* Fwd: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook
@ 2008-01-04 14:44 Paul Moore
  2008-01-04 17:52 ` Paul Moore
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2008-01-04 14:44 UTC (permalink / raw)
  To: selinux; +Cc: jmorris, sds, vyekkirala

I forgot to CC you guys on my response to David Miller; the email is 
below.  In short, this means the flow control work, as currently 
implemented, is not acceptable upstream.  Further, it's clear to me 
that if we want to get acceptance from the networking community we need 
to stick to the netfilter hooks (which we are for everything but the 
outbound/egress check).

I just started thinking about this so I don't have any great ideas yet, 
but if anyone out there does feel free to share.  Patches are always 
nice too :)

----------  Forwarded Message  ----------

Subject: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook
Date: Friday 04 January 2008
From: Paul Moore <paul.moore@hp.com>
To: David Miller <davem@davemloft.net>

On Thursday 03 January 2008 11:45:49 pm David Miller wrote:
> From: Paul Moore <paul.moore@hp.com>
> Date: Thu, 03 Jan 2008 12:25:39 -0500
>
> > Add an inet_sys_snd_skb() LSM hook to allow the LSM to provide
> > packet level access control for all outbound packets.  Using the
> > existing postroute_last netfilter hook turns out to be problematic
> > as it can be invoked multiple times for a single packet, e.g.
> > individual IPsec transforms, adding unwanted overhead and
> > complicating the security policy.
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
>
> I disagree with this change.
>
> The packet is different each time you see it in the postrouting hook,
> and also the new hook is thus redundant.

Well, thanks for taking a look.

> If it's a performance issue and you can classify the security early,
> mark the SKB as "seen" and then on subsequent hooks you can just
> return immediately if that flag is set.

Unfortunately, it's not quite that easy at present.  The only field we 
have in the skb where we could possibly set a flag is the secmark field 
which is already taken.  Granted, there is the possibility of 
segmenting the secmark field to some degree but that brings about a new 
set of problems involving the number of unique labels, backwards 
compatibility, etc.

Regardless, back to the drawing board.  I'll have to think a bit harder 
about a way to make the netfilter hooks work ...

-------------------------------------------------------

-- 
paul moore
linux security @ hp

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Fwd: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook
  2008-01-04 14:44 Fwd: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook Paul Moore
@ 2008-01-04 17:52 ` Paul Moore
  2008-01-06 22:18   ` James Morris
  0 siblings, 1 reply; 3+ messages in thread
From: Paul Moore @ 2008-01-04 17:52 UTC (permalink / raw)
  To: selinux; +Cc: jmorris, sds, vyekkirala

On Friday 04 January 2008 9:44:01 am Paul Moore wrote:
> I forgot to CC you guys on my response to David Miller; the email is
> below.  In short, this means the flow control work, as currently
> implemented, is not acceptable upstream.  Further, it's clear to me
> that if we want to get acceptance from the networking community we
> need to stick to the netfilter hooks (which we are for everything but
> the outbound/egress check).
>
> I just started thinking about this so I don't have any great ideas
> yet, but if anyone out there does feel free to share.  Patches are
> always nice too :)

I think I might have a solution to the problem and it isn't _too_ ugly.

Basically, the only time we really have to worry about multiple hits 
on the postroute hook is when IPsec is in use, all other times this 
shouldn't really be an issue.  Our problem has always been that in the 
case of IPsec we only want to perform an access check on the packet the 
_last_ time it hits the postroute hook, which has so far proven to be 
difficult.

I believe that if we simplify the problem to just IPsec causing multiple 
hits on the postroute hook we have a simple solution.  The fix is to 
only apply the new egress access checks when skb->dst->xfrm == NULL.  
All IPsec packets eventually have to make their way out of the system 
and on their final pass through the stack the skb->dst->xfrm entry is 
NULL because they have already had all their IPsec packet transforms 
applied and are now considered "normal" IP packets.  It is at this 
point that we want to apply the egress checks, and from a practical 
point of view this is not far removed from where we had placed the new 
LSM egress hook in the first place.

I'm going to start hacking something together and hopefully will have an 
updated patchset early next week.  In the meantime, if anyone can think 
of a reason why this approach is doomed to failure please speak up ...

-- 
paul moore
linux security @ hp


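A user-space model of the approach proposed above, added here as an illustration and not code from the thread or the kernel: the POST_ROUTING hook is driven once per pending IPsec transform and once more for the fully transformed packet, and gating the egress check on skb->dst->xfrm == NULL makes it run exactly once per packet. The struct layouts, the hook functions and send_packet() are constructed stand-ins, not kernel definitions.

```c
/* Constructed user-space model (not kernel code) of the egress check
 * proposed in the thread: run the LSM access check only when the route
 * carries no pending IPsec transform, i.e. skb->dst->xfrm == NULL on
 * the packet's final pass through the POST_ROUTING hook. */
#include <stddef.h>

struct xfrm_state { int proto; };                 /* stand-in for a pending transform */
struct dst_entry  { struct xfrm_state *xfrm; };   /* NULL once all transforms are applied */
struct sk_buff    { struct dst_entry *dst; unsigned int secmark; };

/* Model of the per-hook access check; counts how often it ran. */
static int egress_access_check(struct sk_buff *skb, int *checks)
{
    (void)skb;
    (*checks)++;
    return 1; /* NF_ACCEPT in this model */
}

/* Naive hook: checks on every pass, so an IPsec packet is checked once per transform. */
static int postroute_hook_naive(struct sk_buff *skb, int *checks)
{
    return egress_access_check(skb, checks);
}

/* Proposed hook: skip the check while an IPsec transform is still pending. */
static int postroute_hook_xfrm_gated(struct sk_buff *skb, int *checks)
{
    if (skb->dst->xfrm != NULL)
        return 1;  /* not the final pass yet; let IPsec finish first */
    return egress_access_check(skb, checks);
}

/* Simulate one outbound packet crossing `ntransforms` IPsec transforms: the
 * hook fires once per transform with xfrm set, then once more with xfrm NULL
 * for the "normal" IP packet. Returns how many access checks were performed. */
static int send_packet(int ntransforms, int (*hook)(struct sk_buff *, int *))
{
    struct xfrm_state pending = { .proto = 50 };  /* ESP; constructed value */
    struct dst_entry dst = { .xfrm = &pending };
    struct sk_buff skb = { .dst = &dst, .secmark = 0 };
    int checks = 0;

    for (int i = 0; i < ntransforms; i++)
        hook(&skb, &checks);           /* intermediate pass, transform pending */
    dst.xfrm = NULL;                   /* all transforms applied */
    hook(&skb, &checks);               /* final pass */
    return checks;
}
```

With two transforms the naive hook performs three checks per packet while the gated hook performs one, and a plain (non-IPsec) packet is checked once either way.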

* Re: Fwd: Re: [PATCH 1/2] LSM: Add inet_sys_snd_skb() LSM hook
  2008-01-04 17:52 ` Paul Moore
@ 2008-01-06 22:18   ` James Morris
  0 siblings, 0 replies; 3+ messages in thread
From: James Morris @ 2008-01-06 22:18 UTC (permalink / raw)
  To: Paul Moore; +Cc: selinux, sds, vyekkirala

On Fri, 4 Jan 2008, Paul Moore wrote:

> I believe that if we simplify the problem to just IPsec causing multiple 
> hits on the postroute hook we have a simple solution.  The fix is to 
> only apply the new egress access checks when skb->dst->xfrm == NULL.  

Sounds good.


-- 
James Morris
<jmorris@namei.org>


