* James Morris (jmorris@xxxxxxxxxx) wrote:
> Below is a patch against 2.6.0-test11 which implements a new socket option
> SO_PEERSEC (defined for i386 only at this stage).
Thanks for doing this, James. In your example demonstration, you simply
print the peersec string. Do you expect to use it with a simple comparison
against something like data from procattr, or something else? IOW,
does this introduce any new namespace issues for apps?
> +static inline int security_sk_alloc_security(struct sock *sk, int family,
> int priority)
> +static inline void security_sk_free_security(struct sock *sk)
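
Review bot: security_sk_alloc_security() returns int while security_sk_free_security() returns void, and the quoted lines do not show either call site. Please confirm that the caller checks the alloc return value and unwinds the sock allocation on failure, and that the free hook is safe to call on a sock whose alloc hook failed or never ran. The family and priority parameters also deserve a line in the hook documentation stating what a module is expected to do with them.
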
Minor nit: these names are inconsistent with the existing analogous ones.
How about simply security_sk_alloc and security_sk_free?
> +++ linux-2.6.0-test11.w2/net/core/sock.c 2003-12-10 09:55:39.378901360
> @@ -564,6 +564,9 @@
> v.val = sk->sk_state == TCP_LISTEN;
> + case SO_PEERSEC:
> + return security_socket_getpeersec(sock, optval, len);
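
Review bot: In the SO_PEERSEC case, len is passed by value and the case returns straight from security_socket_getpeersec(), so the bounds check against len and the copy into optval are left entirely to each module's implementation. The hook's documentation should state that optval is the caller's buffer from getsockopt(), that a module must never write more than len bytes into it, and which error is returned when the label does not fit, so that every module behaves the same way at this boundary.
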
Would it be useful to ask the module to update len, as is done in some
other cases? Perhaps the buffer is too small; can len be the vector for that info?
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net