lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 5 Aug 2011 16:58:01 +0800
From:	<rongqing.li@...driver.com>
To:	<netdev@...r.kernel.org>, <selinux@...ho.nsa.gov>
Subject: [PATCH 0/5] Export the sock's security context to proc

-------
    Any review would be much appreciated.
 
Comments:
--------
    Export the sock's security context to proc.
    
    The element sk_security of struct sock represents the socket
    security context ID, which is inheriting from the process when
    creates this socket on most of the time.
    
    but when SELinux type_transition rule is applied to socket, or
    application sets /proc/xxx/attr/createsock, the socket security
    context would be different from the creating process. on this
    condition, the "netstat -Z" will return wrong value, since
    "netstat -Z" only returns the process security context as socket
    process security.
    
    Export the raw sock's security context to proc, so that "netstat -Z"
    could be fixed by reading procfs.

Test:
--------
1. When Enable SELinux.


1.1 check the socket security context has been exported in procfs

root@...u-host:/root> head -n 3 /proc/net/tcp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode   scontext                                          
   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 5029 1 ffff88001b8ecc00 100 0 0 10 -1 system_u:system_r:initrc_t:s0-s15:c0.c1023                                                                
   1: 00000000:DBE2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 4915 1 ffff88001b8ec600 100 0 0 10 -1 system_u:system_r:rpcd_t:s0-s15:c0.c1023                                                              


root@...u-host:/root> head -n 3 /proc/net/udp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops  scontext                          
   53: 00000000:89F1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 4912 2 ffff88001e3b49c0 0 system_u:system_r:rpcd_t:s0-s15:c0.c1023        
  172: 00000000:0268 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 4851 2 ffff88001e3b4340 0 system_u:system_r:rpcbind_t:s0-s15:c0.c1023           


root@...u-host:/root> head -n 3 /proc/net/unix 
Num       RefCount Protocol Flags    Type St Inode Path      scontext
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01   976 @/org/kernel/udev/udevd               system_u:system_r:udev_t:s0-s15:c0.c1023
ffff88001bbe6600: 0000000A 00000000 00000000 0002 01  4740 /dev/log                              system_u:system_r:syslogd_s_t:s15:c0.c1023
root@...u-host:/root> 


root@...u-host:/root> head -n 3 /proc/net/raw  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops   scontext
root@...u-host:/root> 

1.2 check these patches do not affect the netstat, it can still work
root@...u-host:/root> netstat -a
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address               Foreign Address State      
tcp        0      0 *:1534                      *:* LISTEN      
tcp        0      0 *:56290                     *:* LISTEN      
tcp        0      0 localhost:submission        *:* LISTEN      
tcp        0      0 *:sunrpc                    *:* LISTEN
...

1.3 When syslog creates socket, and type transition has been applied on them, the security context of
socket would be syslogd_s_t, not same as its own process security context
syslogd_t, the "netstat -Z" returns wrong value, but the security context in procfs is correct

root@...u-host:/etc> cat /proc/net/unix |grep syslog
ffff88001f856000: 00000002 00000000 00010000 0001 01  6385 /var/lib/syslog-ng/syslog-ng.ctl      system_u:system_r:syslogd_t:s15:c0.c1023
ffff88001f856300: 00000002 00000000 00000000 0002 01  6383 /dev/log                              system_u:system_r:syslogd_s_t:s15:c0.c1023
root@...u-host:/etc> 

root@...u-host:/etc> netstat -aZ|grep 6383
unix  2      [ ]         DGRAM                    6383   793/syslog-ng
system_u:system_r:syslogd_t:s15:c0.c1023          /dev/log
root@...u-host:/etc> 



2. When SElinux is disabled

2.1 check the /proc/net/udp information are same as no these patches

root@...u-host:/root> head -n 3 /proc/net/raw  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops 

root@...u-host:/root> head -n 3 /proc/net/unix 
Num       RefCount Protocol Flags    Type St Inode Path    
ffff88001d226000: 0000000A 00000000 00000000 0002 01  2661 /dev/log                              
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01   897 @/org/kernel/udev/udevd               

root@...u-host:/root> head -n 3 /proc/net/tcp  
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode                                                     
   0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 2950 1 ffff88001d294c00 100 0 0 10 -1                     
   1: 0100007F:024B 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0        0 3217 1 ffff88001d295e00 100 0 0 10 -1                     

root@...u-host:/root> head -n 3 /proc/net/udp 
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid  timeout inode ref pointer drops                                    
   57: 00000000:03F5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 2772 2 ffff88001d2ac340 0                                 
  122: 00000000:D936 00000000:0000 07 00000000:00000000 00:00000000 00000000 0        0 2831 2 ffff88001d2acd00 0                                 
root@...u-host:/root>


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists