Re: [RFC] Allow LSM to use IP address/port number.

2007-07-09 Thread David Miller
From: Tetsuo Handa [EMAIL PROTECTED]
Date: Mon, 09 Jul 2007 14:33:01 +0900

 @@ -649,8 +660,16 @@ int sock_recvmsg(struct socket *sock, st
   init_sync_kiocb(iocb, NULL);
   iocb.private = siocb;
   ret = __sock_recvmsg(iocb, sock, msg, size, flags);
 - if (-EIOCBQUEUED == ret)
 + if (-EIOCBQUEUED == ret) {
   ret = wait_on_sync_kiocb(iocb);
 + /* I can now check security_socket_post_recvmsg(). */
 + if (ret = 0) {
 + int err = security_socket_post_recvmsg(sock, msg, size,
 +flags);
 + if (err)
 + ret = err;
 + }
 + }
   return ret;
  }
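Review bot: overwriting ret with the hook's error once wait_on_sync_kiocb() has returned the byte count throws away the count of data that __sock_recvmsg() has already dequeued and copied into the caller's buffer, so a "denied" message is lost to the caller rather than filtered; if the post hook stays, what a nonzero return means to the caller needs to be defined, and the byte count should not simply be replaced. Also, as quoted the condition reads `if (ret = 0)`, which is an assignment; if a `>` of `>=` was dropped in quoting it is harmless, otherwise the hook only runs on the zero-length path.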

I don't think it's such a hot idea to return errors if the
wait_on_sync_kiocb() has returned success.

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [RFC] Allow LSM to use IP address/port number.

2007-07-09 Thread Tetsuo Handa
Hello.

Thank you for your comment.


David Miller wrote:
 I don't think it's such a hot idea to return errors if the
 wait_on_sync_kiocb() has returned success.
My patch may return errors for the non-wait_on_sync_kiocb() case too.
Are you saying only the wait_on_sync_kiocb() case is bad?
If so, could you please explain to me why?
The location where I inserted the hook is after the aio event has finished.
Both struct kiocb and struct sock_iocb are no longer in use.
So, I think this location can safely return errors.


If you are saying "don't return errors after receiving data",
I'll explain to you why I need hooks after receiving data.

What I want to do is to implement a kind of anti-virus software's
personal firewall feature.
It drops messages from unwanted IP addresses/ports.
(To be exact, it doesn't drop them; it just tells the userland process
not to use the received messages by returning errors.)

security_socket_recvmsg() is called before retrieving a message.
I want a hook that is called after retrieving a message
so that I can use IP address and port number for judgement.

I also want to allow users to judge interactively using a popup dialog.
To judge interactively, the hook has to be blockable.
If non-interactive, iptables is the appropriate location for filtering.
This is why I want to insert the security_socket_post_recvmsg() hook here.


Regards.


Re: [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.)

2007-07-09 Thread James Morris
On Mon, 9 Jul 2007, Tetsuo Handa wrote:

 Hello.
 
 This thread is from http://marc.info/?t=11834645705r=1w=2 .
 
 I want to use tcp_wrapper-like filtering using LSM.

The appropriate way to do this would be via netfilter queuing to 
userspace, as already suggested by Paul Moore.


-- 
James Morris
[EMAIL PROTECTED]


Re: [RFC] Allow LSM to use IP address/port number.

2007-07-09 Thread James Morris
On Mon, 9 Jul 2007, Stephen Hemminger wrote:

 Isn't it better to hook into existing netfilter infrastructure somehow?

Yes, it has been suggested several times.


-- 
James Morris
[EMAIL PROTECTED]


Re: [RFC] Allow LSM to use IP address/port number.

2007-07-09 Thread Tetsuo Handa
Thank you for your comment.

I have a question regarding netfilter infrastructure.

I want to filter messages using task_struct->security.
Can the netfilter's queuing-to-userspace feature
get a list of the struct task_struct that share a socket
that is going to receive incoming messages?

My approach is not "is this socket allowed to receive from xxx.xxx.xxx.xxx port yy"
but "is this process allowed to receive from xxx.xxx.xxx.xxx port yy".
So, my approach is not using the security context associated with a socket
but the security context associated with a process.

If I can't use netfilter, there is no chance to filter before enqueuing
messages. So, I think propagating errors to the local user
after dequeuing messages is the only possible way.

Regards.


Re: [RFC] Allow LSM to use IP address/port number. (was Re: [PATCH 1/1] Add post accept()/recvmsg() hooks.)

2007-07-08 Thread from-lsm
Sorry, I failed to send this message to netdev ml. Please ignore.

On Mon, 09 Jul 2007 13:29:44 +0900
Tetsuo Handa [EMAIL PROTECTED] wrote:

 Hello.
 
 This thread is from http://marc.info/?t=11834645705r=1w=2 .
 
 I want to use tcp_wrapper-like filtering using LSM.
 But it seems that there are cases (recvmsg() and read()?) where
 __sock_recvmsg() is called with msg->name == NULL and msg->msg_namelen == 0,
 which makes what I want to do impossible.
 To make IP address and port number always available,
 some changes in socket layer are needed.
 
 Since I'm not getting objections from the LSM ml so far,
 I'm now adding the netdev ml because this patch is related to the socket layer.
 
 Are there ways to receive messages other than 
 recv()/recvfrom()/recvmsg()/read()?
 If recv()/recvfrom()/recvmsg()/read() are all the ways to receive messages,
 the following patch seems to allow LSM to use the IP address and port number.
 
 The following patch allocates a buffer for receiving the IP address and port number
 even if userland doesn't request them.
 Is there any problem with this change?
 
 Regards.
 
 Signed-off-by: Tetsuo Handa [EMAIL PROTECTED]
 ---
  include/linux/security.h |   38 ++
  net/socket.c |   40 ++--
  security/dummy.c |   11 +--
  3 files changed, 77 insertions(+), 12 deletions(-)
 
 diff -upr a/include/linux/security.h b/include/linux/security.h
 --- a/include/linux/security.h2007-07-03 10:07:14.0 +0900
 +++ b/include/linux/security.h2007-07-09 10:51:04.0 +0900
 @@ -748,8 +748,12 @@ struct request_sock;
   * @socket_post_accept:
   *   This hook allows a security module to copy security
   *   information into the newly created socket\'s inode.
 + *   This hook also allows a security module to filter connections
 + *   from unwanted peers.
 + *   The connection will be aborted if this hook returns nonzero.
   *   @sock contains the listening socket structure.
   *   @newsock contains the newly created server socket for connection.
 + *   Return 0 if permission is granted.
   * @socket_sendmsg:
   *   Check permission before transmitting a message to another socket.
   *   @sock contains the socket structure.
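Review bot: the new @socket_post_accept text says the connection "will be aborted" on a nonzero return but not what the accept() caller observes; since the hook now returns int, the comment should state that the value is propagated as the accept() error and that the already-created @newsock is released, because callers implementing this hook need the failure side spelled out, not only the added "Return 0 if permission is granted".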
 @@ -763,6 +767,15 @@ struct request_sock;
   *   @size contains the size of message structure.
   *   @flags contains the operational flags.
   *   Return 0 if permission is granted.  
 + * @socket_post_recvmsg:
 + *   Check peer\'s address after receiving a message from a socket.
 + *   This hook allows a security module to filter messages
 + *   from unwanted peers.
 + *   @sock contains the socket structure.
 + *   @msg contains the message structure.
 + *   @size contains the size of message structure.
 + *   @flags contains the operational flags.
 + *   Return 0 if permission is granted.
   * @socket_getsockname:
   *   Check permission before the local address (name) of the socket object
   *   @sock is retrieved.
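Review bot: the @socket_post_recvmsg description says the hook lets a module "filter messages from unwanted peers", but at the point it is called the message has already been dequeued and copied to userspace, so a nonzero return can only report an error to the caller, not stop delivery; say so here, and note that the peer address is read from @msg's msg_name, which is only meaningful when the socket layer has filled it in (the reason this series also touches net/socket.c).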
 @@ -1343,12 +1356,14 @@ struct security_operations {
  struct sockaddr * address, int addrlen);
   int (*socket_listen) (struct socket * sock, int backlog);
   int (*socket_accept) (struct socket * sock, struct socket * newsock);
 - void (*socket_post_accept) (struct socket * sock,
 + int (*socket_post_accept) (struct socket *sock,
   struct socket * newsock);
   int (*socket_sendmsg) (struct socket * sock,
  struct msghdr * msg, int size);
   int (*socket_recvmsg) (struct socket * sock,
  struct msghdr * msg, int size, int flags);
 + int (*socket_post_recvmsg) (struct socket *sock, struct msghdr *msg,
 + int size, int flags);
   int (*socket_getsockname) (struct socket * sock);
   int (*socket_getpeername) (struct socket * sock);
   int (*socket_getsockopt) (struct socket * sock, int level, int optname);
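Review bot: changing socket_post_accept from void to int alters the signature every LSM providing that hook must match, and the diffstat lists only security/dummy.c being updated, so any other module implementing it needs converting in the same patch. Minor style point: the new declarations use `struct socket *sock` while the surrounding prototypes in this struct use `struct socket * sock`; within one hunk pick one form rather than mixing them in the same declaration.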
 @@ -2853,10 +2868,10 @@ static inline int security_socket_accept
   return security_ops-socket_accept(sock, newsock);
  }
  
 -static inline void security_socket_post_accept(struct socket * sock, 
 +static inline int security_socket_post_accept(struct socket *sock,
  struct socket * newsock)
  {
 - security_ops-socket_post_accept(sock, newsock);
 + return security_ops-socket_post_accept(sock, newsock);
  }
  
  static inline int security_socket_sendmsg(struct socket * sock, 
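Review bot: the rewritten security_socket_post_accept() prototype mixes `struct socket *sock` on the changed line with `struct socket * newsock` on the untouched continuation line; since the declaration is being edited anyway, make the pointer spacing consistent across both parameters.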
 @@ -2872,6 +2887,13 @@ static inline int security_socket_recvms
   return security_ops-socket_recvmsg(sock, msg, size, flags);
  }
  
 +static inline int security_socket_post_recvmsg(struct socket *sock,
 +struct msghdr *msg,
 +int size, int flags)
 +{
 + return security_ops-socket_post_recvmsg(sock, msg, size, flags);
 +}
 +
  static inline int
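Review bot: this hunk adds only the CONFIG_SECURITY inline for security_socket_post_recvmsg(); the excerpt shows no matching stub in the !CONFIG_SECURITY branch of security.h, and the unconditional call added to sock_recvmsg() in net/socket.c needs one for that configuration to build. The same applies to the changed security_socket_post_accept() return type, whose !CONFIG_SECURITY stub must now return int as well.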