| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 06 Oct 2008 19:42:25 -0700 From: Casey Schaufler <casey@...aufler-ca.com> To: Tilman Baumann <tilman.baumann@...lax.com> CC: Linux-Kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org Subject: Re: SMACK netfilter smacklabel socket match Tilman Baumann wrote: > Casey Schaufler wrote: >> Tilman Baumann wrote: >>> Casey Schaufler wrote: >>> If I set /smack/nltype to 'unlabeled' I have effectively shut off >>> the network. >>> I guess I'm missing some essential point here. >>> Sorry to bother you with such trivialities. >> >> Not to worry. The essential point is that with MAC you can't just lock >> the doors, you have to lock the windows as well. What I mean by that is >> that traditional access controls apply to files, but not network >> communications. Network communications became popular in part because >> they were allowed to leave any restrictions up to the applications >> and their protocols. MAC requirements are pickier than that. The good >> news is that with a scheme like CIPSO you can easily enforce the >> policy. The bad news is that network services in general assume that >> there is no policy being enforced on them. > > This might work well in trusted networks. > But Internet is untrusted and needs to work too. At least in the most > real world scenarios. :) Yes. I'm pretty close to convinced that it needs to be included as part of the single-label host solution. Not that it can possibly be excused in any real secure environment mind you. >>> If i set /smack/nltype to 'unlabled' i don't even get SYN packets >>> out. (operation not permitted) >> >> That's probably a bug, but I think the "fix" is to disable the >> ability to >> set the nltype to anything other than CIPSO at least for the time being. > > Well, there is a case statement in smack_lsm.c that checks for the > nltype (smack_net_nltype) and omits net labeling if cipso is not set. > This seems to be a very sensible thing to do. I strongly advice for a > way to omit netlabel based access control. Yes, I hear you. > As soon as you leave controlled and trusted networks, netlabels seem > in my eyes like a maybe even critical information leak. > > btw. I tried return 0; in smk_access(), but it did not make networking > work again with nltype set to unlabled. So I guess the problem is not > some access check. > > If you have any idea how i can avoid any cipso labels on the network > but use smack for local access control? > I don't try to secure information channels. Our system is a general > purpose server, it would defeat the purpose of our system to lock it > up since our clients are never going to use cipso. > > I'm pretty sure the cipso labels are the problem. Since I can easily > access resources in the local network. But things break when I access > over Internet. > And I can not even expect this to work in any network where the system > will be deployed. > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists