> I apologize for providing little information in my question and before I ask the next question I thought I will read through the docs. Now LSM makes a little sense to me :-). I will try my best to ask the same question in another way.
>
> Consider a linux router. I want to implement certain packet classification and filtering algorithms for the packets coming in on an interface and leaving from another interface. These packet algorithms can be as simple as classifying the incoming traffic into mail-traffic or web-traffic etc and filtering them based on certain policies or any other complex algorithm. I can use Netfilter hooks to receive packets and implement any such algorithms (which may be straight forward).
>
> From the docs I understand that "LSM allows modules to mediate access to kernel objects by placing hooks in the kernel code just ahead of the access", and as a part of the IPv4 networking hooks Netfilter API is used for intercepting packets as they traverse the IP layer. At each Netfilter hook, LSM hook is called before and after packets are passed to the Netfilter framework.
>
> So what kind of access control does LSM envision? (what can preroute_first or preroute_last etc. do?)

LSM is designed for security controls. In a network I would want it to be able to:

1. determine if security labels are present on incoming packets
2. make authorization decisions based on those labels
3. translate remote labels to local labels to maintain the security assignments on the data being passed
4. potentially verify the identity of the sender
5. block packets that do not meet the required security specifications (for example, do not pass unlabeled data to a host that is designated as requiring labels..., do not pass labeled data to a network that is not authorized for that label...)

All of this depends on what kind of security model is provided.

Most of the network hooks look to be preparing for an IPSec capable module - which to my knowledge, hasn't been written yet.

> Can this access control be based on the header field values of the IPv4 packets?

Depends on the contents. If IPSec enhancements (including CIPSO labels) are present then yes. Depending on the security model being used, of course.

> If it is possible to perform access control based on header field values of the IPv4 packets, then is there any need for Netfilter?

Yes - netfilter has a different purpose. It can redirect packets, filter based on content of the packet, make routing decisions, perform NAT operations. There can be some overlap.

The LSM provides a central security control point such that all security-related decisions made in the kernel can be done, and is isolated (sort of) from the mechanism for implementing/enforcing that decision. It allows flexibility in choosing the type of security desired, as well as the amount.

> I don't know if these questions make any sense.
> Thanks in advance for any replies.

Not unreasonable, though I did think some of them should have been answered in a FAQ someplace.

-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollardat_private

Any opinions expressed are solely my own.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
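The label checks listed in the reply (is a CIPSO label present on the packet, and is the destination authorized for it), as an added example in C that is not part of the original message or of the LSM code: a user-space CIPSO option parser plus the forwarding decision from item 5. The policy parameters (`dst_requires_label`, `dst_max_level`) and the two sample packets are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

#define CIPSO_OPT_TYPE 134   /* IPv4 option number carrying a CIPSO label */
#define NO_LABEL (-1)

/* Scan the IPv4 options (bytes 20..IHL*4) for a CIPSO option with a tag type 1
 * and return its sensitivity level, or NO_LABEL if unlabeled or malformed. */
int cipso_level(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return NO_LABEL;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4, i = 20;
    if (ihl < 20 || ihl > len) return NO_LABEL;
    while (i < ihl) {
        uint8_t type = pkt[i];
        if (type == 0) break;              /* End of Options List */
        if (type == 1) { i++; continue; }  /* No-Operation padding */
        if (i + 1 >= ihl) return NO_LABEL;
        uint8_t olen = pkt[i + 1];
        if (olen < 2 || i + olen > ihl) return NO_LABEL;
        if (type == CIPSO_OPT_TYPE) {
            /* option: type, len, DOI (4 bytes), then tags {type, len, align, level, cats...} */
            size_t t = i + 6, end = i + olen;
            while (t + 1 < end) {
                uint8_t tlen = pkt[t + 1];
                if (tlen < 4 || t + tlen > end) return NO_LABEL;
                if (pkt[t] == 1) return pkt[t + 3];
                t += tlen;
            }
            return NO_LABEL;
        }
        i += olen;
    }
    return NO_LABEL;
}

/* Policy from the message: a host requiring labels never gets unlabeled data, and
 * labeled data only leaves toward a network cleared up to dst_max_level. 1=pass, 0=block. */
int forward_allowed(const uint8_t *pkt, size_t len, int dst_requires_label, int dst_max_level)
{
    int lvl = cipso_level(pkt, len);
    if (lvl == NO_LABEL) return dst_requires_label ? 0 : 1;
    return lvl <= dst_max_level;
}
/* Constructed samples, not captured traffic: a 32-byte IPv4 header carrying a
 * CIPSO option (DOI 1, tag type 1, level 3), and a plain 20-byte header. */
const uint8_t labeled_pkt[32] = { 0x48, 0, 0, 32, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
                                  CIPSO_OPT_TYPE, 12, 0, 0, 0, 1, 1, 6, 0, 3, 0x80, 0 };
const uint8_t plain_pkt[20] = { 0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
```

A truncated buffer (length shorter than the IHL claims) is treated as unlabeled, so it is blocked wherever a label is required rather than trusting partial option bytes.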
This archive was generated by hypermail 2b30 : Wed Aug 14 2002 - 06:01:12 PDT