|Main Archive Page > Month Archives > linux-security-module archives|
Stephen Smalley wrote:
> You need to do it in another hook, like sock_rcv_skb or
> inet_conn_request, and drop the connection before it is established.
Is it OK to filter before connection is established? How do you handle the following situation?
/bin/daytime runs in the daytime_t domain. /bin/nighttime runs in the nighttime_t domain.
/bin/daytime creates a TCP socket and begin listen()ing
fd = socket(PF_INET, SOCK_STREAM, 0);
then, /bin/daytime clears the fd's close-on-exec flag
fcntl(fd, F_SETFD, 0);
then /bin/daytime starts /bin/nighttime and /bin/nighttime inherits the fd listen()ed by /bin/daytime. Now, one fd is shared by two domains.
Both /bin/daytime and /bin/nighttime calls accept(fd) mutually. The administrator allows /bin/daytime accept connections from 0.0.0.0-127.255.255.255 and allows /bin/nighttime accept connections from 22.214.171.124-255.255.255.255.
Then, it is impossible to filter before accept() call because the domain that the accept()ed connection will belong to is unknown until the time of accept(), isn't it? I think filtering at the accept() time is more appropreate than at kernel's internal acceptance time.
Well, the right way to solve this case may be "don't share listen()ing fd between domains".
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to email@example.com More majordomo info at http://vger.kernel.org/majordomo-info.html