lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 21 Jan 2009 09:35:58 +0100 (CET)
From:	Jan Engelhardt <jengelh@...ozas.de>
To:	Peter Dolding <oiaohm@...il.com>
cc:	rmeijer@...all.nl, Casey Schaufler <casey@...aufler-ca.com>,
	Samir Bellabes <sam@...ack.fr>, imipak@...oo.com,
	linux-security-module <linux-security-module@...r.kernel.org>,
	Stephan Peijnik <stephan@...jnik.at>, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org
Subject: Re: RFC: Mandatory Access Control for sockets aka "personal 
 firewalls"


On Wednesday 2009-01-21 09:15, Peter Dolding wrote:
>
>I really don't see the need for special here other than improving iptables.
>
>LSM module is over kill.  This leads to double processing of packet requests.
>
>netfilter already can operate as either MAC or DAC all depending on
>the rules passed into it and the outside LSM applied.

But it cannot be used for personal firewalls at this time.
Incoming packets have no process context because they are
processed before that is determined, and similarly,
outgoing packets have already left most of the process
context behind them. Additionally, Netfilter cannot reject
bind() calls *at all*. That is the reason this is done
as an LSM in the first place.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ