October 18, 2006
This article was contributed by Jake Edge.
Current kernel-level security mechanisms, such as
SELinux, are focused
strictly on securing local resources and are not concerned with communicating
any security information to other machines on the network. The
NetLabel project aims to
change that by providing packet labeling
capabilities for the kernel. The initial implementation, with support for
Common IP Security Option (CIPSO) labeling, has been included in the 2.6.19
kernel.
CIPSO is an IETF
draft
that has been adopted by a number of vendors and
is one of several network labeling standards that are used by 'trusted'
operating systems. In order to interoperate with these systems and to
replace them, Linux needs to be able to provide the same capabilities.
At its core, CIPSO is an agreement between systems on a set of labels (or tags)
describing the security level or context of the process that is sending
the packets. CIPSO users define a 'domain of interpretation' (DOI) that
governs the interpretation of those tags so that both ends of the
conversation can determine whether the other process has the authorization
necessary for that communication. The DOI and labels are placed into
the options portion of every IP packet that is sent and, based on those
values, security requirements
can be enforced at the kernel level. If a process attempts to communicate
outside of its authorized scope, the kernel can drop the packet.
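
To make the option layout concrete, here is an added example (not code from the NetLabel project or the kernel) that parses a CIPSO IPv4 option holding a single bit-mapped tag, following the field layout in the CIPSO draft, and then applies a simplified label check. The struct, the `cipso_permit` policy and the sample bytes are assumptions constructed for illustration; in NetLabel the real access decision belongs to the LSM.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIPSO_OPT_TYPE   134 /* IPv4 option number used by CIPSO */
#define CIPSO_TAG_BITMAP 1   /* tag type 1: level plus category bitmap */
struct cipso_label {
    uint32_t doi;      /* domain of interpretation */
    uint8_t  level;    /* sensitivity level */
    uint8_t  cats[30]; /* category bitmap; category 0 is the MSB of byte 0 */
};

/* Parse an option with exactly one type-1 tag; -1 means drop the packet. */
int cipso_parse(const uint8_t *opt, size_t n, struct cipso_label *out)
{
    if (n < 10 || n > 40 || opt[0] != CIPSO_OPT_TYPE || opt[1] != n)
        return -1;
    const uint8_t *tag = opt + 6;          /* skip type, length, 4-byte DOI */
    size_t tlen = tag[1];
    if (tag[0] != CIPSO_TAG_BITMAP || tlen < 4 || 6 + tlen != n)
        return -1;
    memset(out, 0, sizeof(*out));
    out->doi = (uint32_t)opt[2] << 24 | (uint32_t)opt[3] << 16 |
               (uint32_t)opt[4] << 8 | opt[5];
    out->level = tag[3];                   /* tag[2] is an alignment octet */
    memcpy(out->cats, tag + 4, tlen - 4);  /* at most 30 bytes since n <= 40 */
    return 0;
}

/* Hypothetical policy: same DOI, level within clearance, categories a subset. */
int cipso_permit(const struct cipso_label *pkt, const struct cipso_label *clr)
{
    if (pkt->doi != clr->doi || pkt->level > clr->level)
        return 0;
    for (size_t i = 0; i < sizeof(pkt->cats); i++)
        if (pkt->cats[i] & ~clr->cats[i])
            return 0;
    return 1;
}

/* Constructed sample option: DOI 3, level 5, categories 0 and 9. */
static const uint8_t sample_opt[] = {134, 12, 0, 0, 0, 3, 1, 6, 0, 5, 0x80, 0x40};
int main(void)
{
    struct cipso_label pkt, clr = {.doi = 3, .level = 4, .cats = {0xC0, 0x40}};
    int rc = cipso_parse(sample_opt, sizeof(sample_opt), &pkt);
    printf("parse=%d permit=%d\n", rc, rc == 0 && cipso_permit(&pkt, &clr));
    return 0;
}
```

The receiver in `main` is cleared only to level 4, so the level-5 sample packet is refused even though its DOI and categories match.
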
NetLabel is a mechanism to put CIPSO information into outgoing packets and to
examine incoming packets for their tags. It uses the
Linux Security Module (LSM) hooks
to implement the labeling and checking. It also interfaces with SELinux to
provide label information based on the SELinux context. Incoming sockets
get a context that is based on the CIPSO tag and the context of the listening
socket. In this way, access to specific services can be restricted to remote
processes with the proper authorization.
Management of NetLabel is handled through the netlink socket interface;
user space tools to configure it are available from the project page.
The complexity of configuring NetLabel and SELinux is likely to be daunting
to the uninitiated, but for those installations that already use CIPSO, it
should be relatively straightforward.
NetLabel's design goals include a well-contained implementation that uses
existing kernel hooks as well as minimal performance impact when
enabled but not configured. By running the gauntlet of kernel developers and
being included in the kernel, NetLabel has likely met both of those goals.
The current implementation provides minimal
CIPSO support, just one tag type and none of the configuration parameters,
but support for this additional functionality is planned, as is support
for additional labeling protocols.
CIPSO and NetLabel are not for everyone; in fact, they are likely to be
much less widely adopted than SELinux. CIPSO only works
on very strictly controlled networks as there is nothing
in the specification that prevents unauthorized machines from claiming
authorization; the system and router configuration must prevent that kind
of behavior. In addition, it provides yet another configuration
challenge for administrators to get through before their systems will perform
correctly. But for those installations that do need it, this work and its
future additions should be very well received.