Date:	Tue, 21 Oct 2008 20:36:43 -0700
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Tilman Baumann <tilman.baumann@...lax.com>
CC:	Linux-Kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match

Tilman Baumann wrote:
>> If you're up to trying out something that you know is going to get
>> rewhacked before it goes in anywhere let me know.
>
> Sure. I will be happy to use that.
> Just tell me where to find it and how to use it and what I should look 
> out for.
>

You'll need to start out with Paul Moore's testing tree:

% git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Apply the attached patch (attachments are discouraged for review purposes,
but this is handier for this purpose) and compile.

This is NOT production code. Again, we're hashing out the netlabel api and
we know that they are going to change. This is demo only. The amount of
testing it's gotten is really small.

I have created a new system label "@", pronounced "at" and referred to as
the internet label. Processes cannot be assigned the internet label. A
subject with the internet label (as identified by a packet thus labeled)
can write to any object and any subject can write to an object thus labeled,
thereby explicitly blowing a hole in the Access Control Policy.

Have fun, let me know what you hit next.

Thank you.




View attachment "lblnet081021.patch" of type "text/plain" (30520 bytes)
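
The label semantics described in the message above, as an added example: this is a simplified user-space model written for this page, not code from the attached patch or from the Smack sources. It assumes only the same-label check and an explicit rule list (other system labels are omitted); the function names, the access constants and the "Web", "Public" and "Secret" labels are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAY_READ  4
#define MAY_WRITE 2
#define INTERNET_LABEL "@"   /* the new system label from the message */

/* Constructed sample rule set: subject label, object label, allowed access. */
struct rule { const char *subj, *obj; int access; };
static const struct rule rules[] = {
    { "Web", "Public", MAY_READ | MAY_WRITE },
    { "Web", "Secret", MAY_READ },
};

/* Processes cannot be assigned the internet label. */
int may_label_process(const char *label)
{
    return strcmp(label, INTERNET_LABEL) != 0;
}

/* Simplified model of the access decision; returns 1 to permit, 0 to deny. */
int model_access(const char *subj, const char *obj, int request)
{
    size_t i;

    /* Internet label: a write is permitted in either direction, before
     * any rule is consulted. This is the hole in the policy. */
    if (request == MAY_WRITE &&
        (!strcmp(subj, INTERNET_LABEL) || !strcmp(obj, INTERNET_LABEL)))
        return 1;
    if (!strcmp(subj, obj))          /* same label: always permitted */
        return 1;
    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (!strcmp(rules[i].subj, subj) && !strcmp(rules[i].obj, obj))
            return (rules[i].access & request) == request;
    return 0;                        /* no rule: denied */
}

int main(void)
{
    /* A packet labeled "@" reaches a "Secret" socket with no rule loaded. */
    printf("@ -> Secret write: %d\n", model_access("@", "Secret", MAY_WRITE));
    /* "Web" has only read on "Secret", so its write is still denied. */
    printf("Web -> Secret write: %d\n", model_access("Web", "Secret", MAY_WRITE));
    /* Any subject may write to an object labeled "@". */
    printf("Secret -> @ write: %d\n", model_access("Secret", "@", MAY_WRITE));
    printf("@ on a process: %d\n", may_label_process("@"));
    return 0;
}
```

When reviewing a policy under this model, any socket reachable by "@"-labeled traffic has to be treated as writable from outside the rule set, whatever rules are loaded for its own label.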
