Re: [PATCH net-2.6.25] Add packet filtering based on process'ssecurity context.

Hello.

James Morris wrote:
> From memory, one approach under discussion was to add netfilter hooks to
> the transport layer, which could be invoked correctly by each type of
> protocol when the target process is selected.
>
> If this is done for netfilter, then an LSM hook is probably not needed at
> all, as security modules can utilize netfilter hooks directly.

Patrick McHardy says (at http://marc.info/?l=linux-netdev&m=118495005800410&w=2 ) "Even with socket filters netfilter doesn't know the final receipient  process, that is not known until it calls recvmsg and the data is read,  which is too late for netfilter."

> > Precautions: This approach has a side effect which unlikely occurs.
> >
> > If a socket is shared by multiple processes with different policy,
> > the process who should be able to accept this connection
> > will not be able to accept this connection
> > because socket_post_accept() aborts this connection.
> > But if socket_post_accept() doesn't abort this connection,
> > the process who must not be able to accept this connection
> > will repeat accept() forever, which is a worse side effect.
I think this change is needed regardless of whether to use connection filtering or not. Currently, SELinux doesn't use socket_post_accept(). | * @socket_post_accept: | * This hook allows a security module to copy security | * information into the newly created socket's inode.

But if one wants to *copy* security information to accept()ed socket, the location after fd_install() is too late to copy because the userland process can access accept()ed socket's fd whose security information is not copied yet.

Also, if one wants to *assign* security information to accept()ed socket, it might attend memory allocation which can fail. So, use of void for socket_post_accept() deprives a security module of a chance to abort this connection if the security module failed to *assign* security information.

Regards.

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

• This message: [ Message body ]
• Next message: James Morris: "[PATCH -mm 2/2] do_wait: cleanup delay_group_leader() usage (fwd)"
• Previous message: James Morris: "Re: [PATCH net-2.6.25] Add packet filtering based on process's security context."
• In reply to: James Morris: "Re: [PATCH net-2.6.25] Add packet filtering based on process's security context."
• Next in thread: Samir Bellabes: "Re: [PATCH net-2.6.25] Add packet filtering based on process'ssecurity context."
• Reply: Samir Bellabes: "Re: [PATCH net-2.6.25] Add packet filtering based on process'ssecurity context."
• Maybe reply: Tetsuo Handa: "Re: [PATCH net-2.6.25] Add packet filtering based on process'ssecurity context."

• Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]