From: etienne <etienne.basset@numericable.fr>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: Paul Moore <paul.moore@hp.com>,
Linux-Kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH] SMACK netfilter smacklabel socket match
Date: Wed, 18 Feb 2009 20:35:00 +0100 [thread overview]
Message-ID: <499C62E4.1030600@numericable.fr> (raw)
In-Reply-To: <499C40C1.20106@schaufler-ca.com>
Casey Schaufler wrote:
> Paul Moore wrote:
>> On Wednesday 18 February 2009 02:23:24 am etienne wrote:
....
> Yes, it would make it nicer. You'll need to do a better job
> on the list management than I've been doing. It's probably well
> past time to introduce the Standard list management scheme to
> Smack, and you'll need to do so if you want to do insertions
> and/or deletions.
>
well, we could maybe do that for smack_netlbladdrs.
for smk_rules, i don't know, depending to the use case, it could grow bigger and thus need a more efficient scheme than linked-list like hash-table.
[..]
>>
>
> I would be delighted to see these changes. When you have preliminary
> versions I would be eager to see them and give them a try in the
> Smack test laboratory.
>
OK, will send tonight
> Etienne, thank you very much for the work you've done so far. Paul,
> thank you for your recommendations.
>
well, I'll try to explain my use case for SMACK, could you please tell me if this makes sense and if it is doable and sane with SMACK :
I have single-user computer that, for simplicity sake, do only web browsing with firefox;
the attack vector i'm concerned with is malicious web pages, that could execute malicious code on my computer or worse erase some of my data;
so i express the following security policy in a tool-agnostic way :
1. firefox can access internet
2. firefox can read/write it's configuration directory in my $HOME
3. firefox can read/write to a download directory
4. firefox can execute kpdf, okular, vlc etc...
5. firefox can read system files
6. firefox can write to temporary folder
pretty simple. So I expect the 'tool' to express this policy in very few line; (i had a look at selinux/refpolicy, and I'm ashamed I was too lazy to test/understand further). And if possible a mainline tool would be a big bonus.
So I decided to give smack a try, and here are my notes/interrogations :
rule 1. if i understand correctly, I have to load the following smack rule
"firefox _ rwx"
well, as '_' is the default objectlabel for all system files, it means that firefox will have smack 'w' access on system.
So first issue : is it possible to express network access in another way?
Or maybe I have to relabel /bin/, /sbin etc with a custom system label ?
rule 2-6 : easy to implement with smack, i label my $HOME with some label and download/cfg dir with other labels
Firefox won't have rw access to my $HOME hehe
Second issue : what is the simplest way to start firefox with the firefox label?
I used the following hack : write a small program (i used cap_mac_admin, could have been suid) that :
a) set /proc/self/attr/current
b) drop capabilities
c) start firefox
Is there a cleanest way, can a process be started with its objectlabel?
Third issue : there seems to be no way to log/audit access violations, have you plans to implement that?
best regards,
Etienne
next prev parent reply other threads:[~2009-02-18 19:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <fa.O38YY4pVfLlMFJNBI3mhgn+qOcQ@ifi.uio.no>
[not found] ` <fa.c87eBVWyCqqi9h1c54QlwKDAIbg@ifi.uio.no>
[not found] ` <fa.f7jv/+EnhNJziduAqQS3XHiU6/A@ifi.uio.no>
[not found] ` <fa.1A5YyyPb1uCn//vnk7baNJGI0IM@ifi.uio.no>
[not found] ` <fa.HFpMNTzIQ1+pODZB3+XkfnipCfo@ifi.uio.no>
[not found] ` <fa.3IBoeBnwT1eZcqeO6DAE1tHBYc4@ifi.uio.no>
2009-02-17 20:01 ` [PATCH] SMACK netfilter smacklabel socket match etienne
2009-02-17 20:32 ` [PATCH] SMACK smacklabel : apply &MASK to IP inserted in /smack/netlabel etienne
2009-02-17 23:54 ` Paul Moore
2009-02-18 6:01 ` Casey Schaufler
2009-02-18 7:25 ` etienne
2009-02-17 22:39 ` [PATCH] SMACK netfilter smacklabel socket match David Miller
2009-02-17 23:52 ` Paul Moore
2009-02-18 7:23 ` etienne
2009-02-18 15:05 ` Paul Moore
2009-02-18 17:09 ` Casey Schaufler
2009-02-18 19:35 ` etienne [this message]
2009-02-18 20:55 ` Paul Moore
2009-02-20 4:36 ` Casey Schaufler
2009-02-20 18:26 ` etienne
2009-02-18 18:29 ` etienne
2009-02-18 19:06 ` Casey Schaufler
2009-02-18 21:16 ` [PATCH] SMACK netlabel fixes etienne
2009-02-19 5:50 ` Casey Schaufler
2009-02-19 15:24 ` Paul Moore
2009-02-19 23:22 ` [PATCH] SMACK netlabel fixes v2 etienne
2009-02-20 16:11 ` Paul Moore
2009-02-18 19:18 ` [PATCH] SMACK netfilter smacklabel socket match Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=499C62E4.1030600@numericable.fr \
--to=etienne.basset@numericable.fr \
--cc=casey@schaufler-ca.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=paul.moore@hp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox