Re: RFC: Mandatory Access Control for sockets aka "personal firewalls"

On Wed, January 21, 2009 09:15, Peter Dolding wrote:

> Netfilter can already reject or approve outgoing packets from
> applications on the basis of user id, process id and so on.  This is
> before packets enter the Netfilter processing stack.   The cost of looking
> up whether an application is approved or not approved is outweighed by the cost
> of rejected packets going through netfilter.
>
> Sorry, netfilter is already sorting out how sockets can be used.   What
> you are basically talking about is two layers doing exactly the same
> thing.   Half of what tuxguardian does can be done in an iptables
> module, i.e. filtering outgoing traffic based on application.
>
> Please explain why expanding netfilter is not an option.   Expanding
> netfilter avoids conflicts with LSMs.
>

Agreed, patches to Netfilter might get you a long way. Along the lines of
--owner-uid you may extend it with something like --owner-exe and possibly
--owner-callchainid. That could take care of:

* connection-full-protocol like TCP
* outgoing connection-less-protocol packets like UDP or ICMP

The one thing that would remain would be incoming connection-less-protocol
packets. If Netfilter could be patched in such a way that incoming packets
could be filtered based on receiving process meta, that would be a great
way to go. If not, maybe LSM would need to just mediate 'bind'.

A second issue comes with user level administration. If Netfilter were
patched to allow a user to administrate her 'private' table, which could
get called from the system wide Netfilter rules, some MAC framework would
still be needed to make sure the user has a way to change the rules in her
private table, but her browser, pdf reader, mail client etc. do not.

That is, you could define some system wide ruleset like:

System wide:
  * deny any packet from executables under '/home/*'
  * deny any packet from user 'localuser'
  * for any packet from an executable under /usr/bin/networkingtools/ jump
    to the users USERPRIVATE table.
  * deny all other traffic.

User alice USERPRIVATE:
  * allow all packets from /usr/bin/webbrowser to anything on tcp port 80.

User bob USERPRIVATE:
  * allow all packets from /usr/bin/webbrowser to the socks port of the
    socks server.

Would a solution like that be feasible?

You would want alice or bob to be able to change their USERPRIVATE table,
but you wouldn't want /usr/bin/webbrowser or any other program to do so
independently. At least for that you would need close cooperation with
for example SELinux or AppArmor.

Further it seems that 'bind' for connection less sockets will still be
an important candidate for mediation by LSM IMHO.

Rob.
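The two-level ruleset sketched in the mail above, modelled as an added example that is not part of the thread: a system-wide chain that jumps into a per-user chain and falls back to deny-all, with netfilter's return-to-caller semantics for user-defined chains. Stock iptables only offers the uid/gid side of this (`-m owner --uid-owner`); the per-executable match stands in for the proposed --owner-exe extension, the SOCKS port (1080) and the browser's location under /usr/bin/networkingtools/ are assumptions so that the system-wide jump rule actually reaches it.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

@dataclass
class Packet:
    uid: str    # owner of the sending process (what -m owner --uid-owner matches today)
    exe: str    # sending executable; stands in for the proposed --owner-exe match
    proto: str
    dport: int

# A rule is (match, verdict); verdict is "ALLOW", "DENY" or ("JUMP", chain).
# An empty match dict matches everything, like a rule with no -m/-p options.
def matches(match, pkt):
    return all(fnmatch(getattr(pkt, k), v) if k == "exe" else getattr(pkt, k) == v
               for k, v in match.items())

def evaluate(chains, name, pkt):
    """Walk one chain. A JUMP target that ends without a verdict returns to
    the calling chain, which is how netfilter user-defined chains behave."""
    for match, verdict in chains[name]:
        if not matches(match, pkt):
            continue
        if isinstance(verdict, tuple):           # ("JUMP", target)
            sub = evaluate(chains, verdict[1], pkt)
            if sub is not None:
                return sub
            continue
        return verdict
    return None

# Constructed ruleset following the mail; the browser is assumed to live
# under /usr/bin/networkingtools/ so the system-wide jump rule reaches it.
CHAINS = {
    "SYSTEM": [
        ({"exe": "/home/*"}, "DENY"),
        ({"uid": "localuser"}, "DENY"),
        ({"uid": "alice", "exe": "/usr/bin/networkingtools/*"}, ("JUMP", "USERPRIVATE_alice")),
        ({"uid": "bob", "exe": "/usr/bin/networkingtools/*"}, ("JUMP", "USERPRIVATE_bob")),
        ({}, "DENY"),                            # deny all other traffic
    ],
    "USERPRIVATE_alice": [
        ({"exe": "/usr/bin/networkingtools/webbrowser", "proto": "tcp", "dport": 80}, "ALLOW"),
    ],
    "USERPRIVATE_bob": [   # 1080 is an assumed port for bob's SOCKS server
        ({"exe": "/usr/bin/networkingtools/webbrowser", "proto": "tcp", "dport": 1080}, "ALLOW"),
    ],
}

def decide(pkt):
    # Verdict for an outgoing packet; never None because SYSTEM ends in deny-all.
    return evaluate(CHAINS, "SYSTEM", pkt)
```

Note that a packet alice's browser sends to port 443 is denied by the system-wide deny-all only because her private chain returned without a verdict; the private chain can widen what the system rules hand it, never what they withhold.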
