(2010/01/08 3:56), Aaron Stone wrote:
>> If we can identify the client (web application instance) in some way,
>> memcached will be able to store the something identifier of the cached
>> object. It may be called owner of the cached object (depending on the
>> security model).
>> Then, access control mechanism can provide its access control decision
>> based on the client's identifier and object's identifier.
>
> With a filesystem, the kernel knows which process is making the call
> and what user and group ids the process is running as, so it can
> perform access checks with that sideband information. Is there a
> mechanism for this with network sockets in SELinux?
SELinux has an API to get the privileges of the peer process for a given
socket descriptor.

  #include <selinux/selinux.h>

  int getpeercon(int sockfd, security_context_t *context);

The sockfd argument is the value returned from accept(2).
This API sets a C string representation of the peer (client) process's
privilege (called a security context), then returns.

Then, the server process can ask in-kernel SELinux whether the required
access can be allowed or not, based on the pair of the client's security
context and the item's security context. SELinux returns its decision:
allowed or denied. If denied, the server process returns ERROR without
running the request.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[email protected]>
