Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c

From: Luke Kenneth Casson Leighton
Date: Thu Sep 09 2004 - 18:59:39 EST

Next message: Luke Kenneth Casson Leighton: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Previous message: Nathan Bryant: "Re: [PATCH] Fix for spurious interrupts on e100 resume"
In reply to: Chris Wright: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Next in thread: Chris Wright: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Sep 09, 2004 at 04:04:49PM -0700, Chris Wright wrote:

> > what's the disconnect between the task_list and the sockets (sk_buff)
> > that makes that [not knowing which one will be woken up] relevant?
>
> There's nothing stopping the following:
>
> exec good_proc
> socket()
> fork
> exec bad_proc

> Now good_proc and bad_proc are sharing a socket. Packet comes in
> destined for that socket. Rule says it's ok to deliver to socket
> (because of good_proc).

> Packet delivered to socket, wakes up waiters
> (good and bad). Now, what's stopping the bad_proc from reading from the
> socket?

okay.

i am not so worried about this scenario _because_:

under an selinux system, you would set up a policy which only
allowed the good_proc to exec other_good_procs (with the
macro can_exec(good_proc, { other_good_proc1, other_good_proc2 })

consequently, you'd design your firewall rules (in conjunction with
your selinux policy) to add _two_ dev+inode-program-enabled firewall rules
to cover the same socket, e.g. apache2 (good_proc) and some cgi script
helper (other_good_proc) - one for each program:

iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/bin/apache2 -j ACCEPT

and:

iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/cgi-bin/blahblah -j ACCEPT

> > so it's a socket: let's take an example - and i'm assuming for now
> > that things like passing file descriptors over unix-domain-sockets
> > between processes just ... doesn't happen, okay? :)
>
> These do happen, which is part of the problem ;-)

i would not consider this to be a problem [in an environment where
you specify DENY as the default and ALLOW specific instances]

under such circumstances [file descs passed between programs]...
you would end up having to create _two_ program-specific rules, like
above.

one for each of the two programs.

[this has got to be better than the present situation, where you have
to "iptables -A OUTPUT -m tcp --sport=25" and that allows ANY process
under the sun to have data escaping on port 25.]

l.

--
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net";> lkcl.net </a> <br />
<a href="mailto:lkcl@xxxxxxxx";> lkcl@xxxxxxxx </a> <br />

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luke Kenneth Casson Leighton: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Previous message: Nathan Bryant: "Re: [PATCH] Fix for spurious interrupts on e100 resume"
In reply to: Chris Wright: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Next in thread: Chris Wright: "Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]