From: Samir Bellabes <sam <at> synack.fr>
Subject: [RFC] snet - Security for NETwork syscalls
Newsgroups: gmane.linux.kernel.lsm
Date: Monday 19th January 2009 04:17:28 UTC (over 8 years ago)
hi lsm users,

as the discussion thread "RFC: Socket MAC LSM" put a question on how to
build a simple personal firewall, I am pleased to introduce the snet tool.

As you may remember [0], I worked on the "network event connector"
(cn_net). The main idea is to capture events coming from userspace,
whenever a process is doing some network syscall (sys_listen,
sys_bind, ..) and send useful related information to userspace to
decide if the syscall has to be accepted or denied.

As cn_net was a proof of concept, I moved to this new tool, snet.
Main improvements are:
 * using the libnl, instead of connector.
 * having a library in userspace, instead of a direct daemon.

snet is a kernel patch and a userspace library + sample tools
 * kernel code is using LSM, and communicates with userspace with libnl.
 * userspace code is built as a library, so it's easy to use it in your
   own code, in order to intercept "events".

here is the output of the example program available with the userspace
part.

    * verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256
      id=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80

    * verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123
      pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0

This information is available through the library callback function.

As you can guess, at this point it's really easy to log this into a
database or build a personal firewall.

The great idea is that it supports all network protocols and all
network families easily, as we are at the socket level.

I assume everything is not perfect for a "true" code release.
But this is working well for me. And I chose to stop delaying the release
and show some code, as more people are trying to do the same thing.

you can download the userspace part here :
http://www.synack.fr/project/snet/release/snetd-0.1.tar.bz2

homepage is available here http://www.synack.fr/project/snet/

[0] http://www.spinics.net/lists/netdev/msg24437.html

thanks

-- 

Samir Bellabes (6):
      snet: initial commit
      snet: filtering behaviour and default policy
      snet: support for socket_create()
      snet: fixing output format
      snet: support verdict timeout
      snet: make sequence number atomic

 Kconfig                     |    1 
 Makefile                    |    2 
 snet/Kconfig                |   12 
 snet/Makefile               |    8 
 snet/include/snet.h         |   21 +
 snet/include/snet_hash.h    |   18 +
 snet/include/snet_hooks.h   |   22 +
 snet/include/snet_netlink.h |  207 ++++++++++++++
 snet/include/snet_utils.h   |    8 
 snet/include/snet_verdict.h |   27 +
 snet/snet_core.c            |   90 ++++++
 snet/snet_hash.c            |  247 +++++++++++++++++
 snet/snet_hooks.c           |  624 ++++++++++++++++++++++++++++++++++++++++++++
 snet/snet_netlink.c         |  624 ++++++++++++++++++++++++++++++++++++++++++++
 snet/snet_utils.c           |   14 
 snet/snet_verdict.c         |  226 +++++++++++++++
 16 files changed, 2151 insertions(+)
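The event format and the allow/deny decision the post describes, as an added example that is not snet's own code: the post does not show the library's callback signature or struct layout, so the event struct, the line parser (over the textual form the sample program prints, with `pid=` in both records) and the per-uid rule table below are assumptions constructed for illustration. The verdict logic is the "personal firewall" shape the post hints at: match the calling uid, the syscall and the local (listen/bind) or remote (connect) port against a rule table, and deny anything that matches no rule.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed event representation; the real snet library's layout is
 * not shown in the post, so this struct is an assumption. */
typedef struct {
    unsigned verdict_id;   /* token the kernel expects back with the verdict */
    char syscall[16];      /* "CONNECT", "LISTEN", "BIND", ... */
    int protocol;          /* IPPROTO_* number */
    int family;            /* AF_* number */
    unsigned uid;
    unsigned pid;
    char src[64];          /* "addr:port" as printed by the sample program */
    char dst[64];
} snet_event_t;

enum snet_verdict { SNET_DENY = 0, SNET_ALLOW = 1 };

/* Parse one event in the textual form the sample program prints, e.g.
 *   verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123
 *   pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0
 * (joined onto one line). Returns 0 on success, -1 if the line is malformed. */
int snet_parse_event(const char *line, snet_event_t *ev)
{
    char proto_name[16], hook_name[32];
    int n;

    memset(ev, 0, sizeof(*ev));
    n = sscanf(line,
               "verdict_id=%x syscall=%15s protocol=%d [%15[^]]] family=%d "
               "uid=%u pid=%u [%31[^]]] %63[^-]->%63s",
               &ev->verdict_id, ev->syscall, &ev->protocol, proto_name,
               &ev->family, &ev->uid, &ev->pid, hook_name, ev->src, ev->dst);
    return n == 10 ? 0 : -1;
}

/* The port a rule should look at: remote port for CONNECT, local port
 * for everything else (LISTEN/BIND report the local socket as src). */
static int snet_event_port(const snet_event_t *ev)
{
    const char *addr = strcmp(ev->syscall, "CONNECT") == 0 ? ev->dst : ev->src;
    const char *colon = strrchr(addr, ':');
    return colon ? atoi(colon + 1) : -1;
}

/* Constructed rule table: (uid, syscall, port or -1 for any) -> verdict.
 * First match wins; no match means deny (default-deny policy). */
typedef struct {
    unsigned uid;
    const char *syscall;
    int port;
    enum snet_verdict verdict;
} snet_rule_t;

static const snet_rule_t snet_rules[] = {
    { 256, "CONNECT",   80, SNET_ALLOW },  /* uid 256 may connect to port 80 */
    { 123, "LISTEN", 10000, SNET_ALLOW },  /* uid 123 may listen on 10000   */
    { 123, "LISTEN",    -1, SNET_DENY  },  /* ... and on nothing else       */
};

enum snet_verdict snet_decide(const snet_event_t *ev)
{
    size_t i;
    int port = snet_event_port(ev);

    for (i = 0; i < sizeof(snet_rules) / sizeof(snet_rules[0]); i++) {
        const snet_rule_t *r = &snet_rules[i];
        if (r->uid == ev->uid && strcmp(r->syscall, ev->syscall) == 0 &&
            (r->port < 0 || r->port == port))
            return r->verdict;
    }
    return SNET_DENY;
}

/* Convenience entry point: parse a printed event line and return its
 * verdict, or -1 if the line could not be parsed (callers should treat
 * an unparseable event as deny as well). */
int snet_verdict_for_line(const char *line)
{
    snet_event_t ev;
    if (snet_parse_event(line, &ev) != 0)
        return -1;
    return (int)snet_decide(&ev);
}

int main(void)
{
    /* Constructed sample event in the same shape as the post's output. */
    const char *line = "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] "
                       "family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80";
    printf("verdict=%d\n", snet_verdict_for_line(line));
    return 0;
}
```

In a real deployment the verdict would be handed back to the kernel tagged with `verdict_id`; the post mentions a verdict timeout, so a userspace policy daemon must answer promptly or the kernel's default policy applies.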
