From: Samir Bellabes <sam@synack.fr>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: jmorris@namei.org, herbert@gondor.apana.org.au,
netdev@vger.kernel.org, davem@davemloft.net,
linux-security-module@vger.kernel.org, kaber@trash.net,
netfilter-devel@vger.kernel.org, sds@tycho.nsa.gov
Subject: Re: [PATCH net-2.6.25] Add packet filtering based on process's security context.
Date: Fri, 30 Nov 2007 17:07:31 +0100 [thread overview]
Message-ID: <m2r6i71zuk.fsf@synack.fr> (raw)
In-Reply-To: <200711302359.GGF60963.LtFFFHQVJOSOOM@I-love.SAKURA.ne.jp> (Tetsuo Handa's message of "Fri, 30 Nov 2007 23:59:13 +0900")
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> writes:
> Hello.
>
> Samir Bellabes wrote:
>> at security_socket_accept(), the user only accepts the fact that the
>> application is able to go to sock->ops->accept(). That's the purpose of
>> this hook.
> Yes. This hook can't perform filtering.
By "filtering", you must mean "packet filtering", don't you? Because this
hook is able to deny the accept() syscall for a process, so it's a kind of
"filtering" too.
>> After, when packet are coming, we can catch them with
>> libnetfilter_queue, and deal with filtering packets.
> Is this performed inside sock->ops->accept()?
No, it's performed from userspace. The goal is not to touch the network
stack at all.
After a successful security_socket_accept(), the process will wait for a
client. The first packet will arrive. Here we do the filtering, and give
the user the ability to deny packets.
Dropping the TCP SYN of a TCP connection, for example: then the process
doesn't see the connection, which arrived and was dropped.
Another important point which makes me sure we need to use
libnetfilter_queue is that we need to work with the conntrack tool to
automatically let some connections go through the firewall.
One example: an ftp client will listen on an arbitrary port for the
incoming data channel. This job is already handled by the conntrack_ftp
extension of netfilter.
With your tool, you will have to teach the ftp client to let incoming
connections reach this dynamic port, so does this mean, as it's dynamic,
allowing TCP ports 1024-65535?
With the approach of using libnetfilter_queue, we can first put the
network packet through conntrack, let the packets in the RELATED state
go through the firewall and be ACCEPTED, and for the other packets, let
the user decide.
>> here we agree. *but* in my module, the user doesn't judge before
>> sock->ops->accept(). He judges when packets are coming, through the
>> libnetfilter_queue API, in userspace, and reinjects the packet if it's ok.
> I didn't understand what is happening.
> Is there a hook which can perform filtering inside sock->ops->accept()?
I'm not speaking anymore about socket filtering inside
sock->ops->accept(). I do filtering for sock->ops->accept() with the
netfilter tool, by handling packets directly.
So there are two things: first, dealing with socket filtering for socket(),
bind(), listen(), accept() (just to let the application have the right to
execute the syscall).
Then, for managing the data inside the connection, I will use the
packet-by-packet way, with netfilter and libnetfilter_queue.
I really need time to make a real release, to show code. I will take it.
regards,
sam
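The two-layer design described in the message above, as an added example that is not part of the original thread and not code from Samir Bellabes's module: conntrack keeps RELATED/ESTABLISHED traffic (including the ftp data channel that conntrack_ftp marks RELATED) in the kernel, and only the first packet of a new TCP connection, the SYN, is queued to a user-space decision. The iptables rules, NFQUEUE queue number 0, the python-netfilterqueue binding used as the libnetfilter_queue wrapper, the sample addresses and the "set of allowed destination ports" policy are all assumptions of this example, not something the thread specifies. The packet parsing and the verdict logic run offline on constructed packets; the live nfqueue loop only runs as root with the rules loaded.

```python
"""
Added example, not code from the original thread or from Samir Bellabes's
module: user-space verdicts for new inbound TCP connections, with conntrack
doing the RELATED/ESTABLISHED work in the kernel.

Assumptions (not stated in the thread): NFQUEUE queue number 0, the
python-netfilterqueue binding as the libnetfilter_queue wrapper, and a policy
that is simply a set of allowed destination ports.
"""
import struct
from enum import Enum

# Assumed rule set.  Order matters: the conntrack rule runs first, so the
# data channel that conntrack_ftp has marked RELATED (the ftp client's
# dynamic port) is accepted in the kernel and never reaches user space.
IPTABLES_RULES = [
    "modprobe nf_conntrack_ftp",
    "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    "iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j NFQUEUE --queue-num 0",
]

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


class Verdict(Enum):
    ACCEPT = "accept"
    DROP = "drop"


def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, tcp_flags) or None if raw is not IPv4/TCP."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6 or len(raw) < ihl + 20:          # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    flags = raw[ihl + 13] & 0x3F                     # low six bits: URG ACK PSH RST SYN FIN
    return src, dst, sport, dport, flags


def verdict_for(raw, allowed_ports):
    """Decide the fate of one queued packet; default deny."""
    hdr = parse_ipv4_tcp(raw)
    if hdr is None:
        return Verdict.DROP   # the rules only queue TCP SYNs; anything else is suspect
    _src, _dst, _sport, dport, flags = hdr
    if (flags & (SYN | ACK | RST | FIN)) != SYN:
        return Verdict.DROP   # not the first packet of a new connection
    return Verdict.ACCEPT if dport in allowed_ports else Verdict.DROP


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: minimal IPv4 + TCP headers, no options, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    # Live mode: needs root, the rules above, and python-netfilterqueue installed.
    from netfilterqueue import NetfilterQueue

    allowed = {22, 80}      # assumed policy

    def on_packet(pkt):
        if verdict_for(pkt.get_payload(), allowed) is Verdict.ACCEPT:
            pkt.accept()    # reinject: the SYN reaches the listening process
        else:
            pkt.drop()      # the process never sees the connection

    nfq = NetfilterQueue()
    nfq.bind(0, on_packet)
    try:
        nfq.run()
    finally:
        nfq.unbind()
```

The verdict function is deliberately default-deny: a packet that is not an IPv4 TCP SYN should never have been queued by the rules above, so it is dropped rather than passed. The other layer the message describes, the security_socket_accept() LSM decision on whether the process may call accept() at all, is independent of this loop and is not shown here.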