Re: SMACK netfilter smacklabel socket match

From: Casey Schaufler
Date: Mon Oct 06 2008 - 22:47:30 EST

Next message: Paul E. McKenney: "Re: RCU hang on cpu re-hotplug with 2.6.27rc8"
Previous message: Suresh Siddha: "Re: [patch 3/7] x86, cpa: make the kernel physical mapping initialization a two pass sequence"
In reply to: Ahmed S. Darwish: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tilman Baumann wrote:

Casey Schaufler wrote:
Tilman Baumann wrote:
Casey Schaufler wrote:
If I set /smack/nltype to 'unlabeled' I have effectively shut off the network.
I guess I'm missing some essential point here.
Sorry to bother you with such trivialities.

Not to worry. The essential point is that with MAC you can't just lock
the doors, you have to lock the windows as well. What I mean by that is
that traditional access controls apply to files, but not network
communications. Network communications became popular in part because
they were allowed to leave any restrictions up to the applications
and their protocols. MAC requirements are pickier than that. The good
news is that with a scheme like CIPSO you can easily enforce the
policy. The bad news is that network services in general assume that
there is no policy being enforced on them.

This might work well in trusted networks.
But Internet is untrusted and needs to work too. At least in the most real world scenarios. :)

Yes. I'm pretty close to convinced that it needs to be included as
part of the single-label host solution. Not that it can possibly be
excused in any real secure environment mind you.

If i set /smack/nltype to 'unlabled' i don't even get SYN packets out. (operation not permitted)

That's probably a bug, but I think the "fix" is to disable the ability to
set the nltype to anything other than CIPSO at least for the time being.

Well, there is a case statement in smack_lsm.c that checks for the nltype (smack_net_nltype) and omits net labeling if cipso is not set.
This seems to be a very sensible thing to do. I strongly advice for a way to omit netlabel based access control.

Yes, I hear you.

As soon as you leave controlled and trusted networks, netlabels seem in my eyes like a maybe even critical information leak.

btw. I tried return 0; in smk_access(), but it did not make networking work again with nltype set to unlabled. So I guess the problem is not some access check.

If you have any idea how i can avoid any cipso labels on the network but use smack for local access control?
I don't try to secure information channels. Our system is a general purpose server, it would defeat the purpose of our system to lock it up since our clients are never going to use cipso.

I'm pretty sure the cipso labels are the problem. Since I can easily access resources in the local network. But things break when I access over Internet.
And I can not even expect this to work in any network where the system will be deployed.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Paul E. McKenney: "Re: RCU hang on cpu re-hotplug with 2.6.27rc8"
Previous message: Suresh Siddha: "Re: [patch 3/7] x86, cpa: make the kernel physical mapping initialization a two pass sequence"
In reply to: Ahmed S. Darwish: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]