[redhat-lspp] Re: [PATCH 1/1] selinux: secid reconciliation fixes V02
Paul Moore
paul.moore at hp.com
Mon Oct 9 16:12:52 UTC 2006
Venkat Yekkirala wrote:
>>Venkat Yekkirala wrote:
>>
>>>--- net-2.6.sid6/include/linux/security.h 2006-10-05
>>
>>12:03:39.000000000 -0500
>>
>>>+++ net-2.6/include/linux/security.h 2006-10-08
>>
>>14:10:49.000000000 -0500
>>
>>>@@ -67,6 +67,7 @@ struct xfrm_selector;
>>> struct xfrm_policy;
>>> struct xfrm_state;
>>> struct xfrm_user_sec_ctx;
>>>+struct net_device;
>>>
>>> extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
>>> extern int cap_netlink_recv(struct sk_buff *skb, int cap);
>>>@@ -828,8 +829,8 @@ struct request_sock;
>>> * Sets the new child socket's sid to the openreq sid.
>>> * @inet_conn_established:
>>> * Sets the connection's peersid to the secmark on skb.
>>>- * @req_classify_flow:
>>>- * Sets the flow's sid to the openreq sid.
>>>+ * @igmp_classify_skb:
>>>+ * Classifies an skb representing an igmp packet.
>>
>>I wonder if it might be cleaner to have a generic
>>classify_skb() function? That
>>seems to be more inline with what James commented on earlier
>>and I'm almost
>>certain the netdev crowd would be much more open to a generic
>>hook. It
>>shouldn't be too expensive to check if the packet is an IGMP
>>packet inside the hook.
>
>
> It wouldn't necessarily be clean in that you would have to put
> all the logic to determine what kind of packet it is inside the
> hook, if it's even possible to do it under all circumstances.
Yes, but the *interface* would be cleaner which was the point I was trying to
make. There have been a lot of new LSM networking hooks introduced lately and I
thought it might be worthwhile to keep the interfaces as flexibile as possibile.
I guess we can always change it later if needed.
>>>+/*static inline void security_sk_classify_ipcm(struct sock *sk,
>>>+ struct ipcm_cookie *ipc)
>>>+{
>>>+ security_ops->sk_getsecid(sk, &ipc->secid);
>>>+}*/
>>>+
>>
>>If this really isn't needed shouldn't we just remove the code
>>altogether instead
>>of commenting it out?
>
> Yes. If you could take it out, I would appreciate it. (let me know if
> you want a new patch with this taken out).
It's probably quickest if I just drop it.
--
paul moore
linux security @ hp
More information about the redhat-lspp
mailing list