From: Luke Kenneth Casson Leighton <lkcl@lkcl.net>
To: Arjan van de Ven <arjanv@redhat.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [patch] to add device+inode check to ipt_owner.c - HACKED UP
Date: Wed, 8 Sep 2004 14:43:56 +0100
Message-ID: <20040908134356.GC1017@lkcl.net>
In-Reply-To: <1094638489.2800.7.camel@laptop.fenrus.com>
On Wed, Sep 08, 2004 at 12:14:50PM +0200, Arjan van de Ven wrote:
> On Wed, 2004-09-08 at 12:09, Luke Kenneth Casson Leighton wrote:
> > dear kernel people,
> >
> > this is a first pass at attempting to add per-program firewall rule
> > checking to iptables.
>
> question: any reason you didn't use something like selinux-like contexts
> instead of dentry/device pairs ?
A very good question: Stephen Smalley described an approach in which
exactly what you suggest can be done.

Please bear with me whilst I explain, then I will answer.

The issue is that FireFlier is an on-demand (user-driven) popup firewall
program [and there literally ISN'T any firewall program available for
Linux that even remotely comes close to the same capabilities as
FireFlier].

So rules are queued (ipt_queue) and the popup thrown at the user until
they select "yes", "no" or "create a firewall rule".

To parallel the same functionality I would need to place a hook in
SELinux to catch an audit operation (hooks are already there), then
alert the user to it, then create a rule, recompile the policy, and
_then_ let the hook proceed.

I'm not sure if this would work!!!

So, I didn't want to use SELinux contexts because it involves
dynamically creating SELinux policy rules.

FireFlier is NOT a "create-it-once-then-apply-it-suck-it-and-see"
firewall program.

It's an on-demand "popup" firewall program where the default is
"block by virtue of the packet being in the ip_queue, awaiting
user approval or disapproval".

Unless... *shudder* ... you mean... why didn't I consider getting
FireFlier to _create_ SELinux contexts, blatting them into the policy
directly? (Which I know is possible; there do exist binary policy
editing-and-writing tools.)

Well... if this approach turns out to be a total nightmare, then
your question is really appreciated because it makes me think of
other possibilities.
l.
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
http://lkcl.net
lkcl@lkcl.net
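The queue-then-ask model described in the message above, as an added illustration that is not code from the patch, from FireFlier or from the kernel: packets from a program with no rule are held for a user decision, and a persistent rule is keyed on the (device, inode) pair of the owning executable, the same identity the ipt_owner patch in this thread matches on. The pid-to-executable lookup is a plain callback standing in for /proc/<pid>/exe, the user's "yes / no / create-a-firewall-rule" answers are modelled as an (allow, make_rule) pair, and the three "executables" are constructed files in a temporary directory; all of that is this example's own framing.

```python
import os
import shutil
import tempfile
from collections import namedtuple

# (device, inode) identity of an executable file, the key ipt_owner
# would compare against; names are irrelevant, only the inode matters.
ProgramId = namedtuple("ProgramId", "dev ino")
# A queued packet: the pid that owns the socket and the destination port.
Packet = namedtuple("Packet", "pid dst_port")


def program_id(path):
    """Identify a program by the device and inode of its executable."""
    st = os.stat(path)
    return ProgramId(st.st_dev, st.st_ino)


class OnDemandFirewall:
    """Default-deny-until-asked: a packet whose program has no rule waits
    for the user; the answer may apply once or become a (dev, ino) rule."""

    def __init__(self, exe_of_pid, ask_user):
        self.rules = {}               # ProgramId -> "ACCEPT" or "DROP"
        self.exe_of_pid = exe_of_pid  # pid -> path (stand-in for /proc/<pid>/exe)
        self.ask_user = ask_user      # (pid, path, pkt) -> (allow, make_rule)
        self.prompts = 0              # how many times the popup was raised

    def verdict(self, pkt):
        path = self.exe_of_pid(pkt.pid)
        prog = program_id(path)
        if prog in self.rules:        # existing rule: no popup
            return self.rules[prog]
        self.prompts += 1             # otherwise the packet sits in the queue
        allow, make_rule = self.ask_user(pkt.pid, path, pkt)
        decision = "ACCEPT" if allow else "DROP"
        if make_rule:                 # "create a firewall rule" answer
            self.rules[prog] = decision
        return decision


def demo():
    """Constructed scenario: one program, a hard link to it, and a copy."""
    d = tempfile.mkdtemp()
    try:
        app = os.path.join(d, "app")
        with open(app, "w") as f:
            f.write("#!/bin/sh\n")
        link = os.path.join(d, "app_link")
        os.link(app, link)            # same inode under a different name
        copy = os.path.join(d, "app_copy")
        shutil.copyfile(app, copy)    # identical bytes, but a new inode
        exes = {1: app, 2: link, 3: copy}
        # Scripted user answers per pid: (allow, make_rule); assumption.
        answers = {1: (True, True), 2: (False, False), 3: (False, False)}
        fw = OnDemandFirewall(exes.get, lambda pid, path, pkt: answers[pid])
        v1 = fw.verdict(Packet(1, 443))   # popup -> ACCEPT, rule stored
        v2 = fw.verdict(Packet(2, 443))   # hard link hits the rule, no popup
        v3 = fw.verdict(Packet(3, 443))   # copy is a new inode -> popup -> DROP
        v3b = fw.verdict(Packet(3, 443))  # no rule was made, so it asks again
        return {"verdicts": (v1, v2, v3, v3b),
                "prompts": fw.prompts,
                "rules": len(fw.rules)}
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo())
```

Two properties of the (dev, ino) key are worth keeping in mind when reading the patch: a renamed or hard-linked binary still matches its rule, which is the intended behaviour, while a byte-identical copy does not; and because inode numbers are recycled once a file is unlinked, a rule created for a binary that is later deleted can come to match whatever file the filesystem next places on that inode.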
2004-09-08 10:09 [patch] to add device+inode check to ipt_owner.c - HACKED UP Luke Kenneth Casson Leighton
2004-09-08 10:14 ` Arjan van de Ven
2004-09-08 13:43 ` Luke Kenneth Casson Leighton [this message]
2004-09-08 10:39 ` Luke Kenneth Casson Leighton
2004-09-08 10:47 ` viro
2004-09-08 13:35 ` Luke Kenneth Casson Leighton
2004-09-10 7:49 ` Gianni Tedesco
2004-09-10 9:57 ` Luke Kenneth Casson Leighton
2004-09-10 11:11 ` Luke Kenneth Casson Leighton