[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48DDBE2E.3010006@schaufler-ca.com>
Date: Fri, 26 Sep 2008 22:01:34 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: Tilman Baumann <tilman.baumann@...lax.com>
CC: Linux-Kernel <linux-kernel@...r.kernel.org>,
linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Tilman Baumann wrote:
> Am 26.09.2008 um 05:43 schrieb Casey Schaufler:
>
>> Tilman Baumann wrote:
>>> Hi all,
>>>
>>> i made some SMACK related patches. I hope this list is the right
>>> place to post them.
>>
>> Here and, probably more importantly
>> linux-security-module@...r.kernel.org as that's
>> my primary hang out.
>>
>>> The intention behind this patch is that i needed a way to (firewall)
>>> match for packets originating from specific processes.
>>> The existing owner match did not work well enough, especially since
>>> the cmd-owner part is removed.
>>> Then i thought about a way to tag processes and somehow match this
>>> tag in the firewall.
>>> I recalled that SELinux can do this (SECMARK) but SELinux would have
>>> been way to complex for what i want. But the idea was born, i just
>>> needed something more simple.
>>>
>>> SMACK seemed to be the right way. So i made a little primitive
>>> netfilter match to match against the security context of sockets.
>>> SMACK does CIPSO labels, but this was not what i wanted, i wanted to
>>> label the socket not the packet (on the wire).
>>> This of course only works for packets with a local socket, but this
>>> was my intention anyway.
>>>
>>> This way i can label a process and all it's sockets carry the same
>>> label which i then can use to match against in the firewall.
>>>
>>
>> Hmm. It looks as if your code will do what you're asking it to do.
>> Are you going to be happy with the access restrictions that will be
>> imposed by Smack?
>
> I helped myself with rules like this.
> _ foo rwx
> But i wanted to add some security stuff like selinux for years,
> and SMACK seems to be just great.
> So i will spend some time making security rules after i got this routing
> stuff to work. :)
>
I confess that I'm still not completely sure what you're up too,
but you might want to look at smackpolyport (it's in the smack-util
tarball) and might make your life easier if you want to have a
single server (running at foo) that deals with connections from
processes with multiple labels.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists