Re: Raw communication bypassing tomoyo/akari (2019-06-05 22:50 by kumaneko #83074)
Hello. Thank you for using TOMOYO/AKARI.
TOMOYO/AKARI handles only TCP/UDP/RAW on PF_INET/PF_INET6 and STREAM/DGRAM/SEQPACKET on PF_UNIX.
This is because other protocols are unlikely to be permitted by firewalls even if applications try
to communicate using other protocols. As far as I know, none of the upstreamed LSM modules check
addresses of other protocols (SELinux seems to check SCTP, though). Adding support for checking
other protocols is unlikely to pay for the complexity.
Why do you want to check PF_IPX and PF_PACKET etc.? Why do you want to check
AF_IPX and AF_PACKET etc. addresses associated with TOMOYO/AKARI's domains?
I think that use of regular firewalls (or maybe a made-to-order LSM module)
might fit better than trying to check other protocols using TOMOYO/AKARI.
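For readers who want to see what the coverage described in the reply above looks like in practice, here is an added example domain policy fragment in TOMOYO 1.8 / AKARI syntax. It is not taken from the thread or from the TOMOYO project; the domain name `/usr/local/sbin/example-daemon` and all addresses, ports and socket paths are assumptions chosen for illustration. Every `network` line uses one of the address families the reply says TOMOYO/AKARI checks: `inet` (TCP via `stream`, UDP via `dgram`, and `raw`, where the last field is the IP protocol number, 1 for ICMP) and `unix` (`stream`, `dgram`, `seqpacket`), with IPv4 and IPv6 both written under `inet`.

```text
<kernel> /usr/local/sbin/example-daemon
use_profile 3
network inet stream bind 0.0.0.0-255.255.255.255 8080
network inet stream listen 0.0.0.0-255.255.255.255 8080
network inet stream accept 10.0.0.0-10.255.255.255 1024-65535
network inet stream connect 10.0.0.10 5432
network inet stream connect ::1 8080
network inet dgram send 10.0.0.53 53
network inet raw send 10.0.0.0-10.255.255.255 1
network unix stream connect /var/run/nscd/socket
network unix dgram send /dev/log
network unix seqpacket connect /run/example/control.sock
```

Note what this fragment cannot express: there is no `network packet ...` or `network ipx ...` keyword, so a `socket(AF_PACKET, SOCK_RAW, ...)` or `socket(AF_IPX, ...)` call made from this domain is outside what the policy language describes at all, which is the situation the reply addresses. Following the reply's own recommendation, traffic on those families would be constrained by a regular firewall (netfilter rules) or by a purpose-built LSM rather than by TOMOYO/AKARI policy.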