lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <48E35F36.4030203@collax.com>
Date:	Wed, 01 Oct 2008 13:29:58 +0200
From:	Tilman Baumann <tilman.baumann@...lax.com>
To:	Casey Schaufler <casey@...aufler-ca.com>
CC:	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match

Casey Schaufler wrote:
>> Casey Schaufler wrote:
> If you really want to be abusive you could replace the smack_access()
> function in security/smack/smack_access.c (of all places) with a no-op
> returning 0 in all cases.

I thought of that too. :)
But i would rather like to use the thing in it's intended function 
sometime in the future.

>> What I then to is write iptables OUTPUT chain matches which match for 
>> any of these labels and set some connection marks and firewall marks.
>> Which I then can use in routing rules to give different routing rules 
>> to specific processes. (Like all proxy traffic over a second DSL line)
>>
>> I know, it's totally crazy. But it seems to work. :)
>> I just hope the security part of this all will not break anything. But 
>> it does not look like it would right now.
> 
> Smack will eventually bite you if you're not careful, but users of
> MAC systems wouldn't be surprised by that.
Speaking of the devil...
This is exactly what happened to me right now. I have problems with 
_some_ https connects. The problem lies somewhere in openssl.
I did not yet find any clue with strace.
Is there some straight forward way to audit/debug LSM interventions?

I have probably missed something that a labeled process could not do as 
a '_' process could. Have no idea right now, but it is probably 
something stupidly simple.

> I don't think it's crazy,
> I think it's a matter of using what's available in novel ways.
I like that attitude. :)

-- 
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11

Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ