next up previous contents
Next: LinSec IP Labeling Up: LinSec Socket Access Control Previous: Socket Access Control Information   Contents


Socket Access Control Algorithm

The SAC algorithm is triggered by four events:

The algorithm proceeds in the following steps:

  1. Determine whether the destination IP address is local ( linsec_is_addr_local_v4, kernel/linsec_ipc.c). This is done by traversing the list of registered network devices and comparing the IP addresses bound to each one with the requested destination IP.
  2. Match the destination port number to a struct sock by examining the various protocol-dependent hash tables. The match is based on the destination port number, the network device id and the protocol used.
  3. Check whether the process that requested the service holds, in its effective capability set, the capabilities required by the socket.

Only if the last step of the above algorithm fails, i.e. if the process requesting the service is not allowed to communicate with the desired socket, is the service forced to fail. Otherwise the algorithm exits and lets the standard Linux networking code continue servicing the request.



Footnotes

... UDP 5.5
As explained in Section 4.2.
