Re: fireflier firewall userspace program doing userspace packet filtering
From: Luke Kenneth Casson Leighton
Date: Tue Aug 31 2004 - 04:19:34 EST
On Mon, Aug 30, 2004 at 09:00:23PM +0100, Luke Kenneth Casson Leighton wrote:
> On Mon, Aug 30, 2004 at 08:16:06PM +0100, Gianni Tedesco wrote:
> > On Mon, 2004-08-30 at 19:15 +0100, Luke Kenneth Casson Leighton wrote:
> > > so, my question, therefore, is:
> > >
> > > what should i record in a modified version of ipt_owner in
> > > order to "vet" packets on a per-executable basis?
> > >
> > > should i consider recording the inode of the program's binary?
> >
> > Bear in mind that that would make sense for an ACCEPT rule, but for a
> > DROP rule, copying the binary would bypass the check.
>
> i understand!
>
> i thought that selinux by default would stop me from being
> able to copy binaries from /usr/bin.... uhn... no such luck.
>
> if it becomes an issue i will investigate removing read access!
okay.
first thing:
1) assuming that the DROP rule issue is one that cannot be avoided,
and that a rules design policy of "deny everything and only allow
specifics" is required, then checking on the _full_ pathname
of the program is required.
second thing:
2) it _is_ possible to hunt through the selinux policy macros to
remove the execute permission on binaries that a user drops into
their home directory, or copies into their home directory.
l.
--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net";> lkcl.net </a> <br />
<a href="mailto:lkcl@xxxxxxxx";> lkcl@xxxxxxxx </a> <br />
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/