Re: "netstat -Z" reimplementation

[Rongqing Li <rongqing.li@windriver.com>]

On 07/27/2011 08:09 PM, Stephen Smalley wrote:
> On Wed, 2011-07-27 at 17:28 +0800, Rongqing Li wrote:
>> SELinux folks, Stephen:
>>
>> I have some thoughts about reimplementation of 'netstat -Z', but I do
>> not know if it is valuable, or if there are other risks. Could you
>> evaluate my implementation, or give me your valuable advice?
>>
>> 1. From kernel, print the socket labels to tcp, udp, raw, unix
>> files under /proc/net/.
>>
>> Now the /proc/net/tcp /proc/net/udp ... include many socket's
>> information, like local address, remote address, inode, I think we can
>> put the socket's security context to these files.
>>
>> To avoid to expose these information to non-privileged users, security
>> checking should be done when expose the socket security context to procfs.
>
> We can already control the ability to read /proc/net files by labeling
> them via genfscon statements and then writing policy accordingly.  Do we
> think exposing the (raw) security context is any more of a concern than
> the rest of the information in the file?
>
> Can we add a field to those files without breaking compatibility with
> existing userspace?
>

Currently, if a user can access /proc/net/tcp, this user can get tcp socket
all information, I think this maybe a error.

Like below case:
-------------------------------------------------------
# id -Z
root:sysadm_r:sysadm_t:s0-s15:c0.c1023
#
# netstat -Za |grep "dev/log"
unix  2      [ ACC ]     STREAM     LISTENING     7263   508/syslog-ng 
system_u:system_r:syslogd_t:s15:c0.c1023          /dev/log
#
-------------------------------------------------------

This control can be implemented when kernel print this information to 
kernel.

-Roy

>> 2. reimplementation the "netstat -Z", "netstat -Z" will first parse the
>> security context from procfs's tcp, udp, raw files, and get the security
>> context, if this step fails, "netstat -Z" will try as legacy method.
>
> It should only fall back to the legacy method if the context is not
> present in the file; if there is any other reason for failure (e.g.
> permission denied to /proc/net/tcp), then we presumably want netstat -Z
> to fail rather than report a possibly incorrect result.
>
>> If this implementation could be accepted by mainstream, netstat could
>> print the correct socket label even if the type_transition has been
>> happen on socket, or application changes socket labels by setting
>> /proc/self/attr/sockcreate.
>>
>>
>> Do you think it is valuable?
>
> Yes, I think it would be useful.
>

-- 
Best Reagrds,
Roy | RongQing Li
-------------------------------------------------------------
WIND RIVER Beijing | China Development Center
Phone: +86-10-6483-5025, Cell: +86-135-2202-9864, Fax: +86-10-6479-0367

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.