Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c

[Chris Wright]

* Luke Kenneth Casson Leighton (lkcl@xxxxxxxx) wrote:
> chris - for example, i notice that at the top of ipt_owner.c it says
> "deals with local outgoing sockets".
> 
> so... does sk_buff _only_ contain a list of outgoing sockets?

no, and in fact outgoing there's no question who's sending the packet,
as it's still in process context.

> iiiisss... there a different socket for incoming traffic that
> someone is different from the list of sockets associated with
> a task?
> 
> is the clue in what you say about "Incoming is in interrupt context"?
> 
> are the sockets in the interrupt context somehow different / special
> such that they would never get to this code?

Depends on where the hooks are registered into netfilter whether you'll
get the inbound stuff.  I'm assuming this part is ok.  Point is, the act
of receiving a packet and queueing data to a socket does not happen in
process context.  So you don't know who will be woken up to actually
read data from that socket.  Your stuff should work for most cases.  But
it's not fundamentally deterministic enough to call it really secure.

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/