Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity

From: Stephen Smalley
Date: Fri Oct 08 2004 - 06:31:32 EST


On Fri, 2004-10-08 at 05:31, Luke Kenneth Casson Leighton wrote:
> an alternative possible solution is to get the packet _out_ from
> the interrupt context and have the aux pid comm exe information added.

No, the network permission checks are intentionally layered to match the
network protocol implementation. There is a process-to-socket check
performed in process context when the data is received from the socket
by an actual process, but there is also the socket-to-netif/node/port
check performed in softirq context when the packet is received on the
socket from the network.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
