[apparmor] IPC syntax - again

John Johansen john.johansen at canonical.com
Wed Jul 3 08:41:14 UTC 2013


On 07/03/2013 01:15 AM, John Johansen wrote:
> On 07/02/2013 11:43 PM, Seth Arnold wrote:
>> I wrote a long detailed response to your questions but realized after a
>> while that I was relying on some pretty huge assumptions on how the LSM
>> networking hooks interact with the secmark hooks.
>>
>> So, rather than send a long email based on probably incorrect
>> assumptions, I figured I better address those assumptions first thing.
>>
>> What can we mediate with purely LSM hooks?
> 
> More than you would hope for but less than you'd like :)
> 
Hrmm, I should clarify a little bit, as I didn't make the clear distinction
between the secmark and secmark rules in iptables.

The secmark is the field to carry labeling information on a packet within
the kernel. It can be used independent of iptables, e.g. we could create
a postroute hook in netfilter, and we would need to use secmark to carry
labeling on the packet into that hook.

The iptables rules we do NOT need; we could write our own netfilter hooks
instead of using iptables. It might be hard to argue for upstreaming them,
but we could do it. However, iptables is infrastructure that admins are
used to and can be leveraged if we want.
