On Monday 2008-05-26 10:06, James Morris wrote:

>> >
>> >There are calls from SECMARK and CONNSECMARK into the SELinux API, which
>> >are the labeling targets.
>>
>> But you cannot deny the deletion of a rule from within SECMARK --
>> there is not even a ->destroy function in that module.
>
>There is a destroy function, although it is only used internally by
>SELinux for reference counting.
>
>The xtables destroy method does not return a value and probably needs to
>unconditionally succeed in any case.
>
>Possible solutions are:
>
>- Add a new method which is designed specifically for applying access
>control to rule deletion.
[...]

By the time the destroy function is called, it is already decided the
rule is going away -- it is much more like a "cleanup" hook for any
private data the match/target had. In fact, there is not even really a
per-rule [rule={match,target}] destroy function. A new table image is
loaded and atomically swapped with the previous one. You would rather
want to call security_*() in the ioctl phase.

But then again, the capability flag for net access could just be split
up, which is what people suggested to me about CAP_SYS_ADMIN when
twiddling with file access security hooks last year.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
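The replacement model described above, as an added userspace illustration that is not part of the mail thread and not netfilter or SELinux code: a table image is checked, then swapped with one atomic pointer exchange, and only afterwards is a void destroy hook run over every entry of the old image. `xt_table`, `rule_destroy_fn`, `security_table_replace`, `struct cred` and the "may delete SECMARK rules" policy are constructed stand-ins for the kernel and LSM interfaces, not their real signatures; the scenario data is made up for the demo.

```c
/*
 * Added example (not netfilter code): a userspace model of an xtables-style
 * table replacement. It shows why an access check has to run in the
 * setsockopt/ioctl phase, before the swap, and cannot live in the per-rule
 * destroy hook, which returns void and runs after the rules are already gone.
 * All names below are illustrative stand-ins, not real kernel/LSM signatures.
 */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RULES 8

struct xt_rule {
    int id;
    int secmark;   /* non-zero: rule uses a SECMARK/CONNSECMARK-style target */
};

struct xt_table {
    int nrules;
    struct xt_rule rules[MAX_RULES];
};

/* Same shape as the xtables destroy hook: void, so it cannot veto anything.
 * It is only a cleanup for the match/target's private data. */
typedef void (*rule_destroy_fn)(const struct xt_rule *r);

static int ndestroyed;                 /* destroy calls made by the last swap */

static void secmark_destroy(const struct xt_rule *r)
{
    (void)r;                           /* real code would drop an SID reference */
    ndestroyed++;
}

struct cred {
    int may_delete_secmark_rules;      /* hypothetical split-out capability bit */
};

/* Hypothetical LSM-style hook run before the swap: 0 allows, -EPERM denies.
 * Constructed policy: removing a secmark rule needs the capability bit. */
static int security_table_replace(const struct cred *c,
                                  const struct xt_table *old,
                                  const struct xt_table *next)
{
    for (int i = 0; i < old->nrules; i++) {
        const struct xt_rule *r = &old->rules[i];
        int kept = 0;
        if (!r->secmark)
            continue;
        for (int j = 0; j < next->nrules; j++)
            if (next->rules[j].id == r->id)
                kept = 1;
        if (!kept && !c->may_delete_secmark_rules)
            return -EPERM;
    }
    return 0;
}

/* Replace path: check, one atomic pointer swap, then cleanup of the whole
 * old image. On denial the live table is never touched. */
static int xt_replace_table(_Atomic(struct xt_table *) *live,
                            struct xt_table *next, const struct cred *c,
                            rule_destroy_fn destroy)
{
    struct xt_table *old = atomic_load(live);
    int err = security_table_replace(c, old, next);
    if (err)
        return err;
    old = atomic_exchange(live, next);
    /* Too late to refuse anything here: destroy runs for every old entry,
     * whether or not an equal rule exists in the new image. */
    for (int i = 0; i < old->nrules; i++)
        if (old->rules[i].secmark)
            destroy(&old->rules[i]);
    free(old);
    return 0;
}

static struct xt_table *make_table(const int *ids, const int *secmarks, int n)
{
    struct xt_table *t = calloc(1, sizeof *t);
    t->nrules = n;
    for (int i = 0; i < n; i++) {
        t->rules[i].id = ids[i];
        t->rules[i].secmark = secmarks[i];
    }
    return t;
}

struct outcome { int err; int nrules_after; int destroyed; };

/* Constructed scenario: live table {1, 2(secmark), 3}; the caller loads a
 * new image {1, 3}, i.e. deletes the secmark rule. */
static struct outcome run_delete(int privileged)
{
    const int ids0[] = {1, 2, 3}, sm0[] = {0, 1, 0};
    const int ids1[] = {1, 3},    sm1[] = {0, 0};
    _Atomic(struct xt_table *) live = make_table(ids0, sm0, 3);
    struct xt_table *next = make_table(ids1, sm1, 2);
    struct cred c = { privileged };
    struct outcome o;

    ndestroyed = 0;
    o.err = xt_replace_table(&live, next, &c, secmark_destroy);
    o.nrules_after = atomic_load(&live)->nrules;
    o.destroyed = ndestroyed;
    if (o.err)
        free(next);                    /* rejected image; old table still live */
    free(atomic_load(&live));
    return o;
}

int main(void)
{
    struct outcome a = run_delete(0), b = run_delete(1);
    printf("unprivileged: err=%d rules=%d destroyed=%d\n",
           a.err, a.nrules_after, a.destroyed);
    printf("privileged:   err=%d rules=%d destroyed=%d\n",
           b.err, b.nrules_after, b.destroyed);
    return 0;
}
```

The denied path returns before `atomic_exchange`, so the old image stays live and no destroy hook runs; the allowed path can only report success, because once the pointer has been swapped the destroy loop has nothing left to decide. Whether the check keys on a new hook or on a finer-grained capability bit, as the mail suggests, it has to sit where this model's `security_table_replace` sits.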