On Wednesday 21 May 2008 12:54:16 pm Stephen Smalley wrote:
> On Wed, 2008-05-21 at 12:46 -0400, Paul Moore wrote:
> > I agree with James that we need to perform some access check before
> > setting the ct->secmark field, however, I don't think it is as
> > simple as calling selinux_secmark_relabel_packet_permission(). The
> > problem is that the selinux_secmark_relabel_packet_permission()
> > function checks to see if the currently running task can relabel
> > packets; in this case we don't want to check the currently running
> > task we want to check the sender of the netlink message which we
> > can't really do currently.
>
> Sending task SID is saved in NETLINK_CB(skb).sid at send time, so the
> information is available (but would need to be passed into the
> function).

Thanks, that is good to know, I missed that.

--
paul moore
linux @ hp