Hello.
Stephen Smalley wrote:
> You need to do it in another hook, like sock_rcv_skb or
> inet_conn_request, and drop the connection before it is established.
Is it OK to filter before connection is established?
How do you handle the following situation?
/bin/daytime runs in the daytime_t domain.
/bin/nighttime runs in the nighttime_t domain.
/bin/daytime creates a TCP socket and begins listen()ing:
    fd = socket(PF_INET, SOCK_STREAM, 0);
    bind(fd, ...);
    listen(fd, ...);
Then /bin/daytime clears the fd's close-on-exec flag:
    fcntl(fd, F_SETFD, 0);
Then /bin/daytime starts /bin/nighttime, and /bin/nighttime inherits the fd
listen()ed by /bin/daytime.
Now, one fd is shared by two domains.
Both /bin/daytime and /bin/nighttime call accept(fd).
The administrator allows /bin/daytime to accept connections from
0.0.0.0-127.255.255.255
and allows /bin/nighttime to accept connections from 128.0.0.0-255.255.255.255.
Then, it is impossible to filter before accept() call
because the domain that the accept()ed connection will belong to
is unknown until the time of accept(), isn't it?
I think filtering at accept() time is more appropriate
than at the kernel's internal acceptance time.
Well, the right way to solve this case may be "don't share listen()ing fd
between domains".
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
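The scenario above, as an added C example that is not part of the original mail: a listener on 127.0.0.1 is created with close-on-exec cleared (so it would survive an exec() into the other program), and the administrator's address-range rule is applied at accept() time, once the accepting domain is known. The `domain` enum, the function names, the loopback test peer and the decision to close a denied connection with EACCES are assumptions made for this example; the address ranges are the ones given in the mail.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical domains of the two accepting programs in the mail. */
enum domain { DAYTIME_T, NIGHTTIME_T };

/* Create a TCP listener on 127.0.0.1 (port 0: kernel picks one) and clear
 * FD_CLOEXEC, as /bin/daytime does before starting /bin/nighttime.
 * Returns the listening fd, or -1 on error. */
int make_inheritable_listener(uint16_t *port_out) {
    int fd = socket(PF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    /* Clear close-on-exec so a child's exec() keeps the listening socket. */
    if (fcntl(fd, F_SETFD, 0) < 0) { close(fd); return -1; }
    if (port_out) {
        socklen_t len = sizeof sa;
        if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
        *port_out = ntohs(sa.sin_port);
    }
    return fd;
}

/* True if the descriptor would be inherited across exec(). */
int fd_is_inheritable(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* The administrator's rule from the mail: daytime_t may accept peers in
 * 0.0.0.0-127.255.255.255, nighttime_t peers in 128.0.0.0-255.255.255.255. */
int domain_may_accept(enum domain d, const struct in_addr *peer) {
    uint32_t a = ntohl(peer->s_addr);
    int low_half = a <= 0x7FFFFFFFu;
    return d == DAYTIME_T ? low_half : !low_half;
}

/* accept() with the policy applied at the point the accepting domain is known.
 * Returns the connected fd, or -1 (errno = EACCES, connection closed) when
 * the domain is not allowed to accept from this peer. */
int accept_checked(int listen_fd, enum domain d) {
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int c = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (c < 0) return -1;
    if (!domain_may_accept(d, &peer.sin_addr)) {
        close(c);
        errno = EACCES;
        return -1;
    }
    return c;
}

/* Constructed demonstration: one shared listener, two loopback clients, one
 * accept() per domain. 127.0.0.1 lies in the low half, so daytime_t succeeds
 * and nighttime_t is refused. Returns 0 when that is what happened. */
int run_demo(void) {
    uint16_t port;
    int lfd = make_inheritable_listener(&port);
    if (lfd < 0 || !fd_is_inheritable(lfd)) return -1;
    enum domain doms[2] = { DAYTIME_T, NIGHTTIME_T };
    int accepted[2] = { 0, 0 };
    for (int i = 0; i < 2; i++) {
        int cfd = socket(PF_INET, SOCK_STREAM, 0);
        struct sockaddr_in sa;
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sa.sin_port = htons(port);
        if (cfd < 0 || connect(cfd, (struct sockaddr *)&sa, sizeof sa) < 0) {
            if (cfd >= 0) close(cfd);
            close(lfd);
            return -1;
        }
        int afd = accept_checked(lfd, doms[i]);
        accepted[i] = afd >= 0;
        if (afd >= 0) close(afd);
        close(cfd);
    }
    close(lfd);
    return (accepted[0] == 1 && accepted[1] == 0) ? 0 : -1;
}

int main(void) {
    int rc = run_demo();
    printf("daytime_t accepted, nighttime_t refused: %s\n", rc == 0 ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

The two accept() calls are made from one process here only to keep the example self-contained; in the mail's setting they come from two different programs holding the same descriptor, which is exactly why a hook that runs before accept() cannot know which domain's range to apply.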