From: Casey Schaufler <casey@schaufler-ca.com>
To: Tilman Baumann <tilman.baumann@collax.com>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Mon, 29 Sep 2008 20:29:05 -0700 [thread overview]
Message-ID: <48E19D01.9050809@schaufler-ca.com> (raw)
In-Reply-To: <48E1007F.4000400@collax.com>
Tilman Baumann wrote:
>
>
> Casey Schaufler wrote:
>> Tilman Baumann wrote:
>
>>>> Hmm. It looks as if your code will do what you're asking it to do.
>>>> Are you going to be happy with the access restrictions that will be
>>>> imposed by Smack?
>>>
>>> I helped myself with rules like this.
>>> _ foo rwx
>>> But i wanted to add some security stuff like selinux for years,
>>> and SMACK seems to be just great.
>>> So i will spend some time making security rules after i got this
>>> routing
>>> stuff to work. :)
>>>
>> I confess that I'm still not completely sure what you're up too,
>> but you might want to look at smackpolyport (it's in the smack-util
>> tarball) and might make your life easier if you want to have a
>> single server (running at foo) that deals with connections from
>> processes with multiple labels.
>
> I'm essentially using this as some kind of iptables owner-match on
> steroids.
> Owner match allows to filter on the processes uid, gid, and some other
> process attributes.
> Unfortunately owner match is pretty much useless because of it's
> limited matching capabilities.
>
> I'm really just abusing the way how security contexts of processes are
> transfered to all it's sockets.
> This way I can label a process with a specific label which then gets
> transfered to all of it's sockets.
> With this match I can look at the label via the socket of any packet
> in iptables.
> I'm pretty much ignoring the Security aspect of SMACK right now and
> just use it as some label that I can stick to processes.
>
If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.
> What I then to is write iptables OUTPUT chain matches which match for
> any of these labels and set some connection marks and firewall marks.
> Which I then can use in routing rules to give different routing rules
> to specific processes. (Like all proxy traffic over a second DSL line)
>
> I know, it's totally crazy. But it seems to work. :)
> I just hope the security part of this all will not break anything. But
> it does not look like it would right now.
Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that. I don't think it's crazy,
I think it's a matter of using what's available in novel ways. Don't
hesitate if there's anything I can do to be helpful.
next prev parent reply other threads:[~2008-09-30 3:29 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-25 17:25 SMACK netfilter smacklabel socket match Tilman Baumann
2008-09-25 18:26 ` Paul Moore
2008-09-25 19:26 ` Tilman Baumann
2008-09-25 19:57 ` Paul Moore
2008-09-25 20:32 ` Tilman Baumann
2008-09-26 12:35 ` Tilman Baumann
2008-09-26 19:55 ` Paul Moore
2008-09-26 3:43 ` Casey Schaufler
2008-09-26 8:19 ` Tilman Baumann
2008-09-27 5:01 ` Casey Schaufler
2008-09-29 16:21 ` Tilman Baumann
2008-09-30 3:29 ` Casey Schaufler [this message]
2008-10-01 11:29 ` Tilman Baumann
2008-10-01 15:21 ` Casey Schaufler
2008-10-01 16:55 ` Tilman Baumann
2008-10-01 18:22 ` Casey Schaufler
2008-10-06 12:57 ` Tilman Baumann
2008-10-06 23:05 ` Ahmed S. Darwish
2008-10-07 2:42 ` Casey Schaufler
2008-10-17 16:57 ` Tilman Baumann
2008-10-17 17:53 ` Casey Schaufler
2008-10-20 12:06 ` Tilman Baumann
2008-10-20 15:01 ` Casey Schaufler
2008-10-22 3:36 ` Casey Schaufler
2008-10-30 16:06 ` Tilman Baumann
2008-10-31 3:46 ` Casey Schaufler
2008-12-11 0:03 ` Casey Schaufler
2008-12-11 10:18 ` Tilman Baumann
2008-12-11 16:29 ` Casey Schaufler
2008-10-23 11:55 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48E19D01.9050809@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tilman.baumann@collax.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).