Re: SMACK netfilter smacklabel socket match

[Casey Schaufler]

Tilman Baumann wrote:
> Casey Schaufler wrote:
> > Tilman Baumann wrote:
> > > > If you're up to trying out something that you know is going to get
> > > > rewhacked before it goes in anywhere let me know.
> > >
> > > Sure. I will be happy to use that.
> > > Just tell me where to find it and how to use it and what I should 
> > > look out for.
> >
> > You'll need to start out with Paul Moore's testing tree:
> >
> > % git clone git://git.infradead.org/users/pcmoore/lblnet-2.6_testing
> >
> > Apply the attached patch (attachments are discouraged for review 
> > purposes,
> > but this is handier for this purpose) and compile.
> >
> > This is NOT production code. Again, we're hashing out the netlabel 
> > api and
> > we know that they are going to change. This is demo only. The amount of
> > testing it's gotten is really small.
> >
> > I have created a new system label "@", pronounced "at" and referred 
> > to as
> > the internet label. Processes cannot be assigned the internet label. A
> > subject with the internet label (as identified by a packet thus labeled)
> > can write to any object and any subject can write to an object thus 
> > labeled,
> > thereby explicitly blowing a hole in the Access Control Policy.
> >
> > Have fun, let me know what you hit next.
>
> Sorry for the long delay. I was annoyingly occupied with other things.
>
> I just tried this out. But one thing makes me wonder if I had 
> understood what it should do.
> The syntax for /smack/slhost is IP[/MASK] LABEL.

OK, I made a mistake here. The syntax will allow for a mask soon, but
the code I passed along only supports IP addresses, not ranges. For
your case you'll need to have an entry for each of the three hosts.

> When I give one host (in my case generously 0.0.0.0/0 *g*) a label 
> what is the significance of the @ label?
> First I used the _ label here which had the effect that everything 
> seems  to work but labeled processes still produced labeled packet 
> which got slaughtered in different ways and degrees over the internet.
> If I gave my slhost the @ label my machine was offline and did not 
> even get pings out locally.

I don't think that I've passed along the patch that supports "@" yet.
I'm hoping to give it a little bit of test before it goes out. Sorry
that I seem to have given you the impression that it should work
already.

> I get the feeling I did not understand the concept yet.
> Sorry but if you don't mind giving me a hint...

Now where's the fun in giving out hints? (smiley goes here)

The idea behind the "@" label is that there are a class of people who
don't trust the other processes on their machine, but who are willing to
trust anything so long as it comes off the network. Further, anything that
they put on the network is inherently worthy of trust. Somehow this does
not match my personal notions, but it is a common request.

So, a packet labeled "@" will be delivered to any socket. A single-label
host at "@" will accept packets from anyone. It's a wild-card, no holds 
barred,
laze fair approach to networking that makes no sense whatsoever from a
security standpoint but that everyone seems to believe is necessary.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/