lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 11 Dec 2008 08:29:20 -0800
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Tilman Baumann <tilman.baumann@...lax.com>
CC:	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match

Tilman Baumann wrote:
>
> Am 11.12.2008 um 01:03 schrieb Casey Schaufler:
>
>>
>>>
>>> I just tried this out. But one thing makes me wonder if I had 
>>> understood what it should do.
>>> The syntax for /smack/slhost is IP[/MASK] LABEL.
>>> When I give one host (in my case generously 0.0.0.0/0 *g*) a label 
>>> what is the significance of the @ label?
>>> First I used the _ label here which had the effect that everything 
>>> seems  to work but labeled processes still produced labeled packet 
>>> which got slaughtered in different ways and degrees over the internet.
>>> If I gave my slhost the @ label my machine was offline and did not 
>>> even get pings out locally.
>>>
>>> I get the feeling I did not understand the concept yet.
>>> Sorry but if you don't mind giving me a hint...
>>>
>>
>> OK, Paul and I knocked our heads together until we got the behavior and
>> interfaces ironed out if not to our mutual satisfaction at least to a
>> workable level. Paul's next tree:
>>
>>   % git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_next
>
> Nice, I'm eager to try that out.
>
>>
>>
>> has the current version. There are a couple interesting things going on.
>>
>>   - /smack/nltype is gone. It never lived up to its promise and is no
>>     longer required to determine the labeling scheme.
>>   - /smack/netlabel replaces the earlier /smack/slhost because it better
>>     describes what it gets used for.
>>   - The "@" label (pronounced "web") has been added to the list of 
>> special
>>     labels. A packet with the web label will get delivered anywhere. A
>>     network address specified to have the web label can be written to by
>>     any process. Processes can not have the web label.
>>   - An incoming packet from an address in the netlabel list that has 
>> a CIPSO
>>     label attached will still use the label from the CIPSO packet.
>>   - An unlabeled packet coming from an address in the netlabel list 
>> will be
>>     given the label associated with that address.
>>   - A process that wants to send a packet to an address on the list 
>> needs
>>     write access to the label associated with that address. The 
>> packet will
>>     be sent unlabeled if it is allowed.
>>
>>
>
> I guess the question will be, can the /smack/netlabel network also be 
> 0.0.0.0/0?

Yes. If you want all internet domain sockets to be unlabeled and
accessible to all:

    # echo 0.0.0.0/0 '@' > /smack/netlabel

I have tested this some, but not to the extent I've done on what I
expect to be the more normal cases. Please let me know how well the
current behavior fits what you want to accomplish. We aims to please.

> I know, that's not how it was meant to be used, but that's what would
> solve my problems with outgoing labeled packets.
>
> However, I will try this out...
> Thanks

Thank you. I'm eager to hear your next set of questions.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ