Date: Fri, 15 Feb 2008 20:36:10 -0800 (PST)
From: Casey Schaufler
Reply-To: casey@schaufler-ca.com
Subject: Re: [PATCH] (02/15/08 Linus git) Smack unlabeled outgoing ambient packets - v4
To: Paul Moore, casey@schaufler-ca.com
Cc: akpm@linux-foundation.org, torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org

--- Paul Moore wrote:

> On Friday 15 February 2008 6:24:25 pm Casey Schaufler wrote:
> > From: Casey Schaufler
> >
> > Smack uses CIPSO labeling, but allows for unlabeled packets
> > by specifying an "ambient" label that is applied to incoming
> > unlabeled packets. Because the other end of the connection
> > may dislike IP options, and ssh is one known application that
> > behaves thus, it is prudent to respond in kind. This patch
> > changes the network labeling behavior such that an outgoing
> > packet that would be given a CIPSO label that matches the
> > ambient label is left unlabeled. An "unlbl" domain is added
> > and the netlabel defaulting mechanism invoked rather than
> > assuming that everything is CIPSO. Locking has been added
> > around changes to the ambient label as the mechanisms used
> > to do so are more involved.
> >
> > Cleaned up some issues noted in review.
> > Make smk_cipso_doi() static.
> > Create a hook for the new security_secctx_to_secid()
> > using existing underlying code.
> > Fill in audit data for netlbl domain calls.
> > Collapse unnecessary multiple assignments.
> >
> > Signed-off-by: Casey Schaufler
>
> Looks good to me, thanks for making those changes.
>
> Acked-by: Paul Moore

Thank you for the insights.

Casey Schaufler
casey@schaufler-ca.com