Re: SMACK netfilter smacklabel socket match

[Casey Schaufler <casey@schaufler-ca.com>]

Tilman Baumann wrote:
>
> Am 11.12.2008 um 01:03 schrieb Casey Schaufler:
>
>>
>>>
>>> I just tried this out. But one thing makes me wonder if I had 
>>> understood what it should do.
>>> The syntax for /smack/slhost is IP[/MASK] LABEL.
>>> When I give one host (in my case generously 0.0.0.0/0 *g*) a label 
>>> what is the significance of the @ label?
>>> First I used the _ label here which had the effect that everything 
>>> seems  to work but labeled processes still produced labeled packet 
>>> which got slaughtered in different ways and degrees over the internet.
>>> If I gave my slhost the @ label my machine was offline and did not 
>>> even get pings out locally.
>>>
>>> I get the feeling I did not understand the concept yet.
>>> Sorry but if you don't mind giving me a hint...
>>>
>>
>> OK, Paul and I knocked our heads together until we got the behavior and
>> interfaces ironed out if not to our mutual satisfaction at least to a
>> workable level. Paul's next tree:
>>
>>   % git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_next
>
> Nice, I'm eager to try that out.
>
>>
>>
>> has the current version. There are a couple interesting things going on.
>>
>>   - /smack/nltype is gone. It never lived up to its promise and is no
>>     longer required to determine the labeling scheme.
>>   - /smack/netlabel replaces the earlier /smack/slhost because it better
>>     describes what it gets used for.
>>   - The "@" label (pronounced "web") has been added to the list of 
>> special
>>     labels. A packet with the web label will get delivered anywhere. A
>>     network address specified to have the web label can be written to by
>>     any process. Processes can not have the web label.
>>   - An incoming packet from an address in the netlabel list that has 
>> a CIPSO
>>     label attached will still use the label from the CIPSO packet.
>>   - An unlabeled packet coming from an address in the netlabel list 
>> will be
>>     given the label associated with that address.
>>   - A process that wants to send a packet to an address on the list 
>> needs
>>     write access to the label associated with that address. The 
>> packet will
>>     be sent unlabeled if it is allowed.
>>
>>
>
> I guess the question will be, can the /smack/netlabel network also be 
> 0.0.0.0/0?

Yes. If you want all internet domain sockets to be unlabeled and
accessible to all:

    # echo 0.0.0.0/0 '@' > /smack/netlabel

I have tested this some, but not to the extent I've done on what I
expect to be the more normal cases. Please let me know how well the
current behavior fits what you want to accomplish. We aims to please.

> I know, that's not how it was meant to be used, but that's what would
> solve my problems with outgoing labeled packets.
>
> However, I will try this out...
> Thanks

Thank you. I'm eager to hear your next set of questions.