Message ID | 1312874910-31010-7-git-send-email-rongqing.li@windriver.com |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
From: <rongqing.li@windriver.com>
Date: Tue, 9 Aug 2011 15:28:30 +0800

> if (v == SEQ_START_TOKEN) {
> seq_printf(seq, "%-*s\n", TMPSZ - 1,
> " sl local_address rem_address st tx_queue "
> "rx_queue tr tm->when retrnsmt uid timeout "
> - "inode");
> + "inode seclabel");
> goto out;
> }

Unfortunately you cannot change the layout of procfs file output in this way. It has the potential to break programs which are parsing this file in userspace already.

The layout hasn't changed in a very long time because it is essentially a user-visible ABI.

If you want to export new information you'll have to do it using the facility that is extensible, and that's the netlink based socket dumping facility implemented in inet_diag.c, tcp_diag.c and friends.

There, you can simply add a new netlink attribute that gets dumped with the entry, which will provide the security context.
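The extensible path the reply above recommends, as an added example that is not code from the patch or from either message in the thread: one inet_diag reply is built in memory with its attributes in the rtattr TLV layout that inet_diag.c and tcp_diag.c emit, then parsed once by a reader that predates a security-context attribute and once by a reader that knows it. The attribute number DIAG_ATTR_SECCTX, the socket values and the label string are assumptions made for the demo; DIAG_ATTR_SECCTX is not a number taken from linux/inet_diag.h.

```c
/* Added example, not code from the patch or the netdev thread. Builds one
 * inet_diag reply in memory, appends rtattr TLV attributes, and parses it
 * as an old and as a new consumer. DIAG_ATTR_SECCTX is a hypothetical
 * attribute number chosen for the demo; socket values are constructed. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/inet_diag.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#define DIAG_ATTR_SECCTX 200            /* hypothetical, demo only */

struct diag_view {
	unsigned short sport;           /* host byte order */
	unsigned inode;
	unsigned rmem;                  /* from INET_DIAG_MEMINFO */
	char secctx[64];                /* empty if absent or not understood */
	int skipped;                    /* attributes this reader stepped over */
};

/* Append one rtattr at offset off; returns the next free (aligned) offset. */
static size_t add_attr(unsigned char *buf, size_t off, unsigned short type,
		       const void *data, size_t len)
{
	struct rtattr *rta = (struct rtattr *)(buf + off);

	rta->rta_type = type;
	rta->rta_len = RTA_LENGTH(len);
	memcpy(RTA_DATA(rta), data, len);
	return off + RTA_ALIGN(rta->rta_len);
}

/* Build a single TCPDIAG_GETSOCK reply describing a constructed listener. */
static size_t build_message(unsigned char *buf, size_t cap)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct inet_diag_msg *m;
	struct inet_diag_meminfo mem = { 4096, 0, 0, 0 };
	static const char ctx[] = "system_u:system_r:sshd_t:s0"; /* constructed */
	size_t off;

	memset(buf, 0, cap);
	m = NLMSG_DATA(nlh);
	m->idiag_family = AF_INET;
	m->idiag_state = 10;            /* TCP_LISTEN */
	m->id.idiag_sport = htons(22);
	m->idiag_inode = 12345;

	off = NLMSG_ALIGN(NLMSG_LENGTH(sizeof(*m)));
	off = add_attr(buf, off, INET_DIAG_MEMINFO, &mem, sizeof(mem));
	off = add_attr(buf, off, DIAG_ATTR_SECCTX, ctx, sizeof(ctx));
	nlh->nlmsg_len = off;
	nlh->nlmsg_type = TCPDIAG_GETSOCK;
	return off;
}

/* Walk the attributes with RTA_OK/RTA_NEXT. With knows_secctx == 0 the
 * reader has no case for DIAG_ATTR_SECCTX and steps over it using the
 * length in the TLV header; what it does understand is unaffected.
 * Returns 0, or -1 for a malformed message. */
static int parse_message(unsigned char *buf, size_t len, int knows_secctx,
			 struct diag_view *out)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
	struct inet_diag_msg *m;
	struct rtattr *rta;
	int alen;

	memset(out, 0, sizeof(*out));
	if (!NLMSG_OK(nlh, (int)len) || nlh->nlmsg_type != TCPDIAG_GETSOCK)
		return -1;
	m = NLMSG_DATA(nlh);
	out->sport = ntohs(m->id.idiag_sport);
	out->inode = m->idiag_inode;

	rta = (struct rtattr *)((unsigned char *)m + NLMSG_ALIGN(sizeof(*m)));
	alen = (int)(nlh->nlmsg_len - NLMSG_LENGTH(sizeof(*m)));
	for (; RTA_OK(rta, alen); rta = RTA_NEXT(rta, alen)) {
		size_t plen = RTA_PAYLOAD(rta);

		if (rta->rta_type == INET_DIAG_MEMINFO &&
		    plen >= sizeof(struct inet_diag_meminfo)) {
			out->rmem = ((struct inet_diag_meminfo *)RTA_DATA(rta))->idiag_rmem;
		} else if (knows_secctx && rta->rta_type == DIAG_ATTR_SECCTX) {
			if (plen >= sizeof(out->secctx))
				plen = sizeof(out->secctx) - 1;
			memcpy(out->secctx, RTA_DATA(rta), plen);
			out->secctx[plen] = '\0';
		} else {
			out->skipped++;         /* unknown type: skip by length */
		}
	}
	return 0;
}

/* Build the message and read it as an old (0) or new (1) consumer. */
static const struct diag_view *read_as(int knows_secctx)
{
	static unsigned char buf[256] __attribute__((aligned(8)));
	static struct diag_view v;
	size_t n = build_message(buf, sizeof(buf));

	return parse_message(buf, n, knows_secctx, &v) == 0 ? &v : NULL;
}

int main(void)
{
	struct diag_view o = *read_as(0), n = *read_as(1);

	printf("old reader: port %u inode %u rmem %u, skipped %d attribute(s)\n",
	       o.sport, o.inode, o.rmem, o.skipped);
	printf("new reader: secctx \"%s\"\n", n.secctx);
	return 0;
}
```

Build with gcc on a system with the Linux UAPI headers installed. The RTA_OK/RTA_NEXT walk is the same one real consumers of this interface perform, which is why appending an attribute leaves an older reader intact, whereas appending a column to a /proc line changes what every existing reader sees.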
On 08/09/2011 03:33 PM, David Miller wrote:
> From: <rongqing.li@windriver.com>
> Date: Tue, 9 Aug 2011 15:28:30 +0800
>
>> if (v == SEQ_START_TOKEN) {
>> seq_printf(seq, "%-*s\n", TMPSZ - 1,
>> " sl local_address rem_address st tx_queue "
>> "rx_queue tr tm->when retrnsmt uid timeout "
>> - "inode");
>> + "inode seclabel");
>> goto out;
>> }
>
> Unfortunately you cannot change the layout of procfs file output in
> this way. It has the potential to break programs which are parsing
> this file in userspace already.
>
> The layout hasn't changed in a very long time because it is essentially
> a user-visible ABI.
>
> If you want to export new information you'll have to do it using the
> facility that is extensible, and that's the netlink based socket dumping
> facility implemented in inet_diag.c, tcp_diag.c and friends.
>
> There, you can simply add a new netlink attribute that gets dumped with
> the entry, which will provide the security context.
>

Thanks, I see how I should do it. I will continue to develop it and hope to get your help.

Thanks.
From: Roy.Li <rongqing.li@windriver.com>

Export the tcp sock's security context to proc, since it may be different from the sock's owner process security context.

Signed-off-by: Roy.Li <rongqing.li@windriver.com>
---
 net/ipv4/tcp_ipv4.c | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 955b8e6..ddac912 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -2479,12 +2479,13 @@ static int tcp4_seq_show(struct seq_file *seq, void *v) { struct tcp_iter_state *st; int len; + struct sock *s = NULL; if (v == SEQ_START_TOKEN) { seq_printf(seq, "%-*s\n", TMPSZ - 1, " sl local_address rem_address st tx_queue " "rx_queue tr tm->when retrnsmt uid timeout " - "inode"); + "inode seclabel"); goto out; } st = seq->private; @@ -2493,15 +2494,20 @@ static int tcp4_seq_show(struct seq_file *seq, void *v) case TCP_SEQ_STATE_LISTENING: case TCP_SEQ_STATE_ESTABLISHED: get_tcp4_sock(v, seq, st->num, &len); + s = v; break; case TCP_SEQ_STATE_OPENREQ: get_openreq4(st->syn_wait_sk, v, seq, st->num, st->uid, &len); + s = st->syn_wait_sk; break; case TCP_SEQ_STATE_TIME_WAIT: get_timewait4_sock(v, seq, st->num, &len); break; } - seq_printf(seq, "%*s\n", TMPSZ - 1 - len, ""); + + len += sock_write_secctx(s, seq); + len = TMPSZ - 1 - len; + seq_printf(seq, "%*s\n", len > 0 ? len : 0, ""); out: return 0; }
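Review bot: in the first hunk (@@ -2479,12 +2479,13 @@), replacing `- "inode"` with `+ "inode seclabel"` changes the first line of /proc/net/tcp, which userspace treats as a fixed layout; any reader that validates the header or counts its columns will reject the file outright. TMPSZ is left untouched while the header grows, so the `%-*s` padding to TMPSZ - 1 no longer describes the actual line width either. The commit message should at least state that the proc layout changes, and a new inet_diag attribute would carry the same information without touching existing readers.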
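Review bot: in the second hunk (@@ -2493,15 +2494,20 @@), `len += sock_write_secctx(s, seq);` is reached with `s == NULL` for TCP_SEQ_STATE_TIME_WAIT, since only the LISTENING/ESTABLISHED and OPENREQ arms assign `s`; sock_write_secctx is not defined in this patch (the diffstat touches only net/ipv4/tcp_ipv4.c), so either it must tolerate NULL or the call needs an `if (s)` guard, and the dependency on the patch that introduces it should be stated. Two more points in the same hunk: for TCP_SEQ_STATE_OPENREQ the label written is that of the listener (`s = st->syn_wait_sk`), not of the request `v` being printed, which the commit message should say if it is intended; and `len > 0 ? len : 0` silently drops the fixed-width padding for any row whose label pushes it past TMPSZ - 1, so rows stop being uniform in width.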
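David Miller's objection that a wider /proc/net/tcp line can break programs already parsing it, shown on a reader of the kind found in userspace; this is an added example, not code from the patch or from either message. It is fed two constructed tables, one in the layout the pre-patch header describes and one with the header this patch prints and a label after each row. Column spacing, socket values and the label strings are assumptions made for the demo.

```c
/* Added example, not code from the patch or the thread: a /proc/net/tcp
 * reader that validates the header against the layout it was written for,
 * then pulls the leading fields of each row out with sscanf. Both tables
 * below are constructed samples. */
#include <stdio.h>
#include <string.h>

#define EXPECTED_COLUMNS 12     /* header columns before this patch */

struct tcp_row {
	unsigned sl, laddr, lport, raddr, rport, st, uid;
	unsigned long inode;
};

/* Count whitespace-separated column names in the first len bytes. */
static int count_columns(const char *line, size_t len)
{
	int n = 0, in_word = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		if (line[i] == ' ' || line[i] == '\t') {
			in_word = 0;
		} else if (!in_word) {
			in_word = 1;
			n++;
		}
	}
	return n;
}

/* Parse one row. sscanf ignores trailing fields, so a label appended to a
 * row does not break this function; the header check in read_table is
 * what rejects the new layout. Returns 0 on success. */
static int parse_row(const char *line, struct tcp_row *r)
{
	int got = sscanf(line,
			 "%u: %8x:%4x %8x:%4x %2x %*8x:%*8x %*2x:%*8lx %*8x %u %*d %lu",
			 &r->sl, &r->laddr, &r->lport, &r->raddr, &r->rport,
			 &r->st, &r->uid, &r->inode);
	return got == 8 ? 0 : -1;
}

/* Returns the number of rows parsed, or -1 if the header does not carry
 * the column count this reader expects or a row fails to parse. */
static int read_table(const char *text, struct tcp_row *rows, int max)
{
	const char *p = text, *nl = strchr(p, '\n');
	int n = 0;

	if (nl == NULL || count_columns(p, (size_t)(nl - p)) != EXPECTED_COLUMNS)
		return -1;              /* layout this reader does not know */
	for (p = nl + 1; *p != '\0' && n < max; p = nl + 1) {
		if (parse_row(p, &rows[n++]) != 0)
			return -1;
		if ((nl = strchr(p, '\n')) == NULL)
			break;
	}
	return n;
}

/* Constructed samples: OLD_TABLE in the pre-patch layout, PATCHED_TABLE
 * with the header from this patch and a label after each row's fields. */
static const char OLD_TABLE[] =
	"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
	"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0\n"
	"   1: 0100007F:0277 0100007F:8E2A 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1\n";

static const char PATCHED_TABLE[] =
	"  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode seclabel\n"
	"   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0 system_u:system_r:sshd_t:s0\n"
	"   1: 0100007F:0277 0100007F:8E2A 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1 unconfined_u:unconfined_r:unconfined_t:s0\n";

/* Row count of a table (-1 if rejected), and row i (NULL if rejected). */
static int table_rows(const char *text)
{
	struct tcp_row rows[8];
	return read_table(text, rows, 8);
}

static const struct tcp_row *table_row(const char *text, int i)
{
	static struct tcp_row rows[8];
	int n = read_table(text, rows, 8);
	return (i >= 0 && i < n) ? &rows[i] : NULL;
}

int main(void)
{
	const struct tcp_row *r = table_row(OLD_TABLE, 0);

	printf("old layout: %d rows, row 0 listens on port %u (inode %lu)\n",
	       table_rows(OLD_TABLE), r->lport, r->inode);
	printf("patched layout: read_table returns %d (header has %d columns)\n",
	       table_rows(PATCHED_TABLE),
	       count_columns(PATCHED_TABLE, strcspn(PATCHED_TABLE, "\n")));
	return 0;
}
```

The row parser itself survives the extra column because sscanf stops after the conversions it was asked for; what breaks is the header check, and a reader that instead positions fields by column index from the header, or that expects every row to be exactly TMPSZ - 1 wide, fails in its own way. Either outcome is what the reply means by a user-visible ABI.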