| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1312534686-4099-1-git-send-email-rongqing.li@windriver.com>
Date: Fri, 5 Aug 2011 16:58:01 +0800
From: <rongqing.li@...driver.com>
To: <netdev@...r.kernel.org>, <selinux@...ho.nsa.gov>
Subject: [PATCH 0/5] Export the sock's security context to proc
-------
Any review would be much appreciated.
Comments:
--------
Export the sock's security context to proc.
The element sk_security of struct sock represents the socket
security context ID, which is inheriting from the process when
creates this socket on most of the time.
but when SELinux type_transition rule is applied to socket, or
application sets /proc/xxx/attr/createsock, the socket security
context would be different from the creating process. on this
condition, the "netstat -Z" will return wrong value, since
"netstat -Z" only returns the process security context as socket
process security.
Export the raw sock's security context to proc, so that "netstat -Z"
could be fixed by reading procfs.
Test:
--------
1. When Enable SELinux.
1.1 check the socket security context has been exported in procfs
root@...u-host:/root> head -n 3 /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode scontext
0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 5029 1 ffff88001b8ecc00 100 0 0 10 -1 system_u:system_r:initrc_t:s0-s15:c0.c1023
1: 00000000:DBE2 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 4915 1 ffff88001b8ec600 100 0 0 10 -1 system_u:system_r:rpcd_t:s0-s15:c0.c1023
root@...u-host:/root> head -n 3 /proc/net/udp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops scontext
53: 00000000:89F1 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4912 2 ffff88001e3b49c0 0 system_u:system_r:rpcd_t:s0-s15:c0.c1023
172: 00000000:0268 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 4851 2 ffff88001e3b4340 0 system_u:system_r:rpcbind_t:s0-s15:c0.c1023
root@...u-host:/root> head -n 3 /proc/net/unix
Num RefCount Protocol Flags Type St Inode Path scontext
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01 976 @/org/kernel/udev/udevd system_u:system_r:udev_t:s0-s15:c0.c1023
ffff88001bbe6600: 0000000A 00000000 00000000 0002 01 4740 /dev/log system_u:system_r:syslogd_s_t:s15:c0.c1023
root@...u-host:/root>
root@...u-host:/root> head -n 3 /proc/net/raw
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops scontext
root@...u-host:/root>
1.2 check these patches do not affect the netstat, it can still work
root@...u-host:/root> netstat -a
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1534 *:* LISTEN
tcp 0 0 *:56290 *:* LISTEN
tcp 0 0 localhost:submission *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
...
1.3 When syslog creates socket, and type transition has been applied on them, the security context of
socket would be syslogd_s_t, not same as its own process security context
syslogd_t, the "netstat -Z" returns wrong value, but the security context in procfs is correct
root@...u-host:/etc> cat /proc/net/unix |grep syslog
ffff88001f856000: 00000002 00000000 00010000 0001 01 6385 /var/lib/syslog-ng/syslog-ng.ctl system_u:system_r:syslogd_t:s15:c0.c1023
ffff88001f856300: 00000002 00000000 00000000 0002 01 6383 /dev/log system_u:system_r:syslogd_s_t:s15:c0.c1023
root@...u-host:/etc>
root@...u-host:/etc> netstat -aZ|grep 6383
unix 2 [ ] DGRAM 6383 793/syslog-ng
system_u:system_r:syslogd_t:s15:c0.c1023 /dev/log
root@...u-host:/etc>
2. When SElinux is disabled
2.1 check the /proc/net/udp information are same as no these patches
root@...u-host:/root> head -n 3 /proc/net/raw
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
root@...u-host:/root> head -n 3 /proc/net/unix
Num RefCount Protocol Flags Type St Inode Path
ffff88001d226000: 0000000A 00000000 00000000 0002 01 2661 /dev/log
ffff88001ea1cc00: 00000002 00000000 00000000 0002 01 897 @/org/kernel/udev/udevd
root@...u-host:/root> head -n 3 /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 00000000:05FE 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 2950 1 ffff88001d294c00 100 0 0 10 -1
1: 0100007F:024B 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 3217 1 ffff88001d295e00 100 0 0 10 -1
root@...u-host:/root> head -n 3 /proc/net/udp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode ref pointer drops
57: 00000000:03F5 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2772 2 ffff88001d2ac340 0
122: 00000000:D936 00000000:0000 07 00000000:00000000 00:00000000 00000000 0 0 2831 2 ffff88001d2acd00 0
root@...u-host:/root>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists