Re: RFC: Network privilege separation.

From: Andi Kleen
Date: Wednesday, January 7, 2009 - 8:10 pm

On Wed, Jan 07, 2009 at 09:31:11PM -0500, Michael Stone wrote:

You always create a joe-nonet one when you create joe.

Now writing to joe's files: you can either use ACLs or do everything
through group accesses (it's very common to have a "joe" group for this
purpose for each user).

But perhaps it's a good idea to not allow writing to all of Joe's
files by those "no network" processes too. It at least sounds like 
that might be useful to combine.


No, you can't. But is that really your requirement? Why limit Unix
sockets and not e.g. named pipes? Unix sockets do not talk to the network.

I suppose I don't understand your requirements very well.


You always define static ones at system boot. 

It would probably not scale to a lot of users, but I understand you're
talking about the OLPC which probably only has a limited set of users?

Even on a true multiuser system it could be done in a PAM module.


Your arguments don't seem very convincing to me, but the big problem
is more the control of incoming packets. I think it would be possible
to fix OWNER match to support the INPUT chain though.

-Andi
-- 
ak@linux.intel.com
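
The scheme sketched in this message (a per-user "-nonet" twin account that shares the user's group, with the netfilter owner match filtering its traffic), written out as an added example that is not code from the thread. The function names `nonet_plan` and `nonet_setup` are hypothetical, and the rules cover outgoing packets only.

```shell
#!/bin/sh
# Added example, not code from the thread. "joe" and the "-nonet" suffix are
# the names used in the message; the function names are hypothetical.

# Print the commands that set up the no-network twin of one user.
nonet_plan() {
    user=$1
    # Refuse anything that is not a plain account name before it can reach
    # a command line.
    case $user in
        ''|-*|*[!a-z0-9_-]*) echo "bad user name: $user" >&2; return 1 ;;
    esac
    twin="${user}-nonet"
    # The twin is created alongside the user and placed in the user's
    # private group, so group permission bits (or ACLs) decide which of the
    # user's files it can write.
    echo "useradd --no-create-home --gid $user $twin"
    # Locally generated packets carry the owning socket's uid, so the owner
    # match can reject them on the way out. The match is not valid in the
    # INPUT chain, so incoming packets are not covered by these rules.
    echo "iptables -A OUTPUT -m owner --uid-owner $twin -j REJECT"
    echo "ip6tables -A OUTPUT -m owner --uid-owner $twin -j REJECT"
}

# Print the plan for review; with "apply" as second argument (root only),
# run it and stop at the first failing command.
nonet_setup() {
    plan=$(nonet_plan "$1") || return 1
    if [ "$2" = apply ]; then
        echo "$plan" | sh -e
    else
        echo "$plan"
    fi
}

# Usage: nonet_setup joe          (print only)
#        nonet_setup joe apply    (as root)
```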