Re: [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.)

2007-07-09 Thread James Morris
On Mon, 9 Jul 2007, Tetsuo Handa wrote: Hello. This thread is from http://marc.info/?t=11834645705r=1w=2 . I want to use tcp_wrapper-like filtering using LSM. The appropriate way to do this would be via netfilter queuing to userspace, as already suggested by Paul Moore. -- James

[RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.)

2007-07-08 Thread Tetsuo Handa
Hello. This thread is from http://marc.info/?t=11834645705r=1w=2 . I want to use tcp_wrapper-like filtering using LSM. But it seems that there are cases (recvmsg() and read()?) where __sock_recvmsg() is called with msg->name == NULL and msg->msg_namelen == 0 that makes what I want to do

Re: [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.)

2007-07-08 Thread from-lsm
Sorry, I failed to send this message to netdev ml. Please ignore. On Mon, 09 Jul 2007 13:29:44 +0900 Tetsuo Handa [EMAIL PROTECTED] wrote: Hello. This thread is from http://marc.info/?t=11834645705r=1w=2 . I want to use tcp_wrapper-like filtering using LSM. But it seems that there

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Tetsuo Handa
Hello. Paul Moore wrote: Perhaps you could move the security_post_accept() hook further up and add a return value? I do not see any current in-tree users of the hook and I imagine moving it up would actually make the existing hook a bit more useful in general. If there are no objections,

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Paul Moore
On Friday, July 6 2007 10:59:49 am Tetsuo Handa wrote: In the existing security_socket_recvmsg() hook you could peek at the top of the socket's receive queue and determine all of the information you would want to know to make your access decision. Granted, it still might be a bit racy if

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-06 Thread Tetsuo Handa
Hello. Paul Moore wrote: Thinking about your problem (personal firewall) a bit more I can't help but wonder if your solution would be better implemented as a netfilter module? If netfilter hooks allow blocking operation, it may be a solution. But making decisions at

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-05 Thread Paul Moore
On Tuesday, July 3 2007 8:07:45 am Tetsuo Handa wrote: diff -ur a/include/linux/security.h b/include/linux/security.h --- a/include/linux/security.h2007-07-03 10:07:14.0 +0900 +++ b/include/linux/security.h2007-07-03 13:21:20.581744544 +0900 @@ -745,6 +745,16 @@ *

Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.

2007-07-05 Thread Tetsuo Handa
Thank you for your suggestion. Paul Moore wrote: I believe the existing security_inet_conn_request() LSM hook should allow you to do what you want. Adding another hook _after_ the inbound connection has been accepted is probably a bad idea. Unfortunately, security_inet_conn_request() doesn't