From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Gianni Tedesco <gianni@scaramanga.co.uk>
Cc: linux-kernel@vger.kernel.org
Subject: Re: fireflier firewall userspace program doing userspace packet filtering
Date: Tue, 31 Aug 2004 10:27:51 +0100 [thread overview]
Message-ID: <20040831092751.GK31497@lkcl.net> (raw)
In-Reply-To: <20040830200023.GA31497@lkcl.net>
On Mon, Aug 30, 2004 at 09:00:23PM +0100, Luke Kenneth Casson Leighton wrote:
> On Mon, Aug 30, 2004 at 08:16:06PM +0100, Gianni Tedesco wrote:
> > On Mon, 2004-08-30 at 19:15 +0100, Luke Kenneth Casson Leighton wrote:
> > > so, my question, therefore, is:
> > >
> > > what should i record in a modified version of ipt_owner in
> > > order to "vet" packets on a per-executable basis?
> > >
> > > should i consider recording the inode of the program's binary?
> >
> > Bear in mind that that would make sense for an ACCEPT rule, but for a
> > DROP rule, copying the binary would bypass the check.
>
> i understand!
>
> i thought that selinux by default would stop me from being
> able to copy binaries from /usr/bin.... uhn... no such luck.
>
> if it becomes an issue i will investigate removing read access!
okay.
first thing:
1) assuming that the DROP rule issue is one that cannot be avoided,
and that a rules design policy of "deny everything and only allow
specifics" is required, then checking on the _full_ pathname
of the program is required.
second thing:
2) it _is_ possible to hunt through the selinux policy macros to
remove the execute permission on binaries that a user drops into
their home directory, or copies into their home directory.
l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net"> lkcl.net </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />
prev parent reply other threads:[~2004-08-31 9:17 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-30 10:42 fireflier firewall userspace program doing userspace packet filtering Luke Kenneth Casson Leighton
2004-08-30 18:15 ` Luke Kenneth Casson Leighton
2004-08-30 19:16 ` Gianni Tedesco
2004-08-30 20:00 ` Luke Kenneth Casson Leighton
2004-08-31 9:27 ` Luke Kenneth Casson Leighton [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040831092751.GK31497@lkcl.net \
--to=lkcl@lkcl.net \
--cc=gianni@scaramanga.co.uk \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox