Re: SMACK netfilter smacklabel socket match
From: Tilman Baumann
Date: Fri Sep 26 2008 - 04:20:19 EST
Am 26.09.2008 um 05:43 schrieb Casey Schaufler:
Tilman Baumann wrote:
Hi all,
i made some SMACK related patches. I hope this list is the right
place to post them.
Here and, probably more importantly linux-security-module@xxxxxxxxxxxxxxx
as that's
my primary hang out.
The intention behind this patch is that i needed a way to
(firewall) match for packets originating from specific processes.
The existing owner match did not work well enough, especially since
the cmd-owner part is removed.
Then i thought about a way to tag processes and somehow match this
tag in the firewall.
I recalled that SELinux can do this (SECMARK) but SELinux would
have been way to complex for what i want. But the idea was born, i
just needed something more simple.
SMACK seemed to be the right way. So i made a little primitive
netfilter match to match against the security context of sockets.
SMACK does CIPSO labels, but this was not what i wanted, i wanted
to label the socket not the packet (on the wire).
This of course only works for packets with a local socket, but this
was my intention anyway.
This way i can label a process and all it's sockets carry the same
label which i then can use to match against in the firewall.
Hmm. It looks as if your code will do what you're asking it to do.
Are you going to be happy with the access restrictions that will be
imposed by Smack?
I helped myself with rules like this.
_ foo rwx
But i wanted to add some security stuff like selinux for years,
and SMACK seems to be just great.
So i will spend some time making security rules after i got this routing
stuff to work. :)
Regards
Tilman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/