lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B15D331.7090903@schaufler-ca.com>
Date:	Tue, 01 Dec 2009 18:38:41 -0800
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Paul Nuzzi <pjnuzzi@...ho.ncsc.mil>
CC:	"David P. Quigley" <dpquigl@...ho.nsa.gov>,
	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, jmorris@...ei.org,
	selinux@...ho.nsa.gov,
	"George S. Coker, II" <gscoker@...ha.ncsc.mil>,
	Eamon Walsh <ewalsh@...ho.nsa.gov>,
	Stephen Smalley <sds@...ho.nsa.gov>
Subject: Re: [PATCH] Dynamic port labeling V2

Paul Nuzzi wrote:
> Dave brought up some good questions.

He often does. He's like that.

>  A pseudo file-system based on ports
> seems like a good idea but I think there is going be scaling issues.
>   

I'm curious what those scaling issues might be, given the success
of /proc which deals with many processes.

> SELinux also supports multiple labels for ports.

Is there a fixed set? There's no reason you couldn't do what Smack
does with sockets, which is multiple well known attribute names.
That will work even if there isn't a fixed set, come to think of
it.

>  Port 22 can be labeled
> as ssh_port and if the label is removed, reverts to reserved_port. Do
> you know of a way xattrs can handle this? 
>   

setxattr SELINIX_PORTXATTR_UNLABELED_CONTEXT reserved_port
setxattr SELINIX_PORTXATTR_CONTEXT ssh_port

if you delete the SELINIX_PORTXATTR_CONTEXT attribute it gets
reset to SELINIX_PORTXATTR_UNLABELED_CONTEXT. Simple.

> On Tue, 2009-12-01 at 10:06 -0500, David P. Quigley wrote:
>   
>> I have several questions about this.
>>
>> 1) Where is it located?
>>     

Don't know, don't much care. /sys or /sysfs or /security or /dev.

>> 2) Is your proposal to implement it as a new fs with a name something
>> like portfs?
>>     

Yes. Alternatively it could be an extension to an existing special
purpose filesystem, but I don't have a favorite candidate.

>> 3) How does it get populated initially? Do you have a file for each port
>> right off the bat? Do you only have files for ports with policy or whose
>> permissions differ from the default?
>>     

I like the notion of populating it all at once, but I expect
that there are those who'd holler for doing in on demand.

>> 4) How do I assign a label to the port? You have an issue here that
>> these files are objects themselves. You can't just label the file with
>> what you want the port labeled because now you can't mediate access to
>> these file objects outside of the label on the port itself.
>>     

On some systems you could in fact put the label of the bound process
on the object and be very happy, but I understand that SELinux is
not an example of such a system.

Put as many xattrs on the object as you like and let the LSM decide
which matters to what purpose. setxattr to put labels explicitly on
the port, and the LSM gets to decide what xattr to put on the port
when it is bound or closed. Of course, there will need to be a way
to associate the portfs entry with the port (I don't know, maybe the
port number gets you the inode number as /proc maps pid to inode?)
Yes, that implies LSM specific code in portfs, or maybe portfs
specific code in the LSM. Smack already treats attribute setting
specially on socket fd's, and it's not so terrible.

>> On Mon, 2009-11-30 at 20:52 -0800, Casey Schaufler wrote:
>>     
>>> Paul Nuzzi wrote:
>>>       
>>>> Second version of the dynamic port labeling patch.
>>>>         
>>> So I've looked through both versions of this patch and I can't
>>> help but think that you'd get better mileage out of a file system
>>> interface than this SELinux specific implementation. If you had
>>> something like
>>>
>>>     /port/22
>>>
>>> with default owner root and mode rw-------
>>>
>>>     /port/3306
>>>
>>> with default owner root and mode rw-rw-rw-
>>>
>>> you could address a bunch of the complaints about port ownership that
>>> you hear every day. Further, if the port filesystem supported xattrs
>>> you could tie in SELinux as easily as you are doing it below and get
>>> Smack for an extra $1.98, not to mention saving every other LSM the
>>> grief of defining Yet Another way to define port accesses.
>>>
>>> It bothers me that there is a perfectly reasonable way to provide the
>>> specific behavior you're looking for (SELinux label on a port) that
>>> generalizes so cleanly and that it's not being proposed.
>>>
>>>
>>>       
>>>>   Changed the name of
>>>> the selinuxfs interface to portcon and changed the interface to only
>>>> allow five arguments instead of the variable four or five.   
>>>>
>>>> Added a mechanism to add/delete/update port labels with an interface in 
>>>> the selinuxfs filesystem.  This will give administrators the ability to
>>>> update port labels faster than reloading the entire policy with
>>>> semanage.  The administrator will also need less privilege since they
>>>> don't have to be authorized to reload the full policy.
>>>>
>>>> A listing of all port labels will be output if the file /selinux/portcon
>>>> is read.  Labels could be added or deleted with the following commands 
>>>>
>>>> echo -n "del system_u:object_r:ssh_port_t:s0 6 22 22" > /selinux/portcon
>>>> echo -n "add system_u:object_r:telnetd_port_t:s0 6 22 22" > /selinux/portcon
>>>>
>>>> Labels can be atomically changed with the add command.  
>>>>
>>>>
>>>> Signed-off-by: Paul Nuzzi <pjnuzzi@...ho.ncsc.mil>
>>>>
>>>>         
>
>
>
>   

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ