[patch] to add device+inode check to ipt_owner.c - HACKED UP

From: Luke Kenneth Casson Leighton
Date: Wed Sep 08 2004 - 04:59:48 EST

Next message: Duncan Sands: "Re: [PATCH] netpoll endian fixes"
Previous message: Ingo Molnar: "Re: [patch] voluntary-preempt-2.6.9-rc1-bk12-R9"
Next in thread: Arjan van de Ven: "Re: [patch] to add device+inode check to ipt_owner.c - HACKED UP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

dear kernel people,

this is a first pass at attempting to add per-program firewall rule
checking to iptables.

fireflier makes a complete hash of this in user-space because there
is no way it track state information (therefore it cannot track RST
and FIN and FIN ACK packets)

so, i figured i'd try do this in kernel space instead, where it
should be done.

digitally signing the name of the exe is not okay.
_using_ the name of the exe isn't really okay in my book, either.

inodes are only meaningful on a per-device basis.

therefore i add a device (80 chars as a hack) and an inode number
argument to ipt_owner.h

i blatantly cut/paste the code from fs/proc/base.c into ipt_owner.c
only to find that a compile resulted in warnings about mmput
and mmget (present in kernel/sched.c) not existing.

therefore i blatantly hacked fs/proc/base.c to expose the functionality
i required, which is, "given a task struct, give me the dentry and
vfsmount structs associated with its executable". i called it
proc_task_dentry_lookup().

from there, i can grab the inode number and the device name.

i had to add an EXPORT_SYMBOL(proc_task_dentry_lookup).
i realise this is not ideal (it shouldn't be in fs/proc/base.c,
ipt_owner.c shouldn't be dependent on CONFIG_PROC_FS, etc. at
this stage i don't care)

i feel certain that the functionality required in this function
is not only required elsewhere but also available elsewhere
(in which case, why is it being duplicated in fs/proc/base.c)
so clearly i must be missing something.

from previous messages:

- default rules should be "DENY ALL" and invididual "ALLOW"s this patch
is NOT good to use with "DENY" rules because users can always copy the
program (even on selinux systems)

anyone reading this far be warned of the following:

- if you don't like what i have done, i so don't care: i HAVE to
get this to work and no amount of "i don't like" is going to
take that away. don't like it? save yourself some effort:
delete this message and your mindset.

- if you do like what i have done, and you are not an experienced
kernel hacker, please be aware that i am still experimenting,
i am very much in the dark on this, and your input and
assistance would be greatly appreciated, but you NEED to take
precautions to ensure it doesn't do your system any damage.

- you'll also need a hacked version of userspace iptables.
i'm working on it.

with that in mind, comments and assistance much appreciated because
i feel certain that i cannot be the only person looking for this
sort of functionality.

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net";> lkcl.net </a> <br />
<a href="mailto:lkcl@xxxxxxxx";> lkcl@xxxxxxxx </a> <br />

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Duncan Sands: "Re: [PATCH] netpoll endian fixes"
Previous message: Ingo Molnar: "Re: [patch] voluntary-preempt-2.6.9-rc1-bk12-R9"
Next in thread: Arjan van de Ven: "Re: [patch] to add device+inode check to ipt_owner.c - HACKED UP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]