On Tuesday 04 September 2007 10:02:46 am Tetsuo Handa wrote:
Okay, I just went back and re-read the conversation from July as well as the
description of your current patches and I think what is basically comes down
to is that your design makes use of userspace intervention to allow/reject
connections and/or packets based on the application's domain. Unfortunately
for TOMOYO, the current LSM network hooks are placed in such a way that you
can not block and query a userspace agent for an access control decision.
Myself and some others have suggested using the netfilter userspace queue
mechanism[1]. However, I understand this may cause you problems when you try
to determine the incoming packet's destination/domain. With these
requirements I understand why you are pushing so hard to introduce these new
LSM hooks, but for many reasons I would really prefer to try and find a way
to utilize the existing hooks. I've tried to think of a way to do this over
the past day and have not been able to arrive at a clean solution.
Personally, I still question the wisdom of receiving a packet/connection only
to drop/reject it later when an application tries to read it but I might be
the only one.
Based on some of the other discussion around this patch there appears to be
other, larger issues which you still need to sort out (language parser in the
kernel, /proc issues, etc.). I would recommend addressing those concerns and
including the netdev mailing list on your next patchset as they might have
some thoughts on your network design.
[1]http://www.netfilter.org/projects/libnetfilter_queue/index.html
--
paul moore
linux security @ hp
-
