linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Casey Schaufler <casey@schaufler-ca.com>
To: Tilman Baumann <tilman.baumann@collax.com>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org
Subject: Re: SMACK netfilter smacklabel socket match
Date: Mon, 29 Sep 2008 20:29:05 -0700	[thread overview]
Message-ID: <48E19D01.9050809@schaufler-ca.com> (raw)
In-Reply-To: <48E1007F.4000400@collax.com>

Tilman Baumann wrote:
>
>
> Casey Schaufler wrote:
>> Tilman Baumann wrote:
>
>>>> Hmm. It looks as if your code will do what you're asking it to do.
>>>> Are you going to be happy with the access restrictions that will be
>>>> imposed by Smack?
>>>
>>> I helped myself with rules like this.
>>> _ foo rwx
>>> But i wanted to add some security stuff like selinux for years,
>>> and SMACK seems to be just great.
>>> So i will spend some time making security rules after i got this 
>>> routing
>>> stuff to work. :)
>>>
>> I confess that I'm still not completely sure what you're up too,
>> but you might want to look at smackpolyport (it's in the smack-util
>> tarball) and might make your life easier if you want to have a
>> single server (running at foo) that deals with connections from
>> processes with multiple labels.
>
> I'm essentially using this as some kind of iptables owner-match on 
> steroids.
> Owner match allows to filter on the processes uid, gid, and some other 
> process attributes.
> Unfortunately owner match is pretty much useless because of it's 
> limited matching capabilities.
>
> I'm really just abusing the way how security contexts of processes are 
> transfered to all it's sockets.
> This way I can label a process with a specific label which then gets 
> transfered to all of it's sockets.
> With this match I can look at the label via the socket of any packet 
> in  iptables.
> I'm pretty much ignoring the Security aspect of SMACK right now  and 
> just use it as some label that I can stick to processes.
>

If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.

> What I then to is write iptables OUTPUT chain matches which match for 
> any of these labels and set some connection marks and firewall marks.
> Which I then can use in routing rules to give different routing rules 
> to specific processes. (Like all proxy traffic over a second DSL line)
>
> I know, it's totally crazy. But it seems to work. :)
> I just hope the security part of this all will not break anything. But 
> it does not look like it would right now.

Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that. I don't think it's crazy,
I think it's a matter of using what's available in novel ways. Don't
hesitate if there's anything I can do to be helpful.


  reply	other threads:[~2008-09-30  3:29 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-09-25 17:25 SMACK netfilter smacklabel socket match Tilman Baumann
2008-09-25 18:26 ` Paul Moore
2008-09-25 19:26   ` Tilman Baumann
2008-09-25 19:57     ` Paul Moore
2008-09-25 20:32       ` Tilman Baumann
2008-09-26 12:35   ` Tilman Baumann
2008-09-26 19:55     ` Paul Moore
2008-09-26  3:43 ` Casey Schaufler
2008-09-26  8:19   ` Tilman Baumann
2008-09-27  5:01     ` Casey Schaufler
2008-09-29 16:21       ` Tilman Baumann
2008-09-30  3:29         ` Casey Schaufler [this message]
2008-10-01 11:29           ` Tilman Baumann
2008-10-01 15:21             ` Casey Schaufler
2008-10-01 16:55               ` Tilman Baumann
2008-10-01 18:22                 ` Casey Schaufler
2008-10-06 12:57                   ` Tilman Baumann
2008-10-06 23:05                     ` Ahmed S. Darwish
2008-10-07  2:42                     ` Casey Schaufler
2008-10-17 16:57                       ` Tilman Baumann
2008-10-17 17:53                         ` Casey Schaufler
2008-10-20 12:06                           ` Tilman Baumann
2008-10-20 15:01                             ` Casey Schaufler
2008-10-22  3:36                             ` Casey Schaufler
2008-10-30 16:06                               ` Tilman Baumann
2008-10-31  3:46                                 ` Casey Schaufler
2008-12-11  0:03                                 ` Casey Schaufler
2008-12-11 10:18                                   ` Tilman Baumann
2008-12-11 16:29                                     ` Casey Schaufler
2008-10-23 11:55                           ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48E19D01.9050809@schaufler-ca.com \
    --to=casey@schaufler-ca.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=tilman.baumann@collax.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).