lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <E33DFA86-F040-413F-8156-EDCB879F4CEE@collax.com>
Date:	Fri, 26 Sep 2008 10:19:40 +0200
From:	Tilman Baumann <tilman.baumann@...lax.com>
To:	Casey Schaufler <casey@...aufler-ca.com>
Cc:	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match

Am 26.09.2008 um 05:43 schrieb Casey Schaufler:

> Tilman Baumann wrote:
>> Hi all,
>>
>> i made some SMACK related patches. I hope this list is the right  
>> place to post them.
>
> Here and, probably more importantly linux-security-module@...r.kernel.org 
>  as that's
> my primary hang out.
>
>> The intention behind this patch is that i needed a way to  
>> (firewall) match for packets originating from specific processes.
>> The existing owner match did not work well enough, especially since  
>> the cmd-owner part is removed.
>> Then i thought about a way to tag processes and somehow match this  
>> tag in the firewall.
>> I recalled that SELinux can do this (SECMARK) but SELinux would  
>> have been way to complex for what i want. But the idea was born, i  
>> just needed something more simple.
>>
>> SMACK seemed to be the right way. So i made a little primitive  
>> netfilter match to match against the security context of sockets.
>> SMACK does CIPSO labels, but this was not what i wanted, i wanted  
>> to label the socket not the packet (on the wire).
>> This of course only works for packets with a local socket, but this  
>> was my intention anyway.
>>
>> This way i can label a process and all it's sockets carry the same  
>> label which i then can use to match against in the firewall.
>>
>
> Hmm. It looks as if your code will do what you're asking it to do.
> Are you going to be happy with the access restrictions that will be
> imposed by Smack?

I helped myself with rules like this.
_ foo rwx
But i wanted to add some security stuff like selinux for years,
and SMACK seems to be just great.
So i will spend some time making security rules after i got this routing
stuff to work. :)

Regards
  Tilman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ