Re: decipher the secmark number from nf_conntrack/ip_conntrack

On Thu, Sep 23, 2010 at 6:30 PM, Mr Dash Four
<mr.dash.four@xxxxxxxxxxxxxx> wrote:

> Whoever designed that part of the interface (it wasn't you by any chance,
> was it?) thought, wrongly, that secmark means
> 'show-me-the-internal-number-the-kernel-uses-to-identify-that-security-mark-for-that-particular-connection'!

It was written when secmark was implemented by an SELinux hacker (and
an ex-netfilter hacker) named James Morris who should have known
better.

James, I just cc'd you on this thread.  Basically the conntrack code
exported the selinux sid instead of the context to userspace via both
procfs and its netlink interface.  Mr Dash Four would like to show the
context in both places (I'm going to stop showing the sid everywhere
no matter what).  Jan would like the netlink interface to show the
context and the procfs interface to show nothing (since procfs is
deprecated and what we have been showing has obviously gone unused).

I'll throw in my 2 cents.  I would like to see the proc interface
'fixed' or 'enhanced', I don't care what it is called, to show the
name.  However my patch series (now 6 patches long) splits the netlink
and the procfs changes into separate pieces which can be selectively
applied.

If we can come to a consensus on the question of 'should we show
nothing at all or the context in the procfs interface' then we can
start the question of who wants to carry my series (since it straddles
the security and the netfilter code).

-Eric

p.s. I'll send the series once I get the conntrack userspace code to
understand my changes to make sure I didn't screw anything up.
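To make the difference between the two interfaces concrete, here is a small userspace C model of what the thread is arguing about. It is an added example, not kernel code and not Eric's patch series: the SID table, the `secid_to_secctx()` helper (a stand-in for the kernel's `security_secid_to_secctx()`), the tuple fields and the secid values are all constructed. The "old" renderer prints the internal number the way the procfs output did; the "new" renderer resolves the secid to its context and prints nothing at all for an unlabeled or unresolvable entry, so userspace is never handed a number it cannot interpret.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

/* Constructed stand-in for the kernel's SID table (secid -> context).
 * The numbers are arbitrary: a real secid is an internal handle assigned
 * when the policy is loaded and means nothing to userspace on its own. */
struct sid_entry {
    uint32_t secid;
    const char *context;
};

static const struct sid_entry sidtab[] = {
    { 17, "system_u:object_r:ssh_packet_t:s0" },
    { 42, "system_u:object_r:http_packet_t:s0" },
};

/* Model of security_secid_to_secctx(): resolve a secid to its context.
 * Returns 0 and sets *ctx on success, -EINVAL if the secid is unknown. */
static int secid_to_secctx(uint32_t secid, const char **ctx)
{
    size_t i;
    for (i = 0; i < sizeof(sidtab) / sizeof(sidtab[0]); i++) {
        if (sidtab[i].secid == secid) {
            *ctx = sidtab[i].context;
            return 0;
        }
    }
    return -EINVAL;
}

/* Old behaviour: print the raw internal secid. */
int render_secmark_old(uint32_t secid, char *buf, size_t len)
{
    return snprintf(buf, len, "secmark=%u", (unsigned)secid);
}

/* Proposed behaviour: translate the secid and print the context string.
 * secid 0 (unlabeled) or an unresolvable secid yields an empty field. */
int render_secctx_new(uint32_t secid, char *buf, size_t len)
{
    const char *ctx;
    if (secid == 0 || secid_to_secctx(secid, &ctx) != 0) {
        if (len)
            buf[0] = '\0';
        return 0;
    }
    return snprintf(buf, len, "secctx=%s", ctx);
}

/* Assemble one conntrack-style line from constructed tuple fields plus the
 * security field rendered by either function. Returns a static buffer. */
const char *ct_line(const char *proto, const char *src, const char *dst,
                    uint32_t secid, int show_ctx)
{
    static char line[256];
    char sec[128];

    if (show_ctx)
        render_secctx_new(secid, sec, sizeof(sec));
    else
        render_secmark_old(secid, sec, sizeof(sec));

    snprintf(line, sizeof(line), "%s src=%s dst=%s%s%s", proto, src, dst,
             sec[0] ? " " : "", sec);
    return line;
}

int main(void)
{
    /* Same labeled connection, old and new rendering; then an unlabeled one. */
    puts(ct_line("tcp", "10.0.0.1", "10.0.0.2", 42, 0));
    puts(ct_line("tcp", "10.0.0.1", "10.0.0.2", 42, 1));
    puts(ct_line("udp", "10.0.0.1", "10.0.0.2", 0, 1));
    return 0;
}
```

Running it prints the labeled connection first with `secmark=42` (meaningful only to the kernel that assigned 42) and then with `secctx=system_u:object_r:http_packet_t:s0`, which a policy writer can actually match against; the unlabeled entry carries no security field at all, which is the "show nothing" option Jan prefers for procfs applied per entry rather than for the whole file.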