Re: Seriously, again, about inode_post_removexattr

Hello.

Stephen Smalley wrote:
> You need to do it in another hook, like sock_rcv_skb or
> inet_conn_request, and drop the connection before it is established.
Is it OK to filter before connection is established? How do you handle the following situation?

  /bin/daytime runs in the daytime_t domain.   /bin/nighttime runs in the nighttime_t domain.

  /bin/daytime creates a TCP socket and begin listen()ing

    fd = socket(PF_INET, SOCK_STREAM, 0);     bind(fd, ...);
    listen(fd, ...)

  then, /bin/daytime clears the fd's close-on-exec flag

    fcntl(fd, F_SETFD, 0);

  then /bin/daytime starts /bin/nighttime and /bin/nighttime inherits the fd listen()ed by /bin/daytime.   Now, one fd is shared by two domains.

  Both /bin/daytime and /bin/nighttime calls accept(fd) mutually.   The administrator allows /bin/daytime accept connections from 0.0.0.0-127.255.255.255   and allows /bin/nighttime accept connections from 128.0.0.0-255.255.255.255.

  Then, it is impossible to filter before accept() call   because the domain that the accept()ed connection will belong to   is unknown until the time of accept(), isn't it?   I think filtering at the accept() time is more appropreate   than at kernel's internal acceptance time.

  Well, the right way to solve this case may be "don't share listen()ing fd between domains". -
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

• This message: [ Message body ]
• Next message: Stephen Smalley: "Re: Staker Module"
• Previous message: Hao Xu: "Re: A tiny bug in libcap-1.10 ?"
• In reply to: Stephen Smalley: "Re: Seriously, again, about inode_post_removexattr"
• Next in thread: Stephen Smalley: "Re: Seriously, again, about inode_post_removexattr"

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]