TOMOYO 2.4: Network socket operation restriction support.

This patchset adds support for restricting PF_INET,PF_INET6,PF_UNIX socket's
bind()/listen()/connect()/accept()/send() operations.
Since security_socket_post_recvmsg() does not exist, this patchset does not
provide support for restricting recv() operation.

Since security_socket_post_accept() does not exist, this patchset emulates it
using other security_socket_*(). This is done by assigning a magic value on the
accept()ed socket and let security_socket_*() hooks check whether the socket is
an accept()ed socket or not (by checking whether the socket has the magic value
or not). If the socket has the magic value, security_socket_*() hook performs
post-accept() permission check. This means that the permission check for
accept() is deferred until the accept()ed socket is used for the first time.

[PATCH 1/2] TOMOYO: Add socket operation restriction support.
[PATCH 2/2] TOMOYO: Enable socket permission checks.

 security-testing-2.6/security/tomoyo/network.c |  828 +++++++++++++++++++++++++
 security/tomoyo/Kconfig                        |    2
 security/tomoyo/Makefile                       |    2
 security/tomoyo/common.c                       |  113 +++
 security/tomoyo/common.h                       |  143 ++++
 security/tomoyo/gc.c                           |   38 +
 security/tomoyo/group.c                        |   66 +
 security/tomoyo/realpath.c                     |   33
 security/tomoyo/tomoyo.c                       |  253 +++++++
 security/tomoyo/util.c                         |   47 +
 10 files changed, 1503 insertions(+), 22 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html