On Wed, 2011-08-31 at 08:43 -0700, Casey Schaufler wrote: > On 8/31/2011 1:36 AM, rongqing.li@xxxxxxxxxxxxx wrote: > > From: Roy.Li <rongqing.li@xxxxxxxxxxxxx> > > > > Define security_sk_getsecctx to return the security > > context of a sock. > > So, what is the intended use of the information > coming from this hook? If I wanted to write the > Smack hook, which of the "contexts" would I want > to return? There are potentially three. If I know > what the caller is looking for, I can (hopefully) > select the correct information. The initial use case is for netstat -Z so that it can reliably show the security context of the socket rather than inferring it from the owning process, which can be inaccurate for security-aware applications. In your situation, when in != out, which would you rather see in netstat -Z output? Alternatively, if you want them both, perhaps you could combine in and out into a single string that is returned, similar to what you proposed for handling multiple xattrs with inode_getsecctx()? -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
