Re: [PATCH][SELINUX] 2/2 Add SEND_MSG and RECV_MSG controls

From: James Morris
Date: Tue Jan 13 2004 - 16:05:02 EST

Next message: Richard B. Johnson: "Re: [OT] use of patented algorithms in the kernel ok or not?"
Previous message: Pavel Machek: "Re: kgdb cleanups"
In reply to: James Morris: "[PATCH][SELINUX] 2/2 Add SEND_MSG and RECV_MSG controls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 13 Jan 2004, James Morris wrote:

> This patch implements two new access controls for SELinux: SEND_MSG and
> RECV_MSG, providing mediation of network packets based on destination
> port (IPv4 only at this stage).
>

After some further discussion, Stephen and I decided that it would be more
useful for security to invert the sense of the RECV_MSG permission so that
the source port is checked during packet reception.

This patch is relative to the previous patch, please let me know if you
want the entire patch redone.

diff -urN -X dontdiff linux-2.6.1-mm2.p/security/selinux/hooks.c linux-2.6.1-mm2.w/security/selinux/hooks.c
--- linux-2.6.1-mm2.p/security/selinux/hooks.c 2004-01-13 15:59:04.153184216 -0500
+++ linux-2.6.1-mm2.w/security/selinux/hooks.c 2004-01-13 14:32:06.000000000 -0500
@@ -2773,7 +2773,7 @@

/* Fixme: make this more efficient */
err = security_port_sid(sk->sk_family, sk->sk_type,
- sk->sk_protocol, ntohs(ad.u.net.dport),
+ sk->sk_protocol, ntohs(ad.u.net.sport),
&port_sid);
if (err)
goto out;

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Richard B. Johnson: "Re: [OT] use of patented algorithms in the kernel ok or not?"
Previous message: Pavel Machek: "Re: kgdb cleanups"
In reply to: James Morris: "[PATCH][SELINUX] 2/2 Add SEND_MSG and RECV_MSG controls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]