To: paul.moore@hp.com
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org,
       chrisw@sous-sol.org
Subject: Re: [TOMOYO 15/15] LSM expansion for TOMOYO Linux.
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
References: <46CED214.6050505@gmail.com>
	<46CED5F4.3030204@gmail.com>
	<200708271049.06900.paul.moore@hp.com>
In-Reply-To: <200708271049.06900.paul.moore@hp.com>
Message-Id: <200708281939.JDH33719.MVSFOOQJHFFOtL@I-love.SAKURA.ne.jp>
Date: Tue, 28 Aug 2007 19:39:13 +0900
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1164
Lines: 27

Hello.

Paul Moore wrote:
> >    * post_recv_datagram is added in skb_recv_datagram.
>
> Can you explain to me why this is not possible using the existing 
> security_socket_sock_rcv_skb() LSM hook?

socket_sock_rcv_skb() is a hook for enqueue time.
I want a hook for dequeue time, because what TOMOYO Linux is doing is
not "whether a socket created by foo is permitted to pick up
an incoming packet from specific address/port"
but "whether bar is permitted to pick up
an incoming packet from specific address/port".
At the time of enqueue, I can't know who will pick up that packet.

Same reason for socket_post_accept(). What TOMOYO Linux is doing is
not "whether a socket created by foo is permitted to accept
a connection request from specific address/port"
but "whether bar is permitted to accept
a connection request from specific address/port".
At the time of enqueue, I can't know who will pick up that request.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/