Re: SMACK netfilter smacklabel socket match

From: Casey Schaufler
Date: Wed Oct 01 2008 - 11:21:49 EST

Next message: Eric Paris: "Re: [PATCH] capability: WARN when invalid capability is requestedrather than BUG/panic"
Previous message: Linus Torvalds: "Re: [patch 2/2] PNP: don't check disabled PCI BARs for conflicts inquirk_system_pci_resources()"
In reply to: Tilman Baumann: "Re: SMACK netfilter smacklabel socket match"
Next in thread: Tilman Baumann: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Tilman Baumann wrote:

Casey Schaufler wrote:
Casey Schaufler wrote:
If you really want to be abusive you could replace the smack_access()
function in security/smack/smack_access.c (of all places) with a no-op
returning 0 in all cases.

I thought of that too. :)
But i would rather like to use the thing in it's intended function sometime in the future.

Even better.

What I then to is write iptables OUTPUT chain matches which match for any of these labels and set some connection marks and firewall marks.
Which I then can use in routing rules to give different routing rules to specific processes. (Like all proxy traffic over a second DSL line)

I know, it's totally crazy. But it seems to work. :)
I just hope the security part of this all will not break anything. But it does not look like it would right now.

Smack will eventually bite you if you're not careful, but users of
MAC systems wouldn't be surprised by that.

Speaking of the devil...
This is exactly what happened to me right now. I have problems with _some_ https connects. The problem lies somewhere in openssl.
I did not yet find any clue with strace.
Is there some straight forward way to audit/debug LSM interventions?

strace is probably your best bet, as it will tell you what syscalls
fail. Your current situation is most likely a case where your program
running with a label "Foo" is trying to communicate with a service on
a machine that doesn't talk CIPSO and hence Smack is treating all
packets to and from that host with the ambient (%cat /smack/ambient)
label, which is "_" unless you've changed it.

I have probably missed something that a labeled process could not do as a '_' process could. Have no idea right now, but it is probably something stupidly simple.

A labeled system hoping to get services from an unlabeled server is the biggest
single pain in dealing with labeled systems. Per-host labeling is in the works,
and it will help in some cases. What I really need is a way to designate an
unlabeled host as safe to talk to at any label, but it will take some serious
work to come up with a scheme that makes that palatable for a labeled environment.
I know that SELinux allows for it, but the purist in me has serious doubts.

I don't think it's crazy,
I think it's a matter of using what's available in novel ways.

I like that attitude. :)

It got me where I am today. Hmm, maybe you should be just a little bit careful.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Eric Paris: "Re: [PATCH] capability: WARN when invalid capability is requestedrather than BUG/panic"
Previous message: Linus Torvalds: "Re: [patch 2/2] PNP: don't check disabled PCI BARs for conflicts inquirk_system_pci_resources()"
In reply to: Tilman Baumann: "Re: SMACK netfilter smacklabel socket match"
Next in thread: Tilman Baumann: "Re: SMACK netfilter smacklabel socket match"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]