Date:	Wed, 19 Dec 2007 17:20:54 -0500
From:	Paul Moore <paul.moore@...com>
To:	netdev@...r.kernel.org
Subject: [RFC PATCH] New LSM hook to catch outbound packets

Currently LSMs need to use a netfilter post routing hook to catch outbound
packets and subject them to access control.  This works reasonably well but
has always been a bit awkward when IPsec or similar mechanisms were used
because the same packet would end up going through the same LSM hook multiple
times.  For obvious reasons this often resulted in unnecessary overhead and
additional headaches when trying to determine the correct LSM security
policy.

This patch attempts to fix this problem by adding a new hook into both the
IPv4 and IPv6 output path.  The motivation behind this new hook is a request
from users to provide packet level ingress/egress access control for all
packets on the system, not just packets that are locally consumed or generated.
I know new networking LSM hooks are frowned upon but there has been a lot of
thought and discussion put into this and we haven't been able to find a better
solution.  I've trimmed the rest of the patchset from this posting as it isn't
really relevant for this discussion (the full patchset has been under
discussion on the SELinux and LSM lists), but those who are curious can find
the patches online here (this will see another update later today):

 * git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Thanks.

-- 
paul moore
linux security @ hp