From: etienne <etienne.basset@numericable.fr>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul.moore@hp.com>,
Linux-Kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match
Date: Wed, 18 Feb 2009 20:35:00 +0100
Message-ID: <499C62E4.1030600@numericable.fr>
In-Reply-To: <499C40C1.20106@schaufler-ca.com>
Casey Schaufler wrote:
> Paul Moore wrote:
>> On Wednesday 18 February 2009 02:23:24 am etienne wrote:
....
> Yes, it would make it nicer. You'll need to do a better job
> on the list management than I've been doing. It's probably well
> past time to introduce the Standard list management scheme to
> Smack, and you'll need to do so if you want to do insertions
> and/or deletions.
>
Well, we could maybe do that for smack_netlbladdrs.
For smk_rules, I don't know; depending on the use case, it could grow bigger and thus need a more efficient scheme than a linked list, like a hash table.
[..]
>>
>
> I would be delighted to see these changes. When you have preliminary
> versions I would be eager to see them and give them a try in the
> Smack test laboratory.
>
OK, will send tonight.
> Etienne, thank you very much for the work you've done so far. Paul,
> thank you for your recommendations.
>
Well, I'll try to explain my use case for SMACK; could you please tell me if this makes sense and if it is doable and sane with SMACK:
I have a single-user computer that, for simplicity's sake, does only web browsing with firefox;
the attack vector I'm concerned with is malicious web pages, which could execute malicious code on my computer or, worse, erase some of my data;
so I express the following security policy in a tool-agnostic way:
1. firefox can access the internet
2. firefox can read/write its configuration directory in my $HOME
3. firefox can read/write to a download directory
4. firefox can execute kpdf, okular, vlc, etc.
5. firefox can read system files
6. firefox can write to the temporary folder
Pretty simple. So I expect the 'tool' to express this policy in very few lines (I had a look at selinux/refpolicy, and I'm ashamed I was too lazy to test/understand it further). And if possible, a mainline tool would be a big bonus.
So I decided to give Smack a try, and here are my notes/interrogations:
Rule 1: if I understand correctly, I have to load the following Smack rule
"firefox _ rwx"
Well, as '_' is the default object label for all system files, it means that firefox will have Smack 'w' access on the system.
So, first issue: is it possible to express network access in another way?
Or maybe I have to relabel /bin/, /sbin, etc. with a custom system label?
Rules 2-6: easy to implement with Smack; I label my $HOME with some label and the download/cfg dirs with other labels.
Firefox won't have rw access to my $HOME, hehe.
Second issue: what is the simplest way to start firefox with the firefox label?
I used the following hack: write a small program (I used cap_mac_admin, could have been suid) that:
a) sets /proc/self/attr/current
b) drops capabilities
c) starts firefox
Is there a cleaner way, can a process be started with its object label?
Third issue: there seems to be no way to log/audit access violations; do you have plans to implement that?
best regards,
Etienne
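Worked example added by the editor; this is not code from the thread, from the smackload tool or from the Smack tree. It puts the two mechanical parts of the message above into one program: building the rule records that get written to /smack/load, and the "set /proc/self/attr/current, drop capabilities, exec" launcher described in (a)-(c). Assumptions, also marked in the code: that the kernel of that era accepted one fixed-width record per write() to /smack/load (subject padded to 24 bytes, object padded to 24 bytes, then a 4-character positional r/w/x/a field, 52 bytes total, no newline), that a usable label is 1 to 23 non-whitespace printable bytes, that writing /proc/self/attr/current needs CAP_MAC_ADMIN, and that the labels ff-cfg, ff-dl and tmp are hypothetical names for the directories in rules 2, 3 and 6. The "firefox _ rx" record covers rule 5 only; the network question raised in the message is left as raised.

```c
/* Added example (not from the thread or from Smack): 2.6.29-era /smack/load
 * record builder plus the "set label, drop caps, exec" launcher. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

#define SMK_LABELLEN  24   /* assumption: padded label slot in a load record */
#define SMK_MAXLEN    (SMK_LABELLEN - 1)
#define SMK_ACCESSLEN 4    /* positional field: r w x a, '-' for "not granted" */
#define SMK_LOADLEN   (2 * SMK_LABELLEN + SMK_ACCESSLEN)   /* 52 bytes */

/* A usable label: 1..23 bytes, printable, no whitespace (assumption). */
int smack_label_ok(const char *label)
{
    size_t n = strlen(label);
    if (n == 0 || n > SMK_MAXLEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isgraph((unsigned char)label[i])) return 0;
    return 1;
}

/* Turn a set such as "rwx", "r" or "-" into the positional field "rwx-" etc.
 * Any letter order is accepted; anything outside r/w/x/a is rejected. */
int smack_access_field(const char *access, char out[SMK_ACCESSLEN])
{
    const char pos[SMK_ACCESSLEN] = { 'r', 'w', 'x', 'a' };
    memset(out, '-', SMK_ACCESSLEN);
    if (strcmp(access, "-") == 0) return 0;
    for (const char *p = access; *p; p++) {
        char c = (char)tolower((unsigned char)*p);
        int i;
        for (i = 0; i < SMK_ACCESSLEN && pos[i] != c; i++) ;
        if (i == SMK_ACCESSLEN) return -1;   /* unknown access letter */
        out[i] = c;
    }
    return 0;
}

/* Build the 52-byte record: subject padded to 24, object padded to 24, access.
 * out gets a trailing NUL so it can be printed, but only SMK_LOADLEN bytes are written. */
int smack_format_rule(const char *subject, const char *object,
                      const char *access, char out[SMK_LOADLEN + 1])
{
    if (!smack_label_ok(subject) || !smack_label_ok(object)) return -1;
    memset(out, ' ', SMK_LOADLEN);
    memcpy(out, subject, strlen(subject));
    memcpy(out + SMK_LABELLEN, object, strlen(object));
    if (smack_access_field(access, out + 2 * SMK_LABELLEN) < 0) return -1;
    out[SMK_LOADLEN] = '\0';
    return 0;
}

/* One write() per rule, exactly SMK_LOADLEN bytes (assumption about the old interface). */
int smack_load_rule(const char *subject, const char *object, const char *access)
{
    char rec[SMK_LOADLEN + 1];
    if (smack_format_rule(subject, object, access, rec) < 0) return -1;
    int fd = open("/smack/load", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, rec, SMK_LOADLEN);
    close(fd);
    return n == SMK_LOADLEN ? 0 : -1;
}

/* Step b): clear effective, permitted and inheritable sets with a raw capset(). */
static int drop_all_caps(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Steps a)-c): relabel self (needs CAP_MAC_ADMIN), drop caps, then exec.
 * Returns only on failure; the label is checked before anything is touched. */
int launch_with_label(const char *label, char *const argv[])
{
    if (!smack_label_ok(label)) return -1;
    int fd = open("/proc/self/attr/current", O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, label, strlen(label));
    close(fd);
    if (n != (ssize_t)strlen(label)) return -1;
    if (drop_all_caps() < 0) return -1;
    execvp(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    /* Constructed rule set for the policy in the message; ff-cfg, ff-dl and tmp
     * are hypothetical labels for rules 2, 3 and 6; "_" r-x is rule 5. */
    const char *rules[][3] = {
        { "firefox", "ff-cfg", "rwx" }, { "firefox", "ff-dl", "rwx" },
        { "firefox", "tmp",    "rwx" }, { "firefox", "_",     "rx"  },
    };
    if (argc > 1 && strcmp(argv[1], "--load") == 0) {
        for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
            if (smack_load_rule(rules[i][0], rules[i][1], rules[i][2]) < 0)
                perror(rules[i][1]);
        return 0;
    }
    if (argc > 1) return launch_with_label("firefox", argv + 1) < 0 ? 1 : 0;
    fprintf(stderr, "usage: %s --load | %s prog [args...]\n", argv[0], argv[0]);
    return 2;
}
```

Usage: `./smackff --load` as root (or with CAP_MAC_ADMIN) installs the four records, and `./smackff firefox` relabels the process to "firefox", drops every capability and execs the browser. The label check runs before the write so a typo cannot leave the process relabeled to something unintended, and the capability drop happens before exec so that neither the setuid bit nor the file capabilities of the wrapper leak into the browser.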