linux-netdev&m=114794408021148&w=2

-- 
Stephen Smalley
National Security Agency
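The policy lines quoted in the thread ("allow_network TCP accept <ip-range> <port-range>" under a domain such as "<kernel> /usr/sbin/sshd") are the only specification of the check TOMOYO is being asked to perform. The following is an added example, not part of the message above and not TOMOYO's or SELinux's own code: a user-space model, in C, of the default-deny decision that a pre-establishment hook (Stephen's suggestion of inet_conn_request) would evaluate from the peer address and port alone, before any socket is handed to userspace. The parser accepts exactly the rule syntax shown in the thread; the function and struct names, and the sample peers, are this example's own constructed choices.

```c
/* Added example: user-space model of a TOMOYO-style per-domain
 * "allow_network TCP accept <ip-range> <port-range>" check.
 * Not TOMOYO's code; only the rule syntax is taken from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct accept_rule {
    const char *domain;       /* e.g. "<kernel> /usr/sbin/sshd" */
    uint32_t ip_lo, ip_hi;    /* inclusive IPv4 range, host byte order */
    uint16_t port_lo, port_hi;/* inclusive peer (remote) port range */
};

/* Parse dotted-quad "a.b.c.d" into a host-order uint32. 1 on success, 0 on failure. */
static int parse_ip4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Parse one policy line of the form quoted in the thread:
 *   allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
 * Returns 1 and fills *r on success, 0 on a malformed line. */
static int parse_accept_rule(const char *domain, const char *line, struct accept_rule *r) {
    char lo[16], hi[16];
    unsigned plo, phi;
    if (sscanf(line, "allow_network TCP accept %15[0-9.]-%15[0-9.] %u-%u",
               lo, hi, &plo, &phi) != 4) return 0;
    if (!parse_ip4(lo, &r->ip_lo) || !parse_ip4(hi, &r->ip_hi)) return 0;
    if (plo > 65535 || phi > 65535 || plo > phi || r->ip_lo > r->ip_hi) return 0;
    r->domain = domain;
    r->port_lo = (uint16_t)plo;
    r->port_hi = (uint16_t)phi;
    return 1;
}

/* The decision a pre-establishment hook would make: default deny, allow only
 * if some rule for this domain covers the peer's ip:port. Nothing here needs
 * the accepted socket, which is why it can run before the handshake completes. */
static int accept_allowed(const struct accept_rule *rules, size_t n,
                          const char *domain, uint32_t peer_ip, uint16_t peer_port) {
    for (size_t i = 0; i < n; i++) {
        const struct accept_rule *r = &rules[i];
        if (strcmp(r->domain, domain) != 0) continue;
        if (peer_ip >= r->ip_lo && peer_ip <= r->ip_hi &&
            peer_port >= r->port_lo && peer_port <= r->port_hi) return 1;
    }
    return 0;
}

/* Constructed sample policy: the two domains from the thread. */
static struct accept_rule g_rules[2];
static size_t g_nrules;

static size_t load_sample_policy(void) {
    g_nrules = 0;
    if (parse_accept_rule("<kernel> /usr/sbin/sshd",
            "allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535", &g_rules[g_nrules]))
        g_nrules++;
    if (parse_accept_rule("<kernel> /usr/sbin/httpd",
            "allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535", &g_rules[g_nrules]))
        g_nrules++;
    return g_nrules;
}

/* Check a dotted-quad peer against the loaded policy: 1 allow, 0 deny, -1 bad address. */
static int check_peer(const char *domain, const char *peer, uint16_t port) {
    uint32_t ip;
    if (!parse_ip4(peer, &ip)) return -1;
    return accept_allowed(g_rules, g_nrules, domain, ip, port);
}

int main(void) {
    load_sample_policy();
    printf("sshd  <- 10.1.2.3:40000     %s\n",
           check_peer("<kernel> /usr/sbin/sshd", "10.1.2.3", 40000) ? "allow" : "deny");
    printf("sshd  <- 192.168.1.1:40000  %s\n",
           check_peer("<kernel> /usr/sbin/sshd", "192.168.1.1", 40000) ? "allow" : "deny");
    printf("httpd <- 192.168.1.1:40000  %s\n",
           check_peer("<kernel> /usr/sbin/httpd", "192.168.1.1", 40000) ? "allow" : "deny");
    printf("sshd  <- 10.1.2.3:22        %s\n",
           check_peer("<kernel> /usr/sbin/sshd", "10.1.2.3", 22) ? "allow" : "deny");
    return 0;
}
```

The point of keeping the decision a pure function of (domain, peer address, peer port) is the one Stephen makes: those inputs are all available when the SYN arrives, so the same check can be evaluated in a hook that runs before the connection is established and can simply drop the request, rather than after accept() has already returned a usable file descriptor to userspace.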
