LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Tilman Baumann <tilman.baumann@collax.com>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Wed, 01 Oct 2008 08:21:30 -0700	[thread overview]
Message-ID: <48E3957A.7040201@schaufler-ca.com> (raw)
In-Reply-To: <48E35F36.4030203@collax.com>

Tilman Baumann wrote:
> Casey Schaufler wrote:
>>> Casey Schaufler wrote:
>> If you really want to be abusive you could replace the smack_access()
>> function in security/smack/smack_access.c (of all places) with a no-op
>> returning 0 in all cases.
>
> I thought of that too. :)
> But i would rather like to use the thing in it's intended function 
> sometime in the future.

Even better.


>>> What I then to is write iptables OUTPUT chain matches which match 
>>> for any of these labels and set some connection marks and firewall 
>>> marks.
>>> Which I then can use in routing rules to give different routing 
>>> rules to specific processes. (Like all proxy traffic over a second 
>>> DSL line)
>>>
>>> I know, it's totally crazy. But it seems to work. :)
>>> I just hope the security part of this all will not break anything. 
>>> But it does not look like it would right now.
>>
>> Smack will eventually bite you if you're not careful, but users of
>> MAC systems wouldn't be surprised by that.
> Speaking of the devil...
> This is exactly what happened to me right now. I have problems with 
> _some_ https connects. The problem lies somewhere in openssl.
> I did not yet find any clue with strace.
> Is there some straight forward way to audit/debug LSM interventions?

strace is probably your best bet, as it will tell you what syscalls
fail. Your current situation is most likely a case where your program
running with a label "Foo" is trying to communicate with a service on
a machine that doesn't talk CIPSO and hence Smack is treating all
packets to and from that host with the ambient (%cat /smack/ambient)
label, which is "_" unless you've changed it.

> I have probably missed something that a labeled process could not do 
> as a '_' process could. Have no idea right now, but it is probably 
> something stupidly simple.
>

A labeled system hoping to get services from an unlabeled server is the 
biggest
single pain in dealing with labeled systems. Per-host labeling is in the 
works,
and it will help in some cases. What I really need is a way to designate an
unlabeled host as safe to talk to at any label, but it will take some 
serious
work to come up with a scheme that makes that palatable for a labeled 
environment.
I know that SELinux allows for it, but the purist in me has serious doubts.

>> I don't think it's crazy,
>> I think it's a matter of using what's available in novel ways.
> I like that attitude. :)

It got me where I am today. Hmm, maybe you should be just a little bit 
careful.


  reply	other threads:[~2008-10-01 15:21 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-25 17:25 Tilman Baumann
2008-09-25 18:26 ` Paul Moore
2008-09-25 19:26   ` Tilman Baumann
2008-09-25 19:57     ` Paul Moore
2008-09-25 20:32       ` Tilman Baumann
2008-09-26 12:35   ` Tilman Baumann
2008-09-26 19:55     ` Paul Moore
2008-09-26  3:43 ` Casey Schaufler
2008-09-26  8:19   ` Tilman Baumann
2008-09-27  5:01     ` Casey Schaufler
2008-09-29 16:21       ` Tilman Baumann
2008-09-30  3:29         ` Casey Schaufler
2008-10-01 11:29           ` Tilman Baumann
2008-10-01 15:21             ` Casey Schaufler [this message]
2008-10-01 16:55               ` Tilman Baumann
2008-10-01 18:22                 ` Casey Schaufler
2008-10-06 12:57                   ` Tilman Baumann
2008-10-06 23:05                     ` Ahmed S. Darwish
2008-10-07  2:42                     ` Casey Schaufler
2008-10-17 16:57                       ` Tilman Baumann
2008-10-17 17:53                         ` Casey Schaufler
2008-10-20 12:06                           ` Tilman Baumann
2008-10-20 15:01                             ` Casey Schaufler
2008-10-22  3:36                             ` Casey Schaufler
2008-10-30 16:06                               ` Tilman Baumann
2008-10-31  3:46                                 ` Casey Schaufler
2008-12-11  0:03                                 ` Casey Schaufler
2008-12-11 10:18                                   ` Tilman Baumann
2008-12-11 16:29                                     ` Casey Schaufler
2008-10-23 11:55                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48E3957A.7040201@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tilman.baumann@collax.com \
    --subject='Re: SMACK netfilter smacklabel socket match' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).