All of lore.kernel.org
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Tilman Baumann <tilman.baumann@collax.com>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Mon, 29 Sep 2008 20:29:05 -0700	[thread overview]
Message-ID: <48E19D01.9050809@schaufler-ca.com> (raw)
In-Reply-To: <48E1007F.4000400@collax.com>

Tilman Baumann wrote:
>
>
> Casey Schaufler wrote:
>> Tilman Baumann wrote:
>
>>>> Hmm. It looks as if your code will do what you're asking it to do.
>>>> Are you going to be happy with the access restrictions that will be
>>>> imposed by Smack?
>>>
>>> I helped myself with rules like this.
>>> _ foo rwx
>>> But i wanted to add some security stuff like selinux for years,
>>> and SMACK seems to be just great.
>>> So i will spend some time making security rules after i got this 
>>> routing
>>> stuff to work. :)
>>>
>> I confess that I'm still not completely sure what you're up too,
>> but you might want to look at smackpolyport (it's in the smack-util
>> tarball) and might make your life easier if you want to have a
>> single server (running at foo) that deals with connections from
>> processes with multiple labels.
>
> I'm essentially using this as some kind of iptables owner-match on 
> steroids.
> Owner match allows to filter on the processes uid, gid, and some other 
> process attributes.
> Unfortunately owner match is pretty much useless because of it's 
> limited matching capabilities.
>
> I'm really just abusing the way how security contexts of processes are 
> transfered to all it's sockets.
> This way I can label a process with a specific label which then gets 
> transfered to all of it's sockets.
> With this match I can look at the label via the socket of any packet 
> in  iptables.
> I'm pretty much ignoring the Security aspect of SMACK right now  and 
> just use it as some label that I can stick to processes.
>

If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.

> What I then to is write iptables OUTPUT chain matches which match for 
> any of these labels and set some connection marks and firewall marks.
> Which I then can use in routing rules to give different routing rules 
> to specific processes. (Like all proxy traffic over a second DSL line)
>
> I know, it's totally crazy. But it seems to work. :)
> I just hope the security part of this all will not break anything. But 
> it does not look like it would right now.

Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that. I don't think it's crazy,
I think it's a matter of using what's available in novel ways. Don't
hesitate if there's anything I can do to be helpful.


  reply	other threads:[~2008-09-30  3:29 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-25 17:25 SMACK netfilter smacklabel socket match Tilman Baumann
2008-09-25 18:26 ` Paul Moore
2008-09-25 19:26   ` Tilman Baumann
2008-09-25 19:57     ` Paul Moore
2008-09-25 20:32       ` Tilman Baumann
2008-09-26 12:35   ` Tilman Baumann
2008-09-26 19:55     ` Paul Moore
2008-09-26  3:43 ` Casey Schaufler
2008-09-26  8:19   ` Tilman Baumann
2008-09-27  5:01     ` Casey Schaufler
2008-09-29 16:21       ` Tilman Baumann
2008-09-30  3:29         ` Casey Schaufler [this message]
2008-10-01 11:29           ` Tilman Baumann
2008-10-01 15:21             ` Casey Schaufler
2008-10-01 16:55               ` Tilman Baumann
2008-10-01 18:22                 ` Casey Schaufler
2008-10-06 12:57                   ` Tilman Baumann
2008-10-06 23:05                     ` Ahmed S. Darwish
2008-10-07  2:42                     ` Casey Schaufler
2008-10-17 16:57                       ` Tilman Baumann
2008-10-17 17:53                         ` Casey Schaufler
2008-10-20 12:06                           ` Tilman Baumann
2008-10-20 15:01                             ` Casey Schaufler
2008-10-22  3:36                             ` Casey Schaufler
2008-10-30 16:06                               ` Tilman Baumann
2008-10-31  3:46                                 ` Casey Schaufler
2008-12-11  0:03                                 ` Casey Schaufler
2008-12-11 10:18                                   ` Tilman Baumann
2008-12-11 16:29                                     ` Casey Schaufler
2008-10-23 11:55                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48E19D01.9050809@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tilman.baumann@collax.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.