Re: [PATCH BUGFIX -rc4] Smack: Respect 'unlabeled' netlabel mode

From: Paul Moore
Date: Sat May 31 2008 - 09:09:22 EST


Sorry I'm late to the party ...

On Friday 30 May 2008 8:58:26 pm Ahmed S. Darwish wrote:
> There are two possible solutions in my mind:
>
> - Using a predefined netlabel domain to denote to unlabeled packets.
> Defect: May collide with a user chosen label and used to break
> security. Solution: Use a domain name that can't become a label
> (Hackery ?)

From my understanding of Smack that is what the ambient label does
currently. Does this not work correctly for you?

> - I've tried first to use what was done before the 'Smack: unlabeled
> outgoing ambient packets' patch, which honored nltype=unlabeled, but
> ignored netlabel completely:
> i.e.
>
> int rc = 0;
> if (secattr.flags != NETLBL_SECATTR_NONE)
>         rc = netlbl_sock_setattr(sk, &secattr);
> return rc;
>
> Paul, would this be right from a netlabel perspective ?

Well, what are you trying to do (it isn't clear to me from the code
snippet above)? The netlbl_sock_setattr() function looks at the
secattr->domain field and uses the value there to lookup the desired
labeling protocol (currently either CIPSO or unlabeled) and then the
NetLabel subsystem passes the socket and the secattr information onto
the specific protocol handler where the secattr->attr information is
used to assign on-the-wire labels to the socket.

--
paul moore
linux @ hp
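The dispatch Paul describes (domain lookup first, then the protocol handler consuming secattr->attr) is easier to see in a small user-space model. The following is an added example, not kernel code and not the real NetLabel API: the struct layouts, the domain table, the protocol enum and the function names are assumptions, and the domain table is constructed for the example. It places the quoted caller pattern next to the model of netlbl_sock_setattr() so the consequence of skipping NetLabel when flags == NETLBL_SECATTR_NONE is visible: the socket is never handed to the "unlabeled" protocol handler at all, whereas a secattr whose domain maps to the unlabeled protocol still goes through the dispatch.

```c
/* User-space model of the NetLabel socket labeling dispatch.
 * Added example: names, structs and the domain table are assumptions,
 * not the kernel's netlbl_sock_setattr() or its data structures. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NETLBL_SECATTR_NONE   0u   /* flag values are stand-ins */
#define NETLBL_SECATTR_DOMAIN 1u

enum proto { PROTO_NONE = 0, PROTO_UNLABELED, PROTO_CIPSO };

struct secattr {
    unsigned int flags;
    const char *domain;    /* models secattr->domain */
    int mls_level;         /* stand-in for secattr->attr */
};

struct sock_model {
    enum proto proto;      /* labeling protocol bound to the socket */
    int wire_level;        /* what would go on the wire, -1 if nothing */
};

/* Constructed domain -> protocol mapping, standing in for the NetLabel
 * domain hash table; "*" is the default entry. */
static const struct { const char *domain; enum proto proto; } domain_map[] = {
    { "*",      PROTO_UNLABELED },
    { "Secret", PROTO_CIPSO },
    { NULL,     PROTO_NONE },
};

static enum proto lookup_domain(const char *domain)
{
    size_t i;
    if (domain)
        for (i = 0; domain_map[i].domain; i++)
            if (strcmp(domain_map[i].domain, domain) == 0)
                return domain_map[i].proto;
    /* no specific mapping: fall back to the default entry */
    for (i = 0; domain_map[i].domain; i++)
        if (strcmp(domain_map[i].domain, "*") == 0)
            return domain_map[i].proto;
    return PROTO_NONE;
}

/* Model of netlbl_sock_setattr(): select the protocol from the domain,
 * then let that protocol's handler apply the attr information. */
int model_sock_setattr(struct sock_model *sk, const struct secattr *sa)
{
    const char *dom = (sa->flags & NETLBL_SECATTR_DOMAIN) ? sa->domain : NULL;

    switch (lookup_domain(dom)) {
    case PROTO_UNLABELED:
        sk->proto = PROTO_UNLABELED;
        sk->wire_level = -1;            /* unlabeled: nothing on the wire */
        return 0;
    case PROTO_CIPSO:
        sk->proto = PROTO_CIPSO;
        sk->wire_level = sa->mls_level; /* CIPSO handler uses attr */
        return 0;
    default:
        return -ENOENT;                 /* no usable mapping */
    }
}

/* The caller pattern from the quoted snippet: bypass NetLabel entirely
 * when the secattr carries no information. */
int model_label_socket(struct sock_model *sk, const struct secattr *sa)
{
    int rc = 0;
    if (sa->flags != NETLBL_SECATTR_NONE)
        rc = model_sock_setattr(sk, sa);
    return rc;
}

/* Run one case on a fresh socket and report the protocol it ends up
 * bound to, or -1 on error. */
int model_result_proto(unsigned int flags, const char *domain, int level)
{
    struct sock_model sk = { PROTO_NONE, 0 };
    struct secattr sa = { flags, domain, level };
    if (model_label_socket(&sk, &sa) != 0)
        return -1;
    return (int)sk.proto;
}

int main(void)
{
    printf("flags NONE          -> proto %d\n",
           model_result_proto(NETLBL_SECATTR_NONE, NULL, 0));
    printf("domain (default)    -> proto %d\n",
           model_result_proto(NETLBL_SECATTR_DOMAIN, "anything", 0));
    printf("domain Secret       -> proto %d\n",
           model_result_proto(NETLBL_SECATTR_DOMAIN, "Secret", 3));
    return 0;
}
```

With flags == NETLBL_SECATTR_NONE the socket stays at PROTO_NONE, because the dispatch was never entered; a secattr that names a domain mapped to the unlabeled protocol ends up at PROTO_UNLABELED, which is the state the "unlabeled" netlabel mode is meant to produce. That difference is the question Paul is raising about the snippet.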