Application layer access to networking is mediated via a series of socket-related hooks, socket_security_ops. When an application attempts to create a socket with the socket(2) system call, the create() hook allows for mediation prior to the actual creation of the socket. Following successful creation, the post_create() hook may be used to update the security state of the inode associated with the socket.
Since active user sockets have an associated inode structure, a separate security field was not added to the socket structure or to the lower-level sock structure. However, it is possible for sockets to temporarily exist in a state where they have no socket or inode structure. Hence, the networking hook functions must take care in extracting the security information for sockets.
Mediation hooks are also provided for all of the socket system calls:
bind(2) connect(2) listen(2) accept(2) sendmsg(2) recvmsg(2) getsockname(2) getpeername(2) getsockopt(2) setsockopt(2) shutdown(2)
Protocol-specific information is available via the socket structure passed as a parameter to all of these hooks (except for create(), as the socket does not yet exist at this hook). This facilitates mediation based on transport layer attributes such as TCP connection state, and seems to obviate the need for explicit transport layer hooks.
The sock_rcv_skb() hook is called when an incoming packet is first associated with a socket. This allows for mediation based upon the security state of the receiving application and the security state propagated from lower layers of the network stack via the sk_buff security field (see section 3.7.2).
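As an added illustration (not kernel code and not part of the LSM patch), the following stand-alone C model shows the three hooks described above in sequence: create() deciding before any socket exists, post_create() labelling the socket's inode, and sock_rcv_skb() comparing the sk_buff security field against that label while coping with a sock that has no socket or inode yet. The label values, the "no raw sockets" rule and the fail-closed choice for an unlabelled sock are constructed for the example, not taken from the paper.

```c
#include <stddef.h>

/* Constructed stand-ins for the kernel structures; labels are small ints. */
#define PF_INET_SIM  2
#define SOCK_RAW_SIM 3

struct task_sec   { int label; int can_raw; };    /* caller's security state   */
struct inode_sec  { int label; };                 /* socket inode security field */
struct sk_buff_sim{ int sec_label; };             /* sk_buff security field (3.7.2) */
struct socket_sim { struct inode_sec *inode; };   /* NULL until inode is attached */
struct sock_sim   { struct socket_sim *socket; }; /* lower-level sock; socket may be NULL */

/* create() hook: the socket does not exist yet, so only family/type/protocol
 * and the caller's security state are available for the decision. */
int hook_socket_create(const struct task_sec *t, int family, int type)
{
    (void)family;
    if (type == SOCK_RAW_SIM && !t->can_raw)
        return -1;                     /* the kernel would return -EACCES */
    return 0;
}

/* post_create() hook: socket now exists; record the creator's label on its inode. */
void hook_socket_post_create(const struct task_sec *t, struct socket_sim *s)
{
    s->inode->label = t->label;
}

/* sock_rcv_skb() hook: a packet is first associated with a sock. The sock may
 * transiently have no socket or inode, so extract the label defensively and
 * fail closed (deny) when there is no security state to compare against. */
int hook_sock_rcv_skb(const struct sock_sim *sk, const struct sk_buff_sim *skb)
{
    const struct inode_sec *isec = NULL;
    if (sk->socket != NULL && sk->socket->inode != NULL)
        isec = sk->socket->inode;
    if (isec == NULL)
        return -1;                     /* constructed policy: deny unlabelled sock */
    return skb->sec_label == isec->label ? 0 : -1;
}
```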
Additional socket hooks are provided for UNIX domain communication within the abstract namespace, as binding and connecting to UNIX domain sockets in the abstract namespace is not mediated by filesystem permissions. The unix_stream_connect() hook allows mediation of stream connections, while datagram-based communications may be mediated on a per-message basis via the unix_may_send() hook.