| To: | Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> |
|---|---|
| Subject: | Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity |
| From: | Stephen Smalley <sds@xxxxxxxxxxxxxx> |
| Date: | Fri, 08 Oct 2004 07:18:42 -0400 |
| Cc: | Valdis Kletnieks <Valdis.Kletnieks@xxxxxx>, lkml <linux-kernel@xxxxxxxxxxxxxxx>, SELinux@xxxxxxxxxxxxx, Ingo Molnar <mingo@xxxxxxxxxx>, netdev@xxxxxxxxxxx, linux-net@xxxxxxxxxxxxxxx |
| In-reply-to: | <20041008093154.GA5089@lkcl.net> |
| Organization: | National Security Agency |
| References: | <200410070542.i975gkHV031259@turing-police.cc.vt.edu> <1097157367.13339.38.camel@moss-spartans.epoch.ncsc.mil> <20041008093154.GA5089@lkcl.net> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
On Fri, 2004-10-08 at 05:31, Luke Kenneth Casson Leighton wrote: > an alternative possible solution is to get the packet _out_ from > the interrupt context and have the aux pid comm exe information added. No, the network permission checks are intentionally layered to match the network protocol implementation. There is a process-to-socket check performed in process context when the data is received from the socket by an actual process, but there is also the socket-to-netif/node/port check performed in softirq context when the packet is received on the socket from the network. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Re: 2.6.7 tulip performance (with NAPI), Lennert Buytenhek |
|---|---|
| Next by Date: | Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity, Luke Kenneth Casson Leighton |
| Previous by Thread: | Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity, Luke Kenneth Casson Leighton |
| Next by Thread: | Re: 2.6.9-rc2-mm4-VP-S7 - ksoftirq and selinux oddity, Luke Kenneth Casson Leighton |
| Indexes: | [Date] [Thread] [Top] [All Lists] |