Re: SMACK netfilter smacklabel socket match

From: Tilman Baumann
Date: Thu Oct 30 2008 - 12:06:33 EST




Casey Schaufler wrote:
Tilman Baumann wrote:
If you're up to trying out something that you know is going to get
rewhacked before it goes in anywhere let me know.

Sure. I will be happy to use that.
Just tell me where to find it and how to use it and what I should look out for.


You'll need to start out with Paul Moore's testing tree:

% git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Apply the attached patch (attachments are discouraged for review purposes,
but this is handier for this purpose) and compile.

This is NOT production code. Again, we're hashing out the netlabel api and
we know that they are going to change. This is demo only. The amount of
testing it's gotten is really small.

I have created a new system label "@", pronounced "at" and referred to as
the internet label. Processes cannot be assigned the internet label. A
subject with the internet label (as identified by a packet thus labeled)
can write to any object and any subject can write to an object thus labeled,
thereby explicitly blowing a hole in the Access Control Policy.

Have fun, let me know what you hit next.

Sorry for the long delay. I was annoyingly occupied with other things.

I just tried this out. But one thing makes me wonder if I had understood what it should do.
The syntax for /smack/slhost is IP[/MASK] LABEL.
When I give one host (in my case generously 0.0.0.0/0 *g*) a label what is the significance of the @ label?
First I used the _ label here which had the effect that everything seems to work but labeled processes still produced labeled packet which got slaughtered in different ways and degrees over the internet.
If I gave my slhost the @ label my machine was offline and did not even get pings out locally.

I get the feeling I did not understand the concept yet.
Sorry but if you don't mind giving me a hint...

--
Tilman Baumann
Software Developer
Collax GmbH . Boetzinger Strasse 60 . 79111 Freiburg . Germany

p: +49 (0) 89-990157-0
f: +49 (0) 89-990157-11

Geschaeftsfuehrer: William K. Hite / Boris Nalbach
AG Muenchen HRB 158898, Ust.-IdNr: DE 814464942
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/