Paul Moore wrote:
On Sunday 11 October 2009 12:27:14 am Jacques Thomas wrote:
Dear All,
If I understand correctly, the permission check for inbound packet (the
"packet recv" operation) is performed by selinux_socket_sock_recv_skb,
which hooks into the socket_sock_recv_skb hook.
Does anybody remember the rationale for doing the check there instead of
the NF_INET_LOCAL_IN hook ?
When performing the "packet recv" access control the Secmark label needs to be
compared against the receiving socket's label, to the best of my understanding
this is not possible with the current netfilter hooks. At one point there was
some discussion of implementing socket level netfilter hooks but I don't
believe they ever went anywhere.
I am asking that because the permission for outbound packets ("packet
send") seems to be performed in the NF_INET_LOCAL_OUT. I am sure there
should be a good reason for this asymetry, but I don't get it.
The NF_INET_LOCAL_OUT hook, selinux_ip_output(), doesn't actually perform any
access control, it only handles labeling packets generated from disconnected
sockets when NetLabel is in use. There is outbound Secmark based access
control (amongst others) in the NF_INET_POST_ROUTING hook, but it is possible
there because the packet (struct sk_buff) has a back pointer to the socket
where it originated from enabling us to perform the access check at this point
in the stack.
This makes sense to me to me now. Thank you for the explanation.
Regards,
Jacques Thomas
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
