
[RFC] snet - Security for NETwork syscalls

From:  Samir Bellabes <sam-AT-synack.fr>
To:  linux-security-module-AT-vger.kernel.org
Subject:  [RFC] snet - Security for NETwork syscalls
Date:  Mon, 19 Jan 2009 05:17:28 +0100
Message-ID:  <m2eiz06iav.fsf@ssh.synack.fr>

hi lsm users,

as the discussion thread "RFC: Socket MAC LSM" put a question on how to
build a simple personal firewall, I am pleased to introduce the snet tool.

As you may remember [0], I worked on the "network event connector"
(cn_net). The main idea is to capture events coming from userspace,
whenever a process is doing some network syscall (sys_listen,
sys_bind, ..) and send useful related information to userspace to
decide if the syscall has to be accepted or denied.

As cn_net was a proof of concept, I moved to this new tool, snet.
Main improvements are:
 * using the libnl, instead of connector.
 * having a library in userspace, instead of a direct daemon.

snet is a kernel patch and a userspace library + sample tools:
 * kernel code is using LSM, and communicates with userspace with libnl.
 * userspace code is built as a library, so it's easy to use it in your
   own code, in order to intercept "events".

Here is the output of the example program available with the userspace
part.

    * verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256
      id=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80

    * verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123
      pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0

This information is available through the library callback function.

As you can guess, at this point it's really easy to log this into a
database or build a personal firewall.

The great idea is that it's supporting all network protocols and all
network families easily, as we are at the socket level.

I assume not everything is perfect for a "true" code release.
But this is working well for me. And I chose to stop delaying release
and show some code, as more people are trying to do the same thing.

You can download the userspace part here:
http://www.synack.fr/project/snet/release/snetd-0.1.tar.bz2

The homepage is available here: http://www.synack.fr/project/snet/

[0] http://www.spinics.net/lists/netdev/msg24437.html

thanks

-- 

Samir Bellabes (6):
      snet: initial commit
      snet: filtering behaviour and default policy
      snet: support for socket_create()
      snet: fixing output format
      snet: support verdict timeout
      snet: make sequence number atomic

 Kconfig                     |    1 
 Makefile                    |    2 
 snet/Kconfig                |   12 
 snet/Makefile               |    8 
 snet/include/snet.h         |   21 +
 snet/include/snet_hash.h    |   18 +
 snet/include/snet_hooks.h   |   22 +
 snet/include/snet_netlink.h |  207 ++++++++++++++
 snet/include/snet_utils.h   |    8 
 snet/include/snet_verdict.h |   27 +
 snet/snet_core.c            |   90 ++++++
 snet/snet_hash.c            |  247 +++++++++++++++++
 snet/snet_hooks.c           |  624 ++++++++++++++++++++++++++++++++++++++++++++
 snet/snet_netlink.c         |  624 ++++++++++++++++++++++++++++++++++++++++++++
 snet/snet_utils.c           |   14 
 snet/snet_verdict.c         |  226 +++++++++++++++
 16 files changed, 2151 insertions(+)
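An added example, not part of snet or of this message, of the kind of default-deny personal-firewall policy a daemon could apply to the events shown above. It parses the text format printed by the sample program (the library hands the same fields to a callback; that API is not used here) and returns an accept/deny decision per verdict_id. The rule set, the helper names and the last two sample lines are constructed for this example.

```python
import re

# Constructed sample events in the text format shown in the message above;
# the first two are the quoted lines, the last two are made up to exercise the deny path.
SAMPLE_EVENTS = [
    "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 "
    "id=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80",
    "verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 "
    "pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0",
    "verdict_id=0x5 syscall=CONNECT protocol=6 [tcp] family=2 uid=1000 "
    "pid=6001 [tcpconnect] 0.0.0.0:0->192.0.2.10:22",
    "verdict_id=0x6 syscall=LISTEN protocol=6 [tcp] family=2 uid=1000 "
    "pid=6002 [tcplisten] 0.0.0.0:8080->0.0.0.0:0",
]

# The trailing "src:port->dst:port" pair at the end of every event line.
ENDPOINTS_RE = re.compile(r"(\S+):(\d+)->(\S+):(\d+)$")

def parse_event(line):
    """Split one text event into key=value fields plus src/dst (addr, port) tuples."""
    ev = {}
    for tok in line.split():
        if "=" not in tok:
            continue  # bracketed tags such as [tcp] carry no '=' and are skipped
        key, val = tok.split("=", 1)
        # verdict_id is hex (0xd -> 13); protocol, family, uid, pid are decimal
        ev[key] = int(val, 0) if val.startswith("0x") or val.isdigit() else val
    m = ENDPOINTS_RE.search(line)
    if m is None:
        raise ValueError("event has no src->dst endpoints: " + line)
    ev["src"] = (m.group(1), int(m.group(2)))
    ev["dst"] = (m.group(3), int(m.group(4)))
    return ev

# Constructed policy: outbound connects only to an allow-list of ports,
# listeners only on loopback unless the caller is root. Everything else is denied.
ALLOWED_CONNECT_PORTS = {80, 443}

def verdict(ev):
    """Return 'ACCEPT' or 'DENY' for one parsed event (default deny)."""
    if ev.get("syscall") == "CONNECT" and ev["dst"][1] in ALLOWED_CONNECT_PORTS:
        return "ACCEPT"
    if ev.get("syscall") == "LISTEN" and (ev["src"][0] == "127.0.0.1" or ev.get("uid") == 0):
        return "ACCEPT"
    return "DENY"

def decide(lines):
    """Map each event's verdict_id to the decision a daemon would send back."""
    return {ev["verdict_id"]: verdict(ev) for ev in map(parse_event, lines)}
```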
