| To: | James Morris <jmorris@xxxxxxxxxx> |
|---|---|
| Subject: | Re: [PATCH 2/2] Resend: LSM-IPSec Networking Hooks |
| From: | Trent Jaeger <jaegert@xxxxxxxxxx> |
| Date: | Wed, 1 Jun 2005 09:59:40 -0400 |
| Cc: | chrisw@xxxxxxxx, latten@xxxxxxxxxxxxxx, netdev@xxxxxxxxxxx, sds@xxxxxxxxxxxxx, serue@xxxxxxxxxx |
| In-reply-to: | <Xine.LNX.4.44.0505310006060.28060-100000@thoron.boston.redhat.com> |
| Sender: | netdev-bounce@xxxxxxxxxxx |
OK. Thanks for the detailed comments. I will review and get back with comments and mods (probably next week).

Regards,
Trent.

------------------------------------------------------------
Trent Jaeger
IBM T.J. Watson Research Center
19 Skyline Drive, Hawthorne, NY 10532
(914) 784-7225, FAX (914) 784-7225
On Tue, 17 May 2005, jaegert wrote:

Ok, my last review in this iteration.

> @@ -984,6 +1029,13 @@ static struct xfrm_state * pfkey_msg2xfr
> x->lft.soft_add_expires_seconds = lifetime->sadb_lifetime_addtime;
> x->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;
> }
> +
> + sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1];
> + if (sec_ctx != NULL) {
> + if (security_xfrm_state_alloc(x, sec_ctx))
> + goto out;

You should propagate the return value of security_xfrm_state_alloc() here by assigning it to err.

> -selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o
> +selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o nethooks.o

What about making nethooks.o (or whatever it'll be called) conditionally compiled via CONFIG_SECURITY_NETWORK_XFRM ? (see netif.o)

> + * ISSUES:
> + * 1. Caching packets, so they are not dropped during negotiation

This needs to be done for IPsec in general, not sure what the status is.

> + * 2. Emulating a reasonable SO_PEERSEC across machines

This may not be too difficult if we limit this to connected TCP sockets.

> + * 3. Testing sk_policy setting with context

What does this mean?

Overall, this looks like a really good approach to the problem.

- James

--
James Morris <jmorris@xxxxxxxxxx>
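Review bot: in the @@ -984,6 +1029,13 @@ hunk, sec_ctx is taken straight from ext_hdrs[SADB_X_EXT_SEC_CTX-1], i.e. from a user-supplied PF_KEY extension, and nothing visible in the hunk checks that the sadb_x_sec_ctx header and the security context string it carries fit within the extension's declared length before security_xfrm_state_alloc(x, sec_ctx) consumes them; please confirm the PF_KEY extension parser validates this extension type, or add the length check before the call. Independently of the error-propagation point already raised, writing it as `err = security_xfrm_state_alloc(x, sec_ctx); if (err) goto out;` also lets the caller distinguish an allocation failure from a policy denial when the SA is rejected.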