• lsm: Relocate the IPv4 security_inet_conn_request() hooks · 284904aa
    Paul Moore authored
    The current placement of the security_inet_conn_request() hooks does not allow
    individual LSMs to override the IP options of the connection's request_sock.
    This is a problem as both SELinux and Smack have the ability to use labeled
    networking protocols which make use of IP options to carry security attributes
    and the inability to set the IP options at the start of the TCP handshake is
    problematic.
    
    This patch moves the IPv4 security_inet_conn_request() hooks past the code
    where the request_sock's IP options are set/reset so that the LSM can safely
    manipulate the IP options as needed.  This patch intentionally does not change
    the related IPv6 hooks as IPv6-based labeling protocols which use IPv6 options
    are not currently implemented; once they are, we will have a better idea of
    the correct placement for the IPv6 hooks.
    Signed-off-by: Paul Moore <paul.moore@hp.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: James Morris <jmorris@namei.org>
syncookies.c 9.99 KB