On Mon, 20 Feb 2006, Török Edwin wrote:
> In the following I will be referring to 16-skfilter-ipt_owner-ctx.patch:
>
> However I'd like to do filtering based on owner (process) even when selinux is
> not available. Your context match explicitly requires selinux to be enabled,
> and a policy loaded.
See at 10-skfilter-incoming-ipt_owner.patch, which enables incoming
matching based on socket owner, not related to SELinux.
> Could you please use LSM hooks (like inode_getsecurity) instead of directly
> using selinux? I'd want to provide my own implementation of labeling (a
> very, very simple labeling, a very small subset of what selinux does, but
> which wouldn't require much configuration). In other words, I want to write a
> LSM, and then mod_register_security() my module.
>
> Or if the above is not possible, could you provide some hooks, where I could
> register my hooks to provide these:
> - int available()
> - int ctx_to_id(char*,u32*)
> - int socket_to_ctxid(struct sock*,u32*)
>
> (Of course I could create another match that would use my module to do the
> matching on the SOCKET chain. But this would uselessly duplicate
> functionality & code; an additional hook would be a much cleaner solution).
>
> What is your opinion on what I said above? I am open to suggestions,
> criticism, advice....
It's possible to investigate doing this via LSM, although probably not
justified unless someone else is using this feature in the mainline tree.
- James
--
James Morris
<[email protected]>