[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <48E19D01.9050809@schaufler-ca.com>
Date: Mon, 29 Sep 2008 20:29:05 -0700
From: Casey Schaufler <casey@...aufler-ca.com>
To: Tilman Baumann <tilman.baumann@...lax.com>
CC: Linux-Kernel <linux-kernel@...r.kernel.org>,
linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Tilman Baumann wrote:
>
>
> Casey Schaufler wrote:
>> Tilman Baumann wrote:
>
>>>> Hmm. It looks as if your code will do what you're asking it to do.
>>>> Are you going to be happy with the access restrictions that will be
>>>> imposed by Smack?
>>>
>>> I helped myself with rules like this.
>>> _ foo rwx
>>> But i wanted to add some security stuff like selinux for years,
>>> and SMACK seems to be just great.
>>> So i will spend some time making security rules after i got this
>>> routing
>>> stuff to work. :)
>>>
>> I confess that I'm still not completely sure what you're up too,
>> but you might want to look at smackpolyport (it's in the smack-util
>> tarball) and might make your life easier if you want to have a
>> single server (running at foo) that deals with connections from
>> processes with multiple labels.
>
> I'm essentially using this as some kind of iptables owner-match on
> steroids.
> Owner match allows to filter on the processes uid, gid, and some other
> process attributes.
> Unfortunately owner match is pretty much useless because of it's
> limited matching capabilities.
>
> I'm really just abusing the way how security contexts of processes are
> transfered to all it's sockets.
> This way I can label a process with a specific label which then gets
> transfered to all of it's sockets.
> With this match I can look at the label via the socket of any packet
> in iptables.
> I'm pretty much ignoring the Security aspect of SMACK right now and
> just use it as some label that I can stick to processes.
>
If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.
> What I then to is write iptables OUTPUT chain matches which match for
> any of these labels and set some connection marks and firewall marks.
> Which I then can use in routing rules to give different routing rules
> to specific processes. (Like all proxy traffic over a second DSL line)
>
> I know, it's totally crazy. But it seems to work. :)
> I just hope the security part of this all will not break anything. But
> it does not look like it would right now.
Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that. I don't think it's crazy,
I think it's a matter of using what's available in novel ways. Don't
hesitate if there's anything I can do to be helpful.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists