lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Nov 2007 11:14:50 +0900 From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp> To: jmorris@...ei.org Cc: herbert@...dor.apana.org.au, netdev@...r.kernel.org, davem@...emloft.net, linux-security-module@...r.kernel.org, kaber@...sh.net, netfilter-devel@...ts.netfilter.org, sds@...ho.nsa.gov Subject: Re: [PATCH net-2.6.25] Add packet filtering based on process'ssecurity context. Hello. James Morris wrote: > From memory, one approach under discussion was to add netfilter hooks to > the transport layer, which could be invoked correctly by each type of > protocol when the target process is selected. > > If this is done for netfilter, then an LSM hook is probably not needed at > all, as security modules can utilize netfilter hooks directly. Patrick McHardy says (at http://marc.info/?l=linux-netdev&m=118495005800410&w=2 ) "Even with socket filters netfilter doesn't know the final receipient process, that is not known until it calls recvmsg and the data is read, which is too late for netfilter." > > Precautions: This approach has a side effect which unlikely occurs. > > > > If a socket is shared by multiple processes with different policy, > > the process who should be able to accept this connection > > will not be able to accept this connection > > because socket_post_accept() aborts this connection. > > But if socket_post_accept() doesn't abort this connection, > > the process who must not be able to accept this connection > > will repeat accept() forever, which is a worse side effect. I think this change is needed regardless of whether to use connection filtering or not. Currently, SELinux doesn't use socket_post_accept(). | * @socket_post_accept: | * This hook allows a security module to copy security | * information into the newly created socket's inode. But if one wants to *copy* security information to accept()ed socket, the location after fd_install() is too late to copy because the userland process can access accept()ed socket's fd whose security information is not copied yet. Also, if one wants to *assign* security information to accept()ed socket, it might attend memory allocation which can fail. So, use of void for socket_post_accept() deprives a security module of a chance to abort this connection if the security module failed to *assign* security information. Regards. - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists