On Mon, 25 Apr 2005, Stephen Smalley wrote:
True, but I don't think this will help much in this particular
case, as
the original poster wants to control information flow via loopback and
you aren't likely to be using IPSEC on such traffic.
You could use null encryption and null authentication.
Another possibility is to implement SO_PEERSEC for loopback TCP, although
I think it requires more LSM hooks.
In the absence of a sk_buff security field and associated hooks for
lifecycle management, I think that we'd have to go with something like
the iptables MARK module, ala LIDS.
I think this is at the wrong layer; how would you query the socket for
peer security information?
- James
--
James Morris
<jmorris(a)redhat.com>