Re: SMACK netfilter smacklabel socket match

From: Casey Schaufler
Date: Wed Dec 10 2008 - 19:10:21 EST


Tilman Baumann wrote:


Casey Schaufler wrote:
Tilman Baumann wrote:
If you're up to trying out something that you know is going to get
rewhacked before it goes in anywhere let me know.

Sure. I will be happy to use that.
Just tell me where to find it and how to use it and what I should look out for.


You'll need to start out with Paul Moore's testing tree:

% git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_testing

Apply the attached patch (attachments are discouraged for review purposes,
but this is handier for this purpose) and compile.

This is NOT production code. Again, we're hashing out the netlabel api and
we know that they are going to change. This is demo only. The amount of
testing it's gotten is really small.

I have created a new system label "@", pronounced "at" and referred to as
the internet label. Processes cannot be assigned the internet label. A
subject with the internet label (as identified by a packet thus labeled)
can write to any object and any subject can write to an object thus labeled,
thereby explicitly blowing a hole in the Access Control Policy.

Have fun, let me know what you hit next.

Sorry for the long delay. I was annoyingly occupied with other things.

My turn!


I just tried this out. But one thing makes me wonder if I had understood what it should do.
The syntax for /smack/slhost is IP[/MASK] LABEL.
When I give one host (in my case generously 0.0.0.0/0 *g*) a label what is the significance of the @ label?
First I used the _ label here which had the effect that everything seems to work but labeled processes still produced labeled packet which got slaughtered in different ways and degrees over the internet.
If I gave my slhost the @ label my machine was offline and did not even get pings out locally.

I get the feeling I did not understand the concept yet.
Sorry but if you don't mind giving me a hint...


OK, Paul and I knocked our heads together until we got the behavior and
interfaces ironed out if not to our mutual satisfaction at least to a
workable level. Paul's next tree:

% git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_next

has the current version. There are a couple interesting things going on.

- /smack/nltype is gone. It never lived up to its promise and is no
longer required to determine the labeling scheme.
- /smack/netlabel replaces the earlier /smack/slhost because it better
describes what it gets used for.
- The "@" label (pronounced "web") has been added to the list of special
labels. A packet with the web label will get delivered anywhere. A
network address specified to have the web label can be written to by
any process. Processes can not have the web label.
- An incoming packet from an address in the netlabel list that has a CIPSO
label attached will still use the label from the CIPSO packet.
- An unlabeled packet coming from an address in the netlabel list will be
given the label associated with that address.
- A process that wants to send a packet to an address on the list needs
write access to the label associated with that address. The packet will
be sent unlabeled if it is allowed.

So, if I want my old Sony to be treated as a single-label host with the
label "Pop" I can say:

# echo 192.168.1.102/32 Pop > /smack/netlabel

If I want the secondary network for my development machines to be single-label

# echo 192.168.2.0/24 Snap > /smack/netlabel

And if I want everyone to be able to communicate with my spam server

# echo 207.69.188.187 '@' > /smack/netlabel


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/