From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: support for fireflight reading /proc/NNN/fd and /proc/NNN/exe
Date: Mon, 7 Jun 2004 20:59:57 +0000 [thread overview]
Message-ID: <20040607205957.GA3063@lkcl.net> (raw)
In-Reply-To: <20040607082243.GH4543@lkcl.net>
hey, what happened?
sorry about that, i must have hit send rather than cancel.
i picked fireflight because it does on-demand popup firewalling,
which i think is great.
the packet(s) is(are) blocked until approved or rejected, and you
can create a rule immediately from them.
also you can firewall _applications_ so only a certain app is allowed
to do "http" etc.
.. the thing is that, obviously, it requires to know the name
of the applications.
so what it does is look in /proc/NNN/exe and /proc/NNN/fds and
looks up the executable...
and thank you to russell for mentioning the can_ps(...) macro which
allows to read /proc.
.. but it also needs to be able to track the files themselves,
getattr, and stuff.
this is what i'm seeing:
allow fireflier_t ptmx_t:chr_file { getattr };
allow fireflier_t sound_device_t:chr_file { getattr };
allow fireflier_t sysadm_ssh_t:tcp_socket { getattr };
allow fireflier_t sysadm_tty_device_t:chr_file { getattr };
allow fireflier_t user_devpts_t:chr_file { getattr };
allow fireflier_t user_home_t:file { getattr };
allow fireflier_t user_tmp_t:file { getattr };
allow fireflier_t user_t:fifo_file { getattr };
allow fireflier_t user_t:tcp_socket { getattr };
allow fireflier_t user_t:unix_stream_socket { getattr };
allow fireflier_t xdm_t:fifo_file { getattr };
should i be looking to modify the can_ps macro?
i mean, basically, everything in /proc/NNN/fds, fireflier is
going to try to stat it.
this is can_ps.
define(`can_ps',`
allow $1 $2:dir { search getattr read };
allow $1 $2:{ file lnk_file } { read getattr };
allow $1 $2:process getattr;
# We need to suppress this denial because procps tries to access
# /proc/pid/environ and this now triggers a ptrace check in recent
# kernels
# (2.4 and 2.6). Might want to change procps to not do this, or only if
# running in a privileged domain.
dontaudit $1 $2:process ptrace;
')
should i change this:
allow $1 $2:{ file lnk_file } { read getattr };
to this:
allow $1 $2:{ file lnk_file chr_file tcp_socket fifo_file
unix_stream_socket } { read getattr };
and why, if i have can_ps(fireflier_t, domain), am i still seeing
denied getattr on user_home_t?
.. alternatively, has anyone got any better ideas on how fireflier
should be checking for executable program's names?
l.
p.s. if i _don't_ allow it to look up these program names, i can
expect fireflier to thoroughly lock up the machine as it can't
tell me what to do with a packet, so it gets blocked.
On Mon, Jun 07, 2004 at 08:22:43AM +0000, Luke Kenneth Casson Leighton wrote:
> hi,
>
> got an interesting issue that i don't quite know how to tackle.
>
> i picked fireflight because it's exactly the sort of thing that i
> need to put
> --
> --
> expecting email to be received and understood is a bit like
> picking up the telephone and immediately dialing without
> checking for a dial-tone; speaking immediately without listening
> for either an answer or ring-tone; hanging up immediately and
> believing that you have actually started a conversation.
> --
> <a href="http://lkcl.net"> lkcl.net </a> <br />
> <a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
--
--
expecting email to be received and understood is a bit like
picking up the telephone and immediately dialing without
checking for a dial-tone; speaking immediately without listening
for either an answer or ring-tone; hanging up immediately and
believing that you have actually started a conversation.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2004-06-07 21:06 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-06-07 8:22 support for fireflight reading /proc/NNN/fd and /proc/NNN/exe Luke Kenneth Casson Leighton
2004-06-07 20:59 ` Luke Kenneth Casson Leighton [this message]
2004-06-07 23:21 ` Thomas Bleher
2004-06-08 9:17 ` Luke Kenneth Casson Leighton
2004-06-08 17:11 ` Stephen Smalley
2004-06-08 17:26 ` Luke Kenneth Casson Leighton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040607205957.GA3063@lkcl.net \
--to=lkcl@lkcl.net \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.