Re: Low-level network hooks and rtnetlink

From: James Morris (jmorrisat_private)
Date: Sun Aug 05 2001 - 09:29:56 PDT


On Thu, 2 Aug 2001, Stephen Smalley wrote:

> On Fri, 3 Aug 2001, James Morris wrote:
> > However, things become more complicated if the kernel is configured with
> > rtnetlink enabled.  This is a separate mechanism for managing the same set
> > of objects (see rtnetlink(7)), as well as a few others which may also need
> > access/audit hooks for some implementations.
>
> One other observation on this topic:  Notice that LSM has a hook in the
> capable() function.  So assuming that the existing capable() calls provide
> a consistent control over access to the routing table regardless of
> whether you use a rtnetlink socket or an ioctl call, then a security
> module also can provide a consistent control by performing its checking
> in the capable() hook.

Yes, ioctls which modify the main routing table, ARP table and the
netdevices all check for CAP_NET_ADMIN, so we can provide coarse yet
consistent controls on these objects.  Note that this will not provide
control over read operations.

> The only limitation of this approach is that the
> capabilities are fairly coarse-grained (CAP_NET_ADMIN, in this case)
> and cannot take into account other parameters.

There are at least two existing implementations which use fine-grained
controls on low-level network objects: selinux with labeled interfaces,
and Malcolm Beattie's MAC with labeled routing tables (I'm not sure if
this is currently under active development).

If any implementations depend on these kinds of fine-grained controls, and
have no viable workaround under LSM, capable() hooks will probably not be

Also, after further investigation of option #3 from my last post, it looks
like it will be a very messy job to hook all accesses to low-level network
objects at some level underneath both ioctl() and rtnetlink.  I haven't
come up with a good solution for this yet.

- James

James Morris
linux-security-module mailing list
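The point James makes above, that the CAP_NET_ADMIN check (and therefore an LSM capable() hook) covers routing-table writes on both the ioctl() and the rtnetlink paths but not reads, can be checked from user space. The program below is an added example; it is not part of James Morris's message and not LSM or kernel code. It is Linux-only and assumes the kernel's check ordering described in the thread: the capability test runs before the request is parsed, so both write requests are deliberately constructed to be invalid (rt_dst / rtm_family left as AF_UNSPEC). An unprivileged caller should therefore see EPERM on both write paths, a privileged caller should see a validation error (EAFNOSUPPORT from SIOCADDRT, EOPNOTSUPP from rtnetlink) with nothing added to the table either way, and the RTM_GETROUTE dump should succeed for anyone. The exact errno values for the privileged case are expected behaviour, not something the original message states.

```c
/*
 * Added example (not from the original message or the LSM project):
 * probe which routing-table operations the kernel gates on CAP_NET_ADMIN.
 *   RTM_GETROUTE dump  -> read,  expected to succeed unprivileged
 *   RTM_NEWROUTE       -> write, expected EPERM unprivileged
 *   ioctl(SIOCADDRT)   -> write, expected EPERM unprivileged
 * Both write requests are intentionally malformed so a privileged run
 * modifies nothing (it gets a validation error instead of EPERM).
 * Linux-only.  Build: cc -Wall -o capprobe capprobe.c
 */
#include <errno.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <net/route.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>

struct rt_req {
    struct nlmsghdr nlh;
    struct rtmsg rtm;
};

/* Build an RTM_GETROUTE dump request (a read; no capability required). */
size_t build_getroute_dump(struct rt_req *req, unsigned int seq)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    req->nlh.nlmsg_type = RTM_GETROUTE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req->nlh.nlmsg_seq = seq;
    req->rtm.rtm_family = AF_INET;
    return req->nlh.nlmsg_len;
}

/* Build an RTM_NEWROUTE request (a write) with rtm_family = AF_UNSPEC, for
 * which no route handler exists: rtnetlink checks CAP_NET_ADMIN first, so an
 * unprivileged sender gets EPERM; a privileged one gets EOPNOTSUPP and the
 * table is untouched. (Constructed, deliberately invalid message.) */
size_t build_newroute_bogus(struct rt_req *req, unsigned int seq)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
    req->nlh.nlmsg_type = RTM_NEWROUTE;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->nlh.nlmsg_seq = seq;
    req->rtm.rtm_family = AF_UNSPEC;
    return req->nlh.nlmsg_len;
}

/* Decode the first netlink reply in buf: 0 for NLMSG_DONE, a data message or
 * a successful ACK; the positive errno carried by an NLMSG_ERROR; -1 if the
 * buffer does not hold a complete message. */
int netlink_reply_status(const void *buf, size_t len)
{
    const struct nlmsghdr *nlh = buf;
    if (len < sizeof(*nlh) || !NLMSG_OK(nlh, len))
        return -1;
    if (nlh->nlmsg_type == NLMSG_ERROR) {
        if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct nlmsgerr)))
            return -1;
        const struct nlmsgerr *err = NLMSG_DATA(nlh);
        return err->error ? -err->error : 0;   /* kernel sends -errno */
    }
    return 0;
}

/* Send one request on a NETLINK_ROUTE socket and classify the first reply.
 * Returns netlink_reply_status() or the positive errno of a failed syscall. */
int probe_rtnetlink(size_t (*build)(struct rt_req *, unsigned int))
{
    struct rt_req req;
    char buf[8192];
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) return errno;
    size_t len = build(&req, 1);
    if (send(fd, &req, len, 0) < 0) { int e = errno; close(fd); return e; }
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    int status = n < 0 ? errno : netlink_reply_status(buf, (size_t)n);
    close(fd);
    return status;
}

/* ioctl(SIOCADDRT) with a zeroed rtentry (rt_dst family AF_UNSPEC):
 * unprivileged -> EPERM (checked before the entry is parsed),
 * privileged -> EAFNOSUPPORT; nothing is added either way. */
int probe_ioctl_addrt(void)
{
    struct rtentry rt;
    memset(&rt, 0, sizeof rt);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    int rc = ioctl(fd, SIOCADDRT, &rt) < 0 ? errno : 0;
    close(fd);
    return rc;
}

int main(void)
{
    printf("RTM_GETROUTE dump (read):  %s\n", strerror(probe_rtnetlink(build_getroute_dump)));
    printf("RTM_NEWROUTE (write):      %s\n", strerror(probe_rtnetlink(build_newroute_bogus)));
    printf("ioctl SIOCADDRT (write):   %s\n", strerror(probe_ioctl_addrt()));
    return 0;
}
```

Run it once as an ordinary user and once with CAP_NET_ADMIN. The read line reports "Success" in both cases, which is exactly the gap the message points out: a module that enforces only in the capable() hook never sees a routing-table or ARP-table read, whichever of the two interfaces the caller used.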
