Re: sshd transition points - Luke Kenneth Casson Leighton

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Stephen Smalley <sds@epoch.ncsc.mil>,
	SE-Linux <selinux@tycho.nsa.gov>,
	g@lkcl.net
Subject: Re: sshd transition points
Date: Wed, 16 Feb 2005 00:04:37 +0000	[thread overview]
Message-ID: <20050216000437.GD30341@lkcl.net> (raw)
In-Reply-To: <20050215231707.GC29523@lkcl.net>

On Tue, Feb 15, 2005 at 11:17:07PM +0000, Luke Kenneth Casson Leighton wrote:
> okay.
> 
> i should explain what this patch actually does, shouldn't i? :)
> 
> on a setcon, if you are in context A, and you are endeavouring to
> setcon to context B, then you "automatically" get thrown instead
> into context C.

example:

	to track the privilege-separated process that handles
	a user's networking communications for you, and thereby
	to be able to "ban" a specific user from being able to
	ssh into your server except from a specific ip address.

in domain/program/ssh.te:

	# to cover the setcon
	dynamic_auto_trans(sshd_privsep_t, restricteduser_t,
	                   sshd_privsep_restricteduser_t)

	# to cover the execve of the execution of the sftp-server
	domain_auto_trans(sshd_privsep_user_t, sshd_sftp_exec_t,
	                  sftp_restricteduser_t)

then i can create a network context:

	nodecon 192.168.0.220 255.255.255.255 system_u:object_r:restricted_ip_t
	        ^^^^^^^^^^^^^

then, instead of using can_network(), i would do this:

	allow sshd_privset_restricteduser_t netif_type:netif      { tcp_send };
	allow sshd_privset_restricteduser_t restricted_ip_t:netif { tcp_recv };
	                                    ^^^^^^^^^^^^^^^

and, in openssh, to finish it off (somewhere around the privsep
child auth function), i do this:

	/* we are in sshd_privsep_t context when this is done,
	 * but how we got there is TBD... */

	get_default_context(.... &scontext);
	setcon(scontext); /* this triggers the dynamic_auto_trans */

if it wasn't for openssh deploying privilege separation [an intermediate
highly restricted process handling networking] then all this lovely
stuff would be completely unnecessary.


... isn't this a _lot_ simpler than pissing about creating hard-coded
security contexts, or fiddling around adding kludges into libselinux
to be able to create security contexts or read some pseudo-default?

l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2005-02-15 23:55 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-02-15 15:53 sshd transition points Luke Kenneth Casson Leighton
2005-02-15 16:22 ` Adding libseuser functionality to libselinux? Daniel J Walsh
2005-02-15 16:20   ` Stephen Smalley
2005-02-15 16:49     ` Daniel J Walsh
2005-02-15 18:14 ` sshd transition points Stephen Smalley
2005-02-15 19:16   ` Luke Kenneth Casson Leighton
2005-02-15 19:22     ` Stephen Smalley
2005-02-15 20:03       ` Luke Kenneth Casson Leighton
2005-02-15 20:57         ` Luke Kenneth Casson Leighton
2005-02-16 13:02           ` Stephen Smalley
2005-02-16 13:51             ` Luke Kenneth Casson Leighton
2005-02-16 13:41               ` Stephen Smalley
2005-02-16 14:30                 ` Luke Kenneth Casson Leighton
2005-02-15 22:53         ` Luke Kenneth Casson Leighton
2005-02-15 23:17           ` Luke Kenneth Casson Leighton
2005-02-15 23:51             ` [patch] dynamic auto trans Luke Kenneth Casson Leighton
2005-02-16  0:04             ` Luke Kenneth Casson Leighton [this message]
2005-02-16 13:10               ` sshd transition points Stephen Smalley
2005-02-16 13:44                 ` Luke Kenneth Casson Leighton
2005-02-16 13:39                   ` Stephen Smalley
2005-02-16 15:11                     ` Luke Kenneth Casson Leighton
2005-02-16 15:26                   ` Luke Kenneth Casson Leighton
2005-02-16 17:50                     ` Luke Kenneth Casson Leighton
2005-02-16 17:59                       ` Peter K. Lee
2005-02-17 21:44                         ` Luke Kenneth Casson Leighton
2005-02-17 22:31                         ` Luke Kenneth Casson Leighton
2005-02-16 17:53                     ` Stephen Smalley
2005-02-16 18:31                       ` Luke Kenneth Casson Leighton
2005-02-16 13:08           ` Stephen Smalley
2005-02-16 13:45             ` Luke Kenneth Casson Leighton
2005-02-16 13:00         ` Stephen Smalley
2005-02-16 13:58           ` Luke Kenneth Casson Leighton

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20050216000437.GD30341@lkcl.net \
    --to=lkcl@lkcl.net \
    --cc=g@lkcl.net \
    --cc=sds@epoch.ncsc.mil \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.