
Re: [RFC] snet - Security for NETwork syscalls

From:  Paul Moore <paul.moore-AT-hp.com>
To:  Peter Dolding <oiaohm-AT-gmail.com>
Subject:  Re: [RFC] snet - Security for NETwork syscalls
Date:  Wed, 21 Jan 2009 09:55:13 -0500
Message-ID:  <200901210955.13963.paul.moore@hp.com>
Cc:  Samir Bellabes <sam-AT-synack.fr>, linux-security-module-AT-vger.kernel.org

On Wednesday 21 January 2009 3:37:07 am Peter Dolding wrote:
> On Wed, Jan 21, 2009 at 8:52 AM, Samir Bellabes <sam@synack.fr> wrote:
> > Paul Moore <paul.moore@hp.com> writes:
> >> On Sunday 18 January 2009 11:17:28 pm Samir Bellabes wrote:
> >>> hi lsm users,
> >>>
> >>> as the discussion thread "RFC: Socket MAC LSM" put a question on
> >>> how to build a simple personal firewall, I am pleased to introduce
> >>> the snet tool ...
> >>
> >> Hello,
> >>
> >> Thanks for posting this, but as it stands right now I think we
> >> need a bit more discussion before we pursue a personal firewall
> >> solution.
> >
> > sure
> >
> >> Regardless, I do like the approach you took of deferring the
> >> actual decision processing to userspace; this should allow
> >> multiple personal firewall implementations without the need for
> >> extensive kernel modifications (make everyone's life easier).
> >
> > Yes, at first I wrote a daemon in userspace, responsible for
> > dispatching the information to subsystems (logging, sending
> > verdict, graphical tool to ask the user, database to check user
> > rules rather than interactive ask, ..) but I finally made the effort
> > to build a library, which is easier for maintenance of the kernel
> > part, and lets the user build his own system.
> >
> > sam
>
> Yes I am repeating myself.  Why hook in the LSM?  netfilter already
> does outgoing packet blocking based on Process ID.  It's not that hard
> to expand it to applications.

I'm not defending the concept of a personal firewall; my opinion is that 
it is a poor option for security and typically only results in training 
the user to click the "allow" button when the pfwall dialog box pops 
up on his/her screen.  However, ignoring that for a moment, I believe 
the motivation for why LSM and why not netfilter is that, based on the 
requirements we have seen so far, the pfwall developers are not 
interested in controlling packets directly but rather socket operations 
(bind, listen, connect, etc.).  I am not a netfilter expert, but it 
appears that netfilter is more focused on traffic flow and not socket 
operations, while the LSM framework appears better suited for 
controlling socket operations in the manner which the pfwall developers 
want.

-- 
paul moore
linux @ hp
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html