linux-security-module April 2007 archive

Re: Seriously, again, about inode_post_removexattr

From: Tetsuo Handa <from-lsm_at_nospam>
Date: Wed Apr 11 2007 - 11:38:37 GMT
To: linux-security-module@vger.kernel.org


Hello.

Stephen Smalley wrote:
> You need to do it in another hook, like sock_rcv_skb or
> inet_conn_request, and drop the connection before it is established.

Is it OK to filter before the connection is established? How do you handle the following situation?

  /bin/daytime runs in the daytime_t domain.
  /bin/nighttime runs in the nighttime_t domain.

  /bin/daytime creates a TCP socket and begins listen()ing

    fd = socket(PF_INET, SOCK_STREAM, 0);
    bind(fd, ...);
    listen(fd, ...);

  then, /bin/daytime clears the fd's close-on-exec flag

    fcntl(fd, F_SETFD, 0);

  then /bin/daytime starts /bin/nighttime and /bin/nighttime inherits the fd listen()ed by /bin/daytime.
  Now, one fd is shared by two domains.

  Both /bin/daytime and /bin/nighttime call accept(fd) mutually.
  The administrator allows /bin/daytime to accept connections from 0.0.0.0-127.255.255.255
  and allows /bin/nighttime to accept connections from 128.0.0.0-255.255.255.255.

  Then, it is impossible to filter before the accept() call
  because the domain that the accept()ed connection will belong to
  is unknown until the time of accept(), isn't it?
  I think filtering at the accept() time is more appropriate
  than at the kernel's internal acceptance time.

  Well, the right way to solve this case may be "don't share listen()ing fd between domains".
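
The scenario in this message, modelled as an added example that is not part of the original post and not kernel or LSM code: a per-domain address check made at accept() time always has a definite answer, while the same check made when the connection is established has none if the domains sharing the listening fd disagree. The function names, the verdict enum and the rule table are assumptions made for illustration; the two address ranges are the ones given in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: each domain may accept peers from one inclusive
 * IPv4 range (addresses in host byte order). Not a real LSM interface. */
struct domain_rule { const char *domain; uint32_t lo, hi; };

static const struct domain_rule rules[] = {
    { "daytime_t",   0x00000000u, 0x7fffffffu }, /* 0.0.0.0-127.255.255.255   */
    { "nighttime_t", 0x80000000u, 0xffffffffu }, /* 128.0.0.0-255.255.255.255 */
};
#define NRULES (sizeof(rules) / sizeof(rules[0]))

enum verdict { V_DENY = 0, V_ALLOW = 1, V_UNDECIDABLE = 2 };

/* accept()-time check: the calling domain is known, so the answer is definite. */
enum verdict check_at_accept(size_t caller, uint32_t peer)
{
    if (caller >= NRULES)
        return V_DENY;
    return (peer >= rules[caller].lo && peer <= rules[caller].hi)
               ? V_ALLOW : V_DENY;
}

/* Establishment-time check: only the set of domains holding the listening
 * fd is known. The answer is definite only when every sharer agrees. */
enum verdict check_at_establish(const size_t *sharers, size_t n, uint32_t peer)
{
    if (n == 0)
        return V_DENY;
    enum verdict first = check_at_accept(sharers[0], peer);
    for (size_t i = 1; i < n; i++)
        if (check_at_accept(sharers[i], peer) != first)
            return V_UNDECIDABLE;
    return first;
}

int main(void)
{
    static const char *names[] = { "deny", "allow", "undecidable" };
    const size_t shared[] = { 0, 1 };   /* fd inherited across exec */
    const uint32_t peer = 0x0a000001u;  /* 10.0.0.1, constructed sample */

    printf("accept() in daytime_t:   %s\n", names[check_at_accept(0, peer)]);
    printf("accept() in nighttime_t: %s\n", names[check_at_accept(1, peer)]);
    printf("before accept():         %s\n",
           names[check_at_establish(shared, 2, peer)]);
    return 0;
}
```

With a single domain holding the listening fd, check_at_establish() always returns a definite verdict, which corresponds to the message's closing remark about not sharing a listening fd between domains.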