Re: Limiting IPC with SELinux?

On Fri, 2005-04-22 at 20:46 +0200, Thomas Bleher wrote:
> I had an idea a while ago which may help you. I wanted to implement it
> myself but don't have time to do any kernel-hacking currently, so if you
> want to try it, feel free.
> My idea was to build an iptables modules similar to the "Owner match"
> module which matches locally generated packets against a specific domain.
> That way you could probably achieve most of what you want.
> One problem here is: how do we cleanly match on security context? All 
> the logic should be in the security server and controllable by policy.
> The most sane way I came up with is this:
> Declare a new class "iptables" (or "netfilter") with one permission
> "match". Then put this into policy:
>       allow domain self:iptables match;
> The usermode iptables code passes a complete security context into the
> kernel which is converted into a sid internally. Now everytime the
> iptables module is called on a packet it asks the avc if <sid of sending
> packet>:<sid passed into kernel>:IPTABLES__MATCH is allowed in the
> policy.
> I do not know if this is the best approach but it does allow matching on
> specific domains, on specific contexts (if the constraints are adjusted)
> or on a group of domains (you could add a dummy type all_userdomains_t
> and add "allow userdomain all_userdomains_t:iptables match;" or
> something like that and then match on all_userdomains_t in the iptables
> rule)
> 
> I think such a module would be very useful. For example, the admin may
> want to specify that mozilla may only talk to the internal proxy server.
> 
> Of course, this depends on the fact that such a module is actually
> doable and sane. I looked at the code but I am no kernel hacker so I
> would appreciate any insight/ideas.

LIDS seems to have supported something similar at one time using the
iptables MARK module:
http://www.lids.org/document/lids_worm.html

-- 
Stephen Smalley <sds@xxxxxxxxxxxxx>
National Security Agency