lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48DDBE2E.3010006@schaufler-ca.com>
Date:	Fri, 26 Sep 2008 22:01:34 -0700
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Tilman Baumann <tilman.baumann@...lax.com>
CC:	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match

Tilman Baumann wrote:
> Am 26.09.2008 um 05:43 schrieb Casey Schaufler:
>
>> Tilman Baumann wrote:
>>> Hi all,
>>>
>>> i made some SMACK related patches. I hope this list is the right 
>>> place to post them.
>>
>> Here and, probably more importantly 
>> linux-security-module@...r.kernel.org as that's
>> my primary hang out.
>>
>>> The intention behind this patch is that i needed a way to (firewall) 
>>> match for packets originating from specific processes.
>>> The existing owner match did not work well enough, especially since 
>>> the cmd-owner part is removed.
>>> Then i thought about a way to tag processes and somehow match this 
>>> tag in the firewall.
>>> I recalled that SELinux can do this (SECMARK) but SELinux would have 
>>> been way to complex for what i want. But the idea was born, i just 
>>> needed something more simple.
>>>
>>> SMACK seemed to be the right way. So i made a little primitive 
>>> netfilter match to match against the security context of sockets.
>>> SMACK does CIPSO labels, but this was not what i wanted, i wanted to 
>>> label the socket not the packet (on the wire).
>>> This of course only works for packets with a local socket, but this 
>>> was my intention anyway.
>>>
>>> This way i can label a process and all it's sockets carry the same 
>>> label which i then can use to match against in the firewall.
>>>
>>
>> Hmm. It looks as if your code will do what you're asking it to do.
>> Are you going to be happy with the access restrictions that will be
>> imposed by Smack?
>
> I helped myself with rules like this.
> _ foo rwx
> But i wanted to add some security stuff like selinux for years,
> and SMACK seems to be just great.
> So i will spend some time making security rules after i got this routing
> stuff to work. :)
>
I confess that I'm still not completely sure what you're up too,
but you might want to look at smackpolyport (it's in the smack-util
tarball) and might make your life easier if you want to have a
single server (running at foo) that deals with connections from
processes with multiple labels.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ