On Fri, Feb 25, 2011 at 01:21:05PM -0600, Joy Latten wrote:
> > >
> > > I think that's not possible either. The security_xfrm_decode_session()
> > > hook is used from within xfrm_decode_session(). This function
> > > is used in codepaths that are used for both inbound and outbound
> > > processing (xfrm_lookup, xfrm_policy_check etc.).
> >
> > This makes me wonder if the LSM hook is even in the right place.
>
> I am unable to find the original email to get a full understanding of
> the context of this particular patch so am responding via Paul's email.
> If my comments seem incorrect due to lack of context... please let me
> know.
>
> I believe xfrm_decode_session is for inbound processing.
> I could not readily find anything suggesting that xfrm_lookup()
> results in __xfrm_decode_session() getting called. If I have missed
> it, please let me know. I was looking at kernel code for 2.6.35.7.

Well, xfrm_decode_session() is called in the forwarding path from
__xfrm_route_forward() to construct the flow that is passed to
xfrm_lookup(). Also it is called from the netfilter functions
ip_route_me_harder() on output, and ip_xfrm_me_harder() from the local
out and the postrouting hook.

Further, security_xfrm_decode_session() is called via
selinux_skb_xfrm_sid() from selinux_skb_peerlbl_sid(), which is called
from input, output and forwarding codepaths.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
with the words "unsubscribe selinux" without quotes as the message.