On Friday 13 March 2009 02:54:58 pm David Miller wrote: > From: Paul Moore <paul.moore@xxxxxx> > Date: Thu, 12 Mar 2009 12:22:57 -0400 > > > The current placement of the security_inet_conn_request() hooks do not > > allow individual LSMs to override the IP options of the connection's > > request_sock. This is a problem as both SELinux and Smack have the > > ability to use labeled networking protocols which make use of IP options > > to carry security attributes and the inability to set the IP options at > > the start of the TCP handshake is problematic. > > > > This patch moves the IPv4 security_inet_conn_request() hooks past the > > code where the request_sock's IP options are set/reset so that the LSM > > can safely manipulate the IP options as needed. This patch intentionally > > does not change the related IPv6 hooks as IPv6 based labeling protocols > > which use IPv6 options are not currently implemented, once they are we > > will have a better idea of the correct placement for the IPv6 hooks. > > This looks OK to me: > > Acked-by: David S. Miller <davem@xxxxxxxxxxxxx> Great, thanks for taking a look. -- paul moore linux @ hp -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
