Re: [patch] to add device+inode check to ipt_owner.c - HACKED UP

[Luke Kenneth Casson Leighton]

On Fri, Sep 10, 2004 at 08:49:28AM +0100, Gianni Tedesco wrote:
> On Wed, 2004-09-08 at 11:39 +0100, Luke Kenneth Casson Leighton wrote:
> > ... did i sent a patch?
> > 
> > did i send a patch??  i don't _think_ so *lol* :)
> 
> heh :)
> 
> IMO the number of constraints involed here make using this patch fairly
> involved (for something security related at least) in that, as you said,
> you have to:
> 
>  - be careful to use ACCEPT rules only
>  - be careful that you do:
>     1. remove fw rules
>     2. upgrade software
>     3. replace rules
> 
> plus the fastpath code looks very hairy with at least 3 locks taken and
> O(num_tasks * max_fds) unpreemptable in softirq...
 
 it's no worse than the present fireflier solution, which on a
 per-packet basis in userspace will go hunting through /proc
 looking for the socket _that_ way *gibber*.

 fireflier reads /proc/NNNN/exe, then also hunts through the fds for
 that process on /proc looking for things beginning with "socket:".

 [actually it used not to bother with the qualification for "socket:"
  resulting in a complete nightmare time for creating appropriate
  selinux policy]

 l.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/