Re: [PATCH] SMACK netfilter smacklabel socket match

All of lore.kernel.org
 help / color / mirror / Atom feed

From: etienne <etienne.basset@numericable.fr>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul.moore@hp.com>,
	Linux-Kernel <linux-kernel@vger.kernel.org>,
	LSM <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match
Date: Fri, 20 Feb 2009 19:26:53 +0100	[thread overview]
Message-ID: <499EF5ED.4080207@numericable.fr> (raw)
In-Reply-To: <499E3353.7020305@schaufler-ca.com>

Casey Schaufler wrote:
> etienne wrote:
>> ...
>>> Etienne, thank you very much for the work you've done so far. Paul,
>>> thank you for your recommendations.
>>>     
>> well, I'll try to explain my use case for SMACK, could you please tell me if this makes sense and if it is doable and sane with SMACK :
>>
>> I have single-user computer that, for simplicity sake, do only web browsing with firefox; 
>> the attack vector i'm concerned with is malicious web pages, that could execute malicious code on my computer or worse erase some of my data; 
>>
>> so i express the following security policy in a tool-agnostic way :
>> 1. firefox can access internet
>>   
> 
> In Smack terms then you want the process label of your browser
> process to have access to hosts on the internet in general. The
> easy way to do this is for it to run with the ambient label
> (cat /smack/ambient to see it) which will be the floor label "_"
> unless you change it. Note that your browser will need to talk
> to the X11 server as well, so processes with the label of the
> browser will need write access to processes with the label of the
> X11 server, and visa versa.

OK
> 
>> 2. firefox can read/write it's configuration directory in my $HOME
>>   
[snip]
> 
> Do you need to use /tmp, or does firefox respect $TMPDIR?
> You can set the label of /tmp to the star "*" label if worse
> comes to worst.
>
i don't really know now, i label /tmp/ /var/tmp with *

 
>> pretty simple. So I expect the 'tool' to express this policy in very few line; (i had a look at selinux/refpolicy, and I'm ashamed I was too lazy to test/understand further).
> 
> Don't be ashamed. I wrote Smack because I was too lazy to figure
> out SELinux policy.
> 
:-)

> 
> I have a newsmack program, but all that it does is what your "hack"
> does.
>
OK then. If it's the only way
 
>> Third issue : there seems to be  no way to log/audit access violations, have you plans to implement that?
>>   
> 
> Hmm. Audit should be working.
> 
I see some "audit" hook in the  code, but i don't see a way to log _specific_ smack information ie  
"smack_subject  smack_object  smack_access drop"       (+of course process name, pid, path, and any relevant info)

like selinux would do in 'avc_audit' 

 
regards
Etienne

next prev parent reply	other threads:[~2009-02-20 18:27 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <fa.O38YY4pVfLlMFJNBI3mhgn+qOcQ@ifi.uio.no>
     [not found] ` <fa.c87eBVWyCqqi9h1c54QlwKDAIbg@ifi.uio.no>
     [not found]   ` <fa.f7jv/+EnhNJziduAqQS3XHiU6/A@ifi.uio.no>
     [not found]     ` <fa.1A5YyyPb1uCn//vnk7baNJGI0IM@ifi.uio.no>
     [not found]       ` <fa.HFpMNTzIQ1+pODZB3+XkfnipCfo@ifi.uio.no>
     [not found]         ` <fa.3IBoeBnwT1eZcqeO6DAE1tHBYc4@ifi.uio.no>
2009-02-17 20:01           ` [PATCH] SMACK netfilter smacklabel socket match etienne
2009-02-17 20:32             ` [PATCH] SMACK smacklabel : apply &MASK to IP inserted in /smack/netlabel etienne
2009-02-17 23:54               ` Paul Moore
2009-02-18  6:01                 ` Casey Schaufler
2009-02-18  7:25                 ` etienne
2009-02-17 22:39             ` [PATCH] SMACK netfilter smacklabel socket match David Miller
2009-02-17 23:52             ` Paul Moore
2009-02-18  7:23               ` etienne
2009-02-18 15:05                 ` Paul Moore
2009-02-18 17:09                   ` Casey Schaufler
2009-02-18 19:35                     ` etienne
2009-02-18 20:55                       ` Paul Moore
2009-02-20  4:36                       ` Casey Schaufler
2009-02-20 18:26                         ` etienne [this message]
2009-02-18 18:29                   ` etienne
2009-02-18 19:06                     ` Casey Schaufler
2009-02-18 21:16                       ` [PATCH] SMACK netlabel fixes etienne
2009-02-19  5:50                         ` Casey Schaufler
2009-02-19 15:24                         ` Paul Moore
2009-02-19 23:22                           ` [PATCH] SMACK netlabel fixes v2 etienne
2009-02-20 16:11                             ` Paul Moore
2009-02-18 19:18                     ` [PATCH] SMACK netfilter smacklabel socket match Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=499EF5ED.4080207@numericable.fr \
    --to=etienne.basset@numericable.fr \
    --cc=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul.moore@hp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.