"Serge E. Hallyn" <serue@xxxxxxxxxx> writes:
>> diff --git a/security/snet/Kconfig b/security/snet/Kconfig
>> new file mode 100644
>> index 0000000..e1516a1
>> --- /dev/null
>> +++ b/security/snet/Kconfig
>> @@ -0,0 +1,22 @@
>> +#
>> +# snet
>> +#
>> +
>> +config SECURITY_SNET
>> + bool "snet - Security for NETwork syscalls"
>> + depends on SECURITY_NETWORK && IPV6
>
> Why depend on IPV6?
right, no need.
>
>> + default n
>> + ---help---
>> + Provide a generic netlink that reports networking's syscalls
>> + to userspace
>
> And also wait for userspace to decide whether to authorize the
> syscall, right? 'report on' is very different.
I'm proposing this patch, which applies on top of previous
diff --git a/security/snet/Kconfig b/security/snet/Kconfig
index e1516a1..8ac7778 100644
--- a/security/snet/Kconfig
+++ b/security/snet/Kconfig
@@ -4,11 +4,11 @@
config SECURITY_SNET
bool "snet - Security for NETwork syscalls"
- depends on SECURITY_NETWORK && IPV6
+ depends on SECURITY_NETWORK
default n
---help---
- Provide a generic netlink that reports networking's syscalls
- to userspace
+ If this option is enabled, the kernel will include support for reporting
+ networking's syscalls to userspace and wait for a verdict
config SECURITY_SNET_DEBUG
bool "snet debug messages"
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
