From: Samir Bellabes <sam@synack.fr>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: imipak@yahoo.com,
linux-security-module <linux-security-module@vger.kernel.org>,
Stephan Peijnik <stephan@peijnik.at>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: RFC: Mandatory Access Control for sockets aka "personal firewalls"
Date: Wed, 21 Jan 2009 04:14:29 +0100 [thread overview]
Message-ID: <m2wscp1hbe.fsf@ssh.synack.fr> (raw)
In-Reply-To: <497677CC.105@schaufler-ca.com> (Casey Schaufler's message of "Tue, 20 Jan 2009 17:18:04 -0800")
Casey Schaufler <casey@schaufler-ca.com> writes:
> I hate to be the one to say this, but it looks to me as if the
> easiest way to solve the problems that you have outlined would
> be to create a new LSM based on SELinux with two important
> changes.
Hi Casey,
I'm very interesting by this thought. because I don't have enough
background on security models.
> The first would be to have a separate policy for each
> user (or process tree) and the second would be to make the policy
> specification discretionary.
I got this, but I don't see what it's implying exactly.
> SELinux has all the mechanism you're
> talking about, but you want the policy being enforced to reflect
> a set of "personal firewall" rules rather than "domain type" rules.
ok, I understand the link with the domain type, and I agree.
> From the lobby at LCA in Hobart these rule sets are pretty hard to
> tell apart.
By my experience on it, I fully agree.
At first, I jumped on how to build this rule sets, I just totally
failed. Specially for dropping rule, and worse: how to order rules.
Then we also need to join sets : (fixing a specific user)
deny socket() for application X +
+ deny accept() for application X +
+ deny listen() for application X +
+ deny bind() for application X + .. (all syscalls)
== deny all syscall for 'application X'
So the case of having all the denying rules, minus one, and the user
adding the missing rule, is not just adding the rule, but it's to 'add'
all of them to get only one.
and then we need to put priority/order on keys : filtering by uid first
? application first ?
I don't know how to do that. what I known for sure is that I don't want
to spend the next 20 years trying to solve this problem.
that's why I focused on the better way to pass the informations to
userspace, at let someone who actually may implements a way to managed
this rules sets, with the simplest design to interact with the
kernel/API mechanism.
> And let's not have the "SELinux isn't designed to do
> that" row. Of course it isn't. Nonetheless, the personal firewall
> sure sounds a lot like SELinux if you ignore the MAC/DAC difference.
maybe, but for sure what SELinux is not doing is this :
1. I'm editing the sshd_config file to put the server to listen on the
port 2222.
2. starting server
3. SELinux is not aware of that, it's not working
4. I have to put another conf inside SELinux to allow it (but actually
didn't I already do it in 1 ?)
then it will work.
with the idea of userspace interaction (asking user, check a database)
1. I'm editing the sshd_config file to put the server to listen on the
port 2222.
2. staring server -> listen() -> catch it in userspace, ask (X user,
remote admin, automatic mecanism/database
only one config, tool is focusing on providing security : is this
allowed or not ? that's all.
And snet API can be used by others programs. As actually I'm developping
a opengl tool that is representing network informations, in real
time. This can't be done with SELinux.
But the main goal to achieve, is to make all boxes running in a LAN
aware of themselves and interact also with the main firewall, according
to the admin decisions.
sam
next prev parent reply other threads:[~2009-01-21 3:14 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-20 17:48 RFC: Mandatory Access Control for sockets aka "personal firewalls" Stephan Peijnik
2009-01-20 18:24 ` Jan Engelhardt
2009-01-20 18:56 ` Stephan Peijnik
2009-01-20 20:15 ` Samir Bellabes
2009-01-20 20:31 ` Jan Engelhardt
2009-01-20 20:53 ` Paul Moore
2009-01-20 21:42 ` Samir Bellabes
2009-01-20 21:51 ` Paul Moore
2009-01-20 19:46 ` Jonathan Day
2009-01-20 21:01 ` Paul Moore
2009-01-21 0:54 ` Samir Bellabes
2009-01-21 1:18 ` Casey Schaufler
2009-01-21 3:14 ` Samir Bellabes [this message]
2009-01-20 20:47 ` Paul Moore
2009-01-20 23:48 ` Stephan Peijnik
2009-01-21 8:18 ` Samir Bellabes
2009-01-21 14:49 ` Paul Moore
2009-01-21 0:40 ` Samir Bellabes
-- strict thread matches above, loose matches on Subject: below --
2009-01-21 7:25 Rob Meijer
2009-01-21 8:15 ` Peter Dolding
2009-01-21 8:35 ` Jan Engelhardt
2009-01-21 9:32 Rob Meijer
2009-01-21 23:28 ` Peter Dolding
2009-01-22 0:50 ` Jonathan Day
2009-01-22 0:59 ` Casey Schaufler
2009-01-22 6:29 ` Jonathan Day
2009-01-22 13:46 ` Peter Dolding
2009-01-22 17:08 ` Jonathan Day
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m2wscp1hbe.fsf@ssh.synack.fr \
--to=sam@synack.fr \
--cc=casey@schaufler-ca.com \
--cc=imipak@yahoo.com \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=stephan@peijnik.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).