From: Paul Moore <paul.moore <at> hp.com>
Subject: Re: [RFC] snet - Security for NETwork syscalls
Newsgroups: gmane.linux.kernel.lsm
Date: Wednesday 21st January 2009 14:55:13 UTC
On Wednesday 21 January 2009 3:37:07 am Peter Dolding wrote:
> On Wed, Jan 21, 2009 at 8:52 AM, Samir Bellabes  wrote:
> > Paul Moore  writes:
> >> On Sunday 18 January 2009 11:17:28 pm Samir Bellabes wrote:
> >>> hi lsm users,
> >>>
> >>> as the discussion thread "RFC: Socket MAC LSM" raised a question about
> >>> how to build a simple personal firewall, I am pleased to introduce
> >>> the snet tool ...
> >>
> >> Hello,
> >>
> >> Thanks for posting this, but as it stands right now I think we
> >> need a bit more discussion before we pursue a personal firewall
> >> solution.
> >
> > sure
> >
> >> Regardless, I do like the approach you took of deferring the
> >> actual decision processing to userspace; this should allow
> >> multiple personal firewall implementations without the need for
> >> extensive kernel modifications (make everyone's life easier).
> >
> > Yes, at first I wrote a daemon in userspace, responsible for
> > dispatching the information to subsystems (logging, sending the
> > verdict, a graphical tool to ask the user, a database to check user
> > rules rather than asking interactively, ...), but I finally made the
> > effort to build a library, which is easier for maintenance of the
> > kernel part, and lets the user build his own system.
> >
> > sam
> Yes, I am repeating myself.  Why hook in the LSM?  netfilter already
> does outgoing packet blocking based on process ID.  It's not that hard
> to expand it to applications.

I'm not defending the concept of a personal firewall; my opinion is that 
it is a poor option for security and typically only results in training 
the user to click the "allow" button when the pfwall dialog box pops 
up on his/her screen.  However, ignoring that for a moment, I believe 
the motivation for why LSM and why not netfilter is that, based on the 
requirements we have seen so far, the pfwall developers are not 
interested in controlling packets directly but rather socket operations 
(bind, listen, connect, etc.).  I am not a netfilter expert, but it 
appears that netfilter is more focused on traffic flow and not socket 
operations, while the LSM framework appears better suited for 
controlling socket operations in a manner which the pfwall developers 

paul moore
linux @ hp
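An added illustration of the userspace side described in this thread (not snet's own library and not code from any participant): a small verdict engine that receives socket-operation events of the kind an LSM hook would report (bind/listen/connect with pid, uid, comm, address and port), checks them against a rule database first, and only falls back to asking the user when no rule matches. The SocketEvent fields, the Rule format and the `ask` callback are assumptions made for the example; the kernel-side hook and the transport to userspace are out of scope.

```python
"""Added example (not snet's library): userspace verdict engine for
socket-operation events.  The SocketEvent shape, the Rule format and the
`ask` callback are assumptions made for illustration."""
import ipaddress
import logging
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional

log = logging.getLogger("pfwall")


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class SocketEvent:
    """One socket operation as a kernel hook might report it (assumed fields)."""
    op: str                      # "bind", "listen" or "connect"
    pid: int
    uid: int
    comm: str                    # executable name the kernel reports
    addr: Optional[str] = None   # peer address for connect, local for bind/listen
    port: Optional[int] = None


@dataclass
class Rule:
    """First-match rule; a None field is a wildcard."""
    verdict: Verdict
    op: Optional[str] = None
    comm: Optional[str] = None
    uid: Optional[int] = None
    net: Optional[str] = None        # CIDR such as "10.0.0.0/8" (v4 or v6)
    ports: Optional[range] = None    # e.g. range(22, 23) for port 22 only

    def matches(self, ev: SocketEvent) -> bool:
        if self.op is not None and self.op != ev.op:
            return False
        if self.comm is not None and self.comm != ev.comm:
            return False
        if self.uid is not None and self.uid != ev.uid:
            return False
        if self.net is not None:
            if ev.addr is None:
                return False
            # A v4 address is never "in" a v6 network and vice versa.
            net = ipaddress.ip_network(self.net, strict=False)
            if ipaddress.ip_address(ev.addr) not in net:
                return False
        if self.ports is not None and (ev.port is None or ev.port not in self.ports):
            return False
        return True


class Dispatcher:
    """Rule database first, interactive `ask` second, default verdict last.

    An answer from `ask` is remembered as a narrow rule (same op, comm, uid,
    exact address and port), so the user is asked once per distinct event.
    When nobody can be asked (no GUI, daemon started at boot) the default
    applies, and the default is DENY so a missing asker never fails open."""

    def __init__(self, rules: List[Rule],
                 ask: Optional[Callable[[SocketEvent], Verdict]] = None,
                 default: Verdict = Verdict.DENY) -> None:
        self.rules = list(rules)     # private copy: learned rules go here
        self.ask = ask
        self.default = default

    def decide(self, ev: SocketEvent) -> Verdict:
        for rule in self.rules:
            if rule.matches(ev):
                log.info("%s pid=%d comm=%s %s:%s -> %s (rule)",
                         ev.op, ev.pid, ev.comm, ev.addr, ev.port, rule.verdict.value)
                return rule.verdict
        if self.ask is None:
            log.info("%s pid=%d comm=%s -> %s (default)",
                     ev.op, ev.pid, ev.comm, self.default.value)
            return self.default
        verdict = self.ask(ev)
        net = str(ipaddress.ip_network(ev.addr)) if ev.addr else None   # /32 or /128
        ports = range(ev.port, ev.port + 1) if ev.port is not None else None
        self.rules.append(Rule(verdict, op=ev.op, comm=ev.comm, uid=ev.uid,
                               net=net, ports=ports))
        return verdict


SAMPLE_RULES = [
    Rule(Verdict.ALLOW, op="connect", comm="ssh", ports=range(22, 23)),
    Rule(Verdict.ALLOW, op="connect", net="10.0.0.0/8"),
    Rule(Verdict.DENY, op="listen"),
]

# Constructed events standing in for what the kernel hook would deliver.
SAMPLE_EVENTS = [
    SocketEvent("connect", 4021, 1000, "ssh", "203.0.113.5", 22),
    SocketEvent("connect", 4022, 1000, "curl", "10.20.30.40", 443),
    SocketEvent("listen", 4023, 1000, "nc", "0.0.0.0", 8080),
    SocketEvent("connect", 4024, 1000, "curl", "203.0.113.9", 443),
]


def run_sample(ask: Optional[Callable[[SocketEvent], Verdict]] = None) -> List[str]:
    d = Dispatcher(SAMPLE_RULES, ask=ask)
    return [d.decide(ev).value for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(run_sample())   # no asker: ['allow', 'allow', 'deny', 'deny']
```

The point of keeping the rule database in front of the interactive prompt is the one Paul raises: every answer the user gives becomes a persisted rule, so the prompt is the policy in practice, and the engine should fail closed whenever no one is there to answer.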