Samir Bellabes | 2 Jan 2010 14:04

[RFC 8/9] snet: introduce snet_verdict.c and snet_verdict.h

This patch adds the snet subsystem responsible for managing verdicts.

snet uses the word 'verdict' for the return value of LSM hooks.
Different states exist (grant/deny/pending/none).

This patch introduces a hashtable 'verdict_hash' and operations (set/get/search..)
in order to manage verdicts. Syscalls wait, inside a classical waitqueue,
for their verdicts or for a timeout. The timeout value and the default verdict
policy are configurable at boot.
With the help of the communication subsystem, verdicts come from userspace.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_verdict.h |   33 ++++++
 security/snet/snet_verdict.c         |  210 ++++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_verdict.h
 create mode 100644 security/snet/snet_verdict.c

diff --git a/security/snet/include/snet_verdict.h b/security/snet/include/snet_verdict.h
new file mode 100644
index 0000000..fd9a5e5
--- /dev/null
+++ b/security/snet/include/snet_verdict.h
 <at>  <at>  -0,0 +1,33  <at>  <at> 
+#ifndef _SNET_VERDICT_H
+#define _SNET_VERDICT_H
+
+extern unsigned int verdict_hash_size;
+extern unsigned int snet_verdict_delay;
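Review bot: `verdict_hash_size` and `snet_verdict_delay` are exported here as bare externs with no comment on the unit of the delay (jiffies, milliseconds or seconds) or the range either value accepts, although the commit message says both are set at boot; add a one-line comment per variable giving unit and bounds, and since the hash size cannot change once the table is allocated, consider marking it `__read_mostly` so the intent that it is fixed after init is visible to callers.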

Samir Bellabes | 2 Jan 2010 14:04

[RFC 7/9] snet: introduce snet_netlink.c and snet_netlink.h

This patch adds the snet communication subsystem.

snet_netlink uses genetlink for sending/receiving messages to/from userspace.
The genetlink operations permit receiving orders to manage the table of events
- events are values [syscall, protocol] - which is used to know which syscall
and protocol have to be protected. genl operations are also used to manage
communication of events to userspace, and to receive the related verdict.

Signed-off-by: Samir Bellabes <sam <at> synack.fr>
---
 security/snet/include/snet_netlink.h |  201 +++++++++++++
 security/snet/snet_netlink.c         |  541 ++++++++++++++++++++++++++++++++++
 2 files changed, 742 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet_netlink.h
 create mode 100644 security/snet/snet_netlink.c

diff --git a/security/snet/include/snet_netlink.h b/security/snet/include/snet_netlink.h
new file mode 100644
index 0000000..d739f66
--- /dev/null
+++ b/security/snet/include/snet_netlink.h
 <at>  <at>  -0,0 +1,201  <at>  <at> 
+#ifndef _SNET_NETLINK_H
+#define _SNET_NETLINK_H
+
+/*
+ * The following payloads are supported.
+ *
+ * o VERSION:
+ *   Sent by an application to verify the snet version.
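Review bot: the payload list in this header comment describes VERSION only as "sent by an application to verify the snet version", without saying what the reply carries or what the kernel does on a mismatch (refuse later commands, or merely report); since the commit message presents this file as the userspace interface, each payload entry should state its direction, the attributes it carries and the expected reply, so that userspace authors do not have to read snet_netlink.c to use it.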

Michael Farrell | 3 Jan 2010 08:22

Re: xtables-addons: patch for addition of "no-change" option for xt_quota2

2010/1/1 Jan Engelhardt <jengelh <at> medozas.de>:
> On Monday 2009-12-28 16:23, Michael Farrell wrote:
>>
>>I've written a patch to add an option to xt_quota2 called "no-change".
>>The effect of this option, while it is enabled, is that it will skip
>>incrementing or decrementing the quota counter.
>
> I applied the patch, with a number of changes.
>
> [snip]

Okay, thanks for those changes, I wasn't entirely sure of the procedure.

--Michael Farrell
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo <at> vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Samir Bellabes | 3 Jan 2010 23:26

Re: [RFC 6/9] snet: introduce snet_hooks.c and snet_hook.h

Stephen Hemminger <shemminger <at> vyatta.com> writes:

> On Sun, 03 Jan 2010 12:10:53 +0100
> Samir Bellabes <sam <at> synack.fr> wrote:
>
>> I know it's ugly, but code in security hooks is duplicated.
>> Functions (inline or not), which replace these macros, will result in
>> having lots of parameters. Macros with external objects seem to be the
>> most simple at this point.
>
> Macros with references to things outside of the argument are just
> plain wrong. They introduce bugs that humans don't see.

Right.
I will move these macros to inline functions.

thanks,
sam

Patrick McHardy | 4 Jan 2010 13:50

Re: Bypass rules using conntrack helpers

Jan Engelhardt wrote:
> On Sunday 2009-12-27 09:11, Роман Цисык wrote:
>> A questionable point exists in the conntrack expectations design. What
>> happens if somebody opens a fake outgoing connection which matches
>> conntrack helpers' signatures? The conntrack module will be able to add
>> records in the expectation table.
>> Unfortunately, all users from 192.168.0.0/24 will have problems with
>> active FTP. Users will force administrators to read boring manuals
>> as already found and load nf_conntrack_ftp + nf_nat_ftp to "overcome"
>> the problem.
>> Next, if malicious software would initiate a connection as in the
>> previous case, the NAT subsystem will forward the (y << 8 | z) port to outside
>> by changing the source PORT command and, in fact, forwarding a port
>> inside. So, if something would open connections to remote port 21
>> and send our PORT commands, we can transparently open ANY port from the
>> INTERNAL server to the public Internet, regardless of NAT. Hereinafter,
>> I'll call this the "conntrack back-connection issue".
> 
> That is what helpers are supposed to do. If that poses a security risk
> to your network, I advise not to use them. In the case of FTP that is easily
> worked around by using passive ftp.

It should also be pointed out that helpers don't allow anything,
the rule accepting RELATED packets does. And it can be preceded
by filtering rules to restrict what the helper is able to do.

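Patrick's point that the helper itself permits nothing, the RELATED rule does, and that filtering rules placed before it bound what a helper may open, as an added example that is not part of the thread. It assumes the 192.168.0.0/24 LAN from Roman's report behind a NAT router filtering in FORWARD, and an `IPT` variable that defaults to a dry-run `echo iptables` so the rule set can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the thread: bound what the FTP helper can let in.
# IPT defaults to a dry run ("echo iptables"); run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
LAN="192.168.0.0/24"   # constructed: the internal network from the report

helper_rules() {
    # Outbound connections from the LAN and any already established flow.
    $IPT -A FORWARD -s "$LAN" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Restrictive rules come BEFORE any generic RELATED accept.
    # Passive-mode data connections go out from the LAN; the ftp helper
    # marks them RELATED, so they need an explicit accept of their own.
    $IPT -A FORWARD -s "$LAN" -m conntrack --ctstate RELATED \
        -m helper --helper ftp -j ACCEPT

    # Active-mode back-connections come in from the server: only the ftp
    # helper may open them, only towards a LAN host, and only to an
    # unprivileged port, so a forged PORT command cannot expose e.g. 22
    # or 80 on an internal server through the NAT.
    $IPT -A FORWARD -d "$LAN" -p tcp --dport 1024:65535 \
        -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

    # ICMP errors are RELATED without any helper; keep them.
    $IPT -A FORWARD -p icmp -m conntrack --ctstate RELATED -j ACCEPT

    # Everything else a helper expects is logged and dropped.
    $IPT -A FORWARD -m conntrack --ctstate RELATED \
        -j LOG --log-prefix "helper-related-drop: "
    $IPT -A FORWARD -m conntrack --ctstate RELATED -j DROP
}

helper_rules
```

A forged PORT command can still expose an unprivileged port on the internal host; if that is unacceptable, the remaining option is Jan's advice above, not loading the helper and using passive FTP.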

Patrick McHardy | 4 Jan 2010 13:57

Re: Question about ipt_REJECT

Xiong Wu wrote:
> Hi All,
> 
> I found the TCP RST packet sent from the ipt_REJECT target isn't able to
> update the related conntrack state.
> 
> I installed a 2.6.30.10 kernel as a router and added an iptables rule with the
> REJECT target to reset specific connections. However, I found that when
> the packet is handled by ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to the CLOSE state.
> 
> Then I reviewed the ipt_REJECT code. I found the target attaches the old
> conntrack to the RST packet as:
> {
>     nf_ct_attach(nskb, oldskb);
>     ip_local_out(nskb);
> }
> 
> Therefore nf_conntrack_in() will ignore this RST packet because the
> nfct is already valid in the skb:
> {
>     if (skb->nfct) {
>         NF_CT_STAT_INC_ATOMIC(net, ignore);
>         return NF_ACCEPT;
>     }
> }
> 
> 
> Is there any reason to attach the old conntrack to the new RST skb? I
> think letting the RST packet look up and update the related conntrack is
(Continue reading)

Patrick McHardy | 4 Jan 2010 15:23

Re: [PATCH 5/5] net/ipv4 : Correct the size argument to kzalloc

Julia Lawall wrote:
> From: Julia Lawall <julia <at> diku.dk>
> 
> obj has type struct snmp_object **, not struct snmp_object *.  But indeed
> it is not even clear why kmalloc is needed.  The memory is freed by the end
> of the function, so the local variable of pointer type should be sufficient.

Thanks. As this is basically just an unneeded and oversized allocation
without any bad consequences, I've applied it to nf-next-2.6.git.


Patrick McHardy | 4 Jan 2010 16:08

Re: [RFC 7/9] snet: introduce snet_netlink.c and snet_netlink.h

Samir Bellabes wrote:
> +++ b/security/snet/include/snet_netlink.h
>  <at>  <at>  -0,0 +1,201  <at>  <at> 
> +#ifndef _SNET_NETLINK_H
> +#define _SNET_NETLINK_H
> +
> +#include <linux/in6.h>
> +#include "snet_hooks.h"
> +
> +extern unsigned int snet_verdict_delay;

As this file defines the userspace interface, it probably shouldn't
contain declarations of kernel-internal variables (same for
snet_hooks.h). It would also be better placed in include/linux as
the other netlink API definitions.

> +
> +/* commands */
> +enum {
> +	SNET_C_UNSPEC,
> +	SNET_C_VERSION,
> +	SNET_C_REGISTER,
> +	SNET_C_UNREGISTER,
> +	SNET_C_INSERT,
> +	SNET_C_REMOVE,
> +	SNET_C_FLUSH,
> +	SNET_C_LIST,
> +	SNET_C_VERDICT,
> +	SNET_C_VERDICT_DELAY,
> +	__SNET_C_MAX,
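Review bot: since this enum is part of the userspace ABI (as the comment above on this header notes), its numbering is frozen once shipped, yet nothing here says so; add a comment stating that new commands are appended immediately before `__SNET_C_MAX` and existing values are never renumbered, and, if it is not already defined further down the file, put the conventional `#define SNET_C_MAX (__SNET_C_MAX - 1)` next to the enum so the genl ops table and attribute policies are sized from one place.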
(Continue reading)

Patrick McHardy | 4 Jan 2010 16:26

Re: [PATCH 1/3] netfilter: xt_recent: save 8 bytes per htable

Jan Engelhardt wrote:
> Moving rnd_inited into the hole after the uint8 lets go of the uint32
> rnd_inited was using, plus the padding that would follow the int group.

Applied, thanks Jan.

Patrick McHardy | 4 Jan 2010 16:27

Re: [PATCH 2/3] netfilter: xtables: do not grab random bytes at __init

Jan Engelhardt wrote:
> References: http://bugzilla.netfilter.org/show_bug.cgi?id=621
> 
> "It is deliberately not done in the init function, since we might not
> have sufficient random while booting."

Applied, thanks.

