Dear All,
If I understand correctly, the permission check for inbound packet (the
"packet recv" operation) is performed by selinux_socket_sock_recv_skb,
which hooks into the socket_sock_recv_skb hook.
Does anybody remember the rationale for doing the check there instead of
the NF_INET_LOCAL_IN hook ?
I am asking that because the permission for outbound packets ("packet
send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
should be a good reason for this asymetry, but I don't get it.
Thanks for your time,
Jacques Thomas
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
