Re: RFC: Mandatory Access Control for sockets aka "personal firewalls"

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Samir Bellabes <sam@synack.fr>
To: Stephan Peijnik <stephan@peijnik.at>
Cc: Jan Engelhardt <jengelh@medozas.de>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	netdev@vger.kernel.org,
	Netfilter Developer Mailing List
	<netfilter-devel@vger.kernel.org>
Subject: Re: RFC: Mandatory Access Control for sockets aka "personal firewalls"
Date: Tue, 20 Jan 2009 21:15:53 +0100	[thread overview]
Message-ID: <m2prih3f9i.fsf@ssh.synack.fr> (raw)
In-Reply-To: <1232477780.24943.116.camel@sp-laptop3.sp-local> (Stephan Peijnik's message of "Tue, 20 Jan 2009 19:56:20 +0100")

Stephan Peijnik <stephan@peijnik.at> writes:

> On Tue, 2009-01-20 at 19:24 +0100, Jan Engelhardt wrote:
>> On Tuesday 2009-01-20 18:48, Stephan Peijnik wrote:
>> >
>> >A personal firewall should implement per-application mandatory access
>> >control for sockets. In short this means that such a program decides
>> >every time a call to either socket(), accept(), bind(), connect() or
>> >listen()[...]
>> 
>> Without reading any further (yet), that sounds like
>> http://www.synack.fr/project/cn_net/cn_net.html

I have updated cn_net, for supporting libnl and having a library in
userspace.
http://www.synack.fr/project/snet/snet.html
but you are perfectly right, this is exactly what I implemented.

> Yes, it does, and it's exactly that. However, as a LSM it can only be
> used whilst no other LSM is enabled. 
> Samir Bellabes has been involved in the discussion at
> linux-security-module too.
> Even though I like the implementation personally I'm unsure about
> whether this should be dubbed "the one" way to do this or whether there
> should be an API for alternative implementations.

be carefull, you are mixing 2 distincts questions in fact :

1. how to have differents security models in the kernel, dealing with
   the LSM hooks ?

2. how to build a 'personnal firewall', based on syscall applications ?

I have a answer for the second question, it's snet, as it's the simplest
way for the kernel to deal with this problem.

For the first question, you can build a personnal firewall with LSM
hooks, if, at compilation time, you don't choose other LSM
solutions. that's how I'm using snet.
But what you are asking is to have multiple security models at the same
time, with some kind of priority.
I don't know if it's ok or not, but what I'm sure is that snet will use
LSM hooks or your new framework without any problems in fact, as you are
going to make some kind of wrapper on the members of the struct
security_operations.

>> >And yet another approach was suggested: hooking socket-related calls
>> >directly in net/socket.c. This would mean that the personal firewall
>> >code is called directly from net/socket.c and can this way work in
>> >process-context, without using the LSM framework.
>> >On the other hand this would add, besides the LSM calls that are in
>> >place in net/socket.c a few extra calls which might not be what we want.[...]
>> 
>> My opinion up to here would be to split LSM into the LSM category
>> {selinux, apparmor, tomoyo} and the other, new LSM category
>> {networking stuff}, just as a potential idea to get over the
>> stacking / single LSM use  issue.

Indeed I thought about that when writing snet.

> The problem here is that all of your three examples do use the LSM
> networking hooks too. If two functions are to be called from the LSM
> core (ie. the generic LSM one and the networking-LSM one) we get pretty
> much the same problem back as if we multiple generic LSMs enabled.

I agree that can be issue, but this as nothing to do with implementing a
personnal firewall. you see, there are 2 questions beside your
thought.

You can ask yourself about having the same kind of subsystem for
syscalls related to filesystem (open, read, write, ..).
So you can build your own security model by picking-up a subsystem A
for networking part, and a subsystem X for the filesystem part.
in this way, you can let people writing differents models for networking,
or filesystem, and so on.

I won't fight for this idea, because I'm not sure it's right or not. I
just thought about when developping snet, because I wanted to plug the
same kind of code as snet, dealing with others security hooks (as
filesystem, ..), to complete the job of snet.
But I personnaly have no shame to said that, in the 'security' point of
view, I don't known if this model means something.

>> >Implementations using the LSM approach are TuxGuardian [0] and snet [1].
>> >Code implementing the last mentioned approach can be found in git over
>> >at [2] in the sactl-direct branch.
>> >
>> >[0] http://tuxguardian.sourceforge.net/
>> 
>> tuxguardian is probably regardable as obsoleted by cn_net (if it's
>> finished someday, or is it?) -- Samir probably knows more.

concerns about tuxguardian:
 - it is using sock_sendmsg/sock_recvmsg for userspace communication.
 - there is no timeout when waiting for userspace decision on the
   syscall
 - it is dealing only with members .socket_create and .socket_listen
   from the struct security_operations

> The tuxguardian developers seem to be interested in picking up
> development again and as I wrote Samir has already been involved in this
> discussion.
>
> -- Stephan

sam

next prev parent reply	other threads:[~2009-01-20 20:15 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-01-20 17:48 RFC: Mandatory Access Control for sockets aka "personal firewalls" Stephan Peijnik
2009-01-20 18:24 ` Jan Engelhardt
2009-01-20 18:56   ` Stephan Peijnik
2009-01-20 20:15     ` Samir Bellabes [this message]
2009-01-20 20:31       ` Jan Engelhardt
2009-01-20 20:53         ` Paul Moore
2009-01-20 21:42           ` Samir Bellabes
2009-01-20 21:51             ` Paul Moore
2009-01-20 19:46 ` Jonathan Day
2009-01-20 21:01   ` Paul Moore
2009-01-21  0:54   ` Samir Bellabes
2009-01-21  1:18     ` Casey Schaufler
2009-01-21  3:14       ` Samir Bellabes
2009-01-20 20:47 ` Paul Moore
2009-01-20 23:48   ` Stephan Peijnik
2009-01-21  8:18     ` Samir Bellabes
2009-01-21 14:49     ` Paul Moore
2009-01-21  0:40 ` Samir Bellabes
  -- strict thread matches above, loose matches on Subject: below --
2009-01-21  7:25 Rob Meijer
2009-01-21  8:15 ` Peter Dolding
2009-01-21  8:35   ` Jan Engelhardt
2009-01-21  9:32 Rob Meijer
2009-01-21 23:28 ` Peter Dolding
2009-01-22  0:50   ` Jonathan Day
2009-01-22  0:59     ` Casey Schaufler
2009-01-22  6:29       ` Jonathan Day
2009-01-22 13:46     ` Peter Dolding
2009-01-22 17:08       ` Jonathan Day

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m2prih3f9i.fsf@ssh.synack.fr \
    --to=sam@synack.fr \
    --cc=jengelh@medozas.de \
    --cc=linux-security-module@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=stephan@peijnik.at \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).