LSM stacking/secondary modules / RFC: Socket MAC LSM

Grzegorz Nosek root at localdomain.pl
Thu Jan 15 07:35:31 PST 2009


On Thu, Jan 15, 2009 at 02:57:12PM +0100, Stephan Peijnik wrote:
> Okay, that idea does sound nice. However, to me it rather looks like
> another use-case for the framework/interface I am proposing (ie. sactl).
> 
> Using sactl the cgroup-based approach could easily hook the relevant
> socket calls. sactl might need some refining for this, but then again
> it's just a proposal and not anywhere being a final interface.

How is sactl different from the iptables hooks Paul proposed? The "fake
packet" abstraction is maybe not very natural (at least that was my
first impression) but quite flexible, as it allows some degree of
socket manipulation. My use case that sparked the discussion was
transparently remapping bind() and connect() operations to use a
per-cgroup source IP address. How do I do that with sactl?

> On the other hand the cgroup-based approach could provide a similar
> interface to the userspace, which would also be an option.

I guess the net result would comprise two parts:
 - iptable_control, possibly based on Paul's code (hook
   socket/connect/bind/accept calls into iptables)
 - ipt_cgroup, matching the cgroup the requesting process is a member
   of (I'd also need a target to remap the source address but it would
   probably be a minor thing to do)

One thing I'm not quite sure about is matching the cgroups. Should I
attempt to match the cgroup path? Or some per-cgroup cookie stored in a
virtual file? Both don't seem too pretty, need help :/

> > > Presumably one possible iptables target would be something which
> > > launches a popup window to ask the user 'should task firefox in
> > > cgroup webclient be allowed to access google.com'?
> 
> If such a target is implemented it could also be done this way. To be
> honest I am not really sure about which road to take myself.

Wouldn't NFQUEUE and some userspace tool suffice without creating new
interfaces (never used it, just guessing)? BTW, how are you going to
know that I wanted to connect to foo.example.com, not bar.example.com
(which share the IP address)?

Best regards,
 Grzegorz Nosek
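The two-part design sketched in the message (a hook that feeds socket calls into an iptables-style table, an ipt_cgroup-style match on the calling task's cgroup, and a target that remaps the source address for bind()/connect()) as a small user-space model. This is an added illustration, not code from the thread, from Paul's iptable_control patch or from any kernel tree: the event structure, the rule table, the cgroup paths and the addresses are all constructed, and the "match by cgroup path prefix" choice is just one answer to the open question in the message, not a settled interface.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the proposed iptable_control + ipt_cgroup
 * design. Nothing here is kernel code; the rule table, cgroup paths and
 * addresses below are made-up sample input. */

enum sock_op { OP_BIND = 0, OP_CONNECT = 1, OP_ACCEPT = 2 };
enum verdict { V_ACCEPT = 0, V_DROP = 1 };
enum target  { TGT_ACCEPT, TGT_DROP, TGT_SETSRC };

/* The "fake packet" the hook hands to the table: one socket syscall plus
 * the identity of the calling task (here only its cgroup path). */
struct sock_event {
    enum sock_op op;
    char cgroup[64];     /* cgroup path of the calling task, e.g. "/webclient" */
    uint32_t saddr;      /* source address in host byte order, 0 = unset */
};

struct rule {
    const char *cgroup_prefix;  /* ipt_cgroup-style match on the task's cgroup path */
    unsigned op_mask;           /* bit (1 << op) set for each op the rule covers */
    enum target target;
    const char *setsrc;         /* dotted-quad source address for TGT_SETSRC */
};

static uint32_t ip4(const char *s)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    return ntohl(a.s_addr);
}

/* Match by path prefix on a component boundary: "/web" does not match
 * "/webclient", but "/webclient" matches "/webclient/firefox" and "/" matches all. */
static int cgroup_match(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    if (n == 0 || strncmp(path, prefix, n) != 0)
        return 0;
    return path[n] == '\0' || path[n] == '/' || prefix[n - 1] == '/';
}

/* First matching rule wins, like an iptables chain. All three targets are
 * terminating here; TGT_SETSRC rewrites the event's source address before accepting. */
static enum verdict sock_hook(struct sock_event *ev, const struct rule *rules, size_t nrules)
{
    for (size_t i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (!(r->op_mask & (1u << ev->op)))
            continue;
        if (!cgroup_match(ev->cgroup, r->cgroup_prefix))
            continue;
        switch (r->target) {
        case TGT_DROP:
            return V_DROP;
        case TGT_SETSRC:
            if (ev->op == OP_BIND || ev->op == OP_CONNECT)
                ev->saddr = ip4(r->setsrc);   /* per-cgroup source address */
            return V_ACCEPT;
        case TGT_ACCEPT:
            return V_ACCEPT;
        }
    }
    return V_ACCEPT;   /* chain policy */
}

/* Sample table: tasks under /webclient get 10.0.0.2 as source on bind()/connect();
 * tasks under /batch may not connect() at all. */
static const struct rule demo_rules[] = {
    { "/webclient", (1u << OP_BIND) | (1u << OP_CONNECT), TGT_SETSRC, "10.0.0.2" },
    { "/batch",     (1u << OP_CONNECT),                   TGT_DROP,   NULL },
};

/* Run one event through the sample table; returns the verdict and, via
 * *saddr_out, the possibly remapped source address. */
enum verdict run_event(enum sock_op op, const char *cgroup, uint32_t *saddr_out)
{
    struct sock_event ev;
    memset(&ev, 0, sizeof ev);
    ev.op = op;
    strncpy(ev.cgroup, cgroup, sizeof ev.cgroup - 1);
    enum verdict v = sock_hook(&ev, demo_rules, sizeof demo_rules / sizeof demo_rules[0]);
    if (saddr_out)
        *saddr_out = ev.saddr;
    return v;
}

/* Convenience: only the resulting source address (0 if the event was left alone). */
uint32_t run_saddr(enum sock_op op, const char *cgroup)
{
    uint32_t s = 0;
    run_event(op, cgroup, &s);
    return s;
}

int main(void)
{
    static const char *cgs[] = { "/webclient", "/webclient/firefox", "/web", "/batch" };
    static const char *ops[] = { "bind", "connect", "accept" };
    for (size_t c = 0; c < sizeof cgs / sizeof cgs[0]; c++) {
        for (int op = OP_BIND; op <= OP_ACCEPT; op++) {
            uint32_t s = 0;
            enum verdict v = run_event((enum sock_op)op, cgs[c], &s);
            struct in_addr a = { .s_addr = htonl(s) };
            printf("%-20s %-8s -> %s src=%s\n", cgs[c], ops[op],
                   v == V_DROP ? "DROP" : "ACCEPT", s ? inet_ntoa(a) : "(unchanged)");
        }
    }
    return 0;
}
```

The model keeps the part that is independent of the eventual interface: the hook sees one syscall plus the caller's identity, the match walks the task's cgroup, and the remap target applies only to bind()/connect(). Whether the match key is the path prefix (as here), a per-cgroup cookie, or something else is the part the message leaves open.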


More information about the Containers mailing list