LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Tilman Baumann <tilman.baumann@collax.com>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Fri, 26 Sep 2008 22:01:34 -0700	[thread overview]
Message-ID: <48DDBE2E.3010006@schaufler-ca.com> (raw)
In-Reply-To: <E33DFA86-F040-413F-8156-EDCB879F4CEE@collax.com>

Tilman Baumann wrote:
> Am 26.09.2008 um 05:43 schrieb Casey Schaufler:
>
>> Tilman Baumann wrote:
>>> Hi all,
>>>
>>> i made some SMACK related patches. I hope this list is the right 
>>> place to post them.
>>
>> Here and, probably more importantly 
>> linux-security-module@vger.kernel.org as that's
>> my primary hang out.
>>
>>> The intention behind this patch is that i needed a way to (firewall) 
>>> match for packets originating from specific processes.
>>> The existing owner match did not work well enough, especially since 
>>> the cmd-owner part is removed.
>>> Then i thought about a way to tag processes and somehow match this 
>>> tag in the firewall.
>>> I recalled that SELinux can do this (SECMARK) but SELinux would have 
>>> been way to complex for what i want. But the idea was born, i just 
>>> needed something more simple.
>>>
>>> SMACK seemed to be the right way. So i made a little primitive 
>>> netfilter match to match against the security context of sockets.
>>> SMACK does CIPSO labels, but this was not what i wanted, i wanted to 
>>> label the socket not the packet (on the wire).
>>> This of course only works for packets with a local socket, but this 
>>> was my intention anyway.
>>>
>>> This way i can label a process and all it's sockets carry the same 
>>> label which i then can use to match against in the firewall.
>>>
>>
>> Hmm. It looks as if your code will do what you're asking it to do.
>> Are you going to be happy with the access restrictions that will be
>> imposed by Smack?
>
> I helped myself with rules like this.
> _ foo rwx
> But i wanted to add some security stuff like selinux for years,
> and SMACK seems to be just great.
> So i will spend some time making security rules after i got this routing
> stuff to work. :)
>
I confess that I'm still not completely sure what you're up too,
but you might want to look at smackpolyport (it's in the smack-util
tarball) and might make your life easier if you want to have a
single server (running at foo) that deals with connections from
processes with multiple labels.



  reply	other threads:[~2008-09-27  5:01 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-25 17:25 Tilman Baumann
2008-09-25 18:26 ` Paul Moore
2008-09-25 19:26   ` Tilman Baumann
2008-09-25 19:57     ` Paul Moore
2008-09-25 20:32       ` Tilman Baumann
2008-09-26 12:35   ` Tilman Baumann
2008-09-26 19:55     ` Paul Moore
2008-09-26  3:43 ` Casey Schaufler
2008-09-26  8:19   ` Tilman Baumann
2008-09-27  5:01     ` Casey Schaufler [this message]
2008-09-29 16:21       ` Tilman Baumann
2008-09-30  3:29         ` Casey Schaufler
2008-10-01 11:29           ` Tilman Baumann
2008-10-01 15:21             ` Casey Schaufler
2008-10-01 16:55               ` Tilman Baumann
2008-10-01 18:22                 ` Casey Schaufler
2008-10-06 12:57                   ` Tilman Baumann
2008-10-06 23:05                     ` Ahmed S. Darwish
2008-10-07  2:42                     ` Casey Schaufler
2008-10-17 16:57                       ` Tilman Baumann
2008-10-17 17:53                         ` Casey Schaufler
2008-10-20 12:06                           ` Tilman Baumann
2008-10-20 15:01                             ` Casey Schaufler
2008-10-22  3:36                             ` Casey Schaufler
2008-10-30 16:06                               ` Tilman Baumann
2008-10-31  3:46                                 ` Casey Schaufler
2008-12-11  0:03                                 ` Casey Schaufler
2008-12-11 10:18                                   ` Tilman Baumann
2008-12-11 16:29                                     ` Casey Schaufler
2008-10-23 11:55                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48DDBE2E.3010006@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tilman.baumann@collax.com \
    --subject='Re: SMACK netfilter smacklabel socket match' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).