File LICENSE of Package libsnet
w3m -dump http://www.synack.fr/project/snet/snet.html
retrieved 2011-10-03
===
snet - userspace Security for NETwork syscalls
idea
The main idea is to capture events coming from userspace whenever a process
performs a network syscall (sys_listen, sys_bind, ...). For that, the LSM
framework seems the simplest option, since we only have to attach to the LSM
hooks through struct security_operations {}.
tools
snet is divided into two parts, a kernel part and a userspace part.
The kernel code uses LSM and communicates with userspace over netlink (libnl).
The userspace code is built as a library, so it is easy to use it from your own
code to intercept "events". Here are some examples of the data you get through
the library callback function:
verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0
As you can guess, at this point it is easy to log these events into a database
or build a personal firewall.
The great advantage is that it transparently supports all network protocols
and all address families.
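As an added example that is not part of the page or of libsnet itself, the C program below parses event lines in the exact format shown above into a record and applies a small first-match policy to them, which is the core of the "personal firewall" use the text mentions. The struct, the function names, the rule table and the default verdict are constructed for this illustration and are not libsnet's API; the two sample lines are the ones printed on the page.

```c
/* Added example (not libsnet's own code): parse the event lines that the
 * snet userspace library delivers to its callback, in the format shown on
 * the page, and apply a small first-match policy to them. The struct, the
 * function names and the rule table are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define SNET_ACCEPT       0   /* same meaning as snet_verdict_policy=0 */
#define SNET_DENY         1   /* same meaning as snet_verdict_policy=1 */
#define SNET_PARSE_ERROR (-1)

struct snet_event_rec {
    unsigned verdict_id;
    char     syscall[16];     /* CONNECT, LISTEN, ... */
    int      protocol;        /* IP protocol number, 6 = tcp */
    char     proto_name[16];  /* text inside the first [] */
    int      family;          /* address family, 2 = AF_INET */
    unsigned uid;
    int      pid;
    char     tag[32];         /* tcpconnect, tcplisten, ... */
    char     src[64];         /* for LISTEN this is the bound address */
    unsigned src_port;
    char     dst[64];
    unsigned dst_port;
};

/* The two event lines printed on the page, used here as sample input. */
static const char *SAMPLE_CONNECT =
    "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 "
    "pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80";
static const char *SAMPLE_LISTEN =
    "verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 "
    "pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0";

/* Parse one event line into ev. Returns 0 on success, SNET_PARSE_ERROR
 * if the line does not carry all twelve fields. */
int snet_parse_event(const char *line, struct snet_event_rec *ev)
{
    int n;
    memset(ev, 0, sizeof(*ev));
    n = sscanf(line,
               "verdict_id=%x syscall=%15s protocol=%d [%15[^]]] "
               "family=%d uid=%u pid=%d [%31[^]]] %63[^:]:%u->%63[^:]:%u",
               &ev->verdict_id, ev->syscall, &ev->protocol, ev->proto_name,
               &ev->family, &ev->uid, &ev->pid, ev->tag,
               ev->src, &ev->src_port, ev->dst, &ev->dst_port);
    return n == 12 ? 0 : SNET_PARSE_ERROR;
}

/* Constructed rule table: first matching rule wins, -1/NULL means "any". */
struct snet_rule {
    const char *syscall;
    int         uid;
    int         dst_port;
    int         verdict;
};

static const struct snet_rule RULES[] = {
    { "CONNECT", 256, 80, SNET_DENY   },  /* uid 256 may not reach port 80 */
    { "LISTEN",  123, -1, SNET_ACCEPT },  /* uid 123 may open listeners    */
    { "LISTEN",  -1,  -1, SNET_DENY   },  /* every other listener refused  */
};
#define SNET_DEFAULT_VERDICT SNET_ACCEPT  /* stands in for snet_verdict_policy */

int snet_verdict_for_event(const struct snet_event_rec *ev)
{
    size_t i;
    for (i = 0; i < sizeof(RULES) / sizeof(RULES[0]); i++) {
        const struct snet_rule *r = &RULES[i];
        if (r->syscall && strcmp(r->syscall, ev->syscall) != 0) continue;
        if (r->uid != -1 && (unsigned)r->uid != ev->uid) continue;
        if (r->dst_port != -1 && (unsigned)r->dst_port != ev->dst_port) continue;
        return r->verdict;
    }
    return SNET_DEFAULT_VERDICT;
}

/* Parse and decide in one call; a malformed line is reported, not judged. */
int snet_verdict_for_line(const char *line)
{
    struct snet_event_rec ev;
    if (snet_parse_event(line, &ev) != 0)
        return SNET_PARSE_ERROR;
    return snet_verdict_for_event(&ev);
}

/* Returns 1 when both sample lines parse into the values printed on the page. */
int snet_self_check(void)
{
    struct snet_event_rec c, l;
    if (snet_parse_event(SAMPLE_CONNECT, &c) != 0) return 0;
    if (snet_parse_event(SAMPLE_LISTEN, &l) != 0) return 0;
    return c.verdict_id == 0xd && strcmp(c.syscall, "CONNECT") == 0 &&
           c.protocol == 6 && strcmp(c.proto_name, "tcp") == 0 &&
           c.family == 2 && c.uid == 256 && c.pid == 23886 &&
           strcmp(c.dst, "127.0.0.1") == 0 && c.dst_port == 80 &&
           l.verdict_id == 0x4 && l.uid == 123 && l.pid == 5059 &&
           strcmp(l.src, "127.0.0.1") == 0 && l.src_port == 10000;
}

int main(void)
{
    printf("connect sample -> verdict %d\n", snet_verdict_for_line(SAMPLE_CONNECT));
    printf("listen sample  -> verdict %d\n", snet_verdict_for_line(SAMPLE_LISTEN));
    return snet_self_check() ? 0 : 1;
}
```

Note that for a LISTEN event the bound socket appears on the left side of the "->" arrow, so a rule about listening ports has to look at src_port, not dst_port; the rule table above keys listeners on uid only for that reason. A parse failure is returned as its own value rather than silently mapped to accept or deny, so the caller can choose how to fail.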
patches
Version 3:
[RFC,v3,01/10] lsm: add security_socket_closed()
[RFC,v3,02/10] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v3,03/10] snet: introduce snet_core
[RFC,v3,04/10] snet: introduce snet_event
[RFC,v3,05/10] snet: introduce snet_hooks
[RFC,v3,06/10] snet: introduce snet_netlink
[RFC,v3,07/10] snet: introduce snet_verdict
[RFC,v3,08/10] snet: introduce snet_ticket
[RFC,v3,09/10] snet: introduce snet_utils
[RFC,v3,10/10] snet: introduce security/snet, Makefile and Kconfig changes
Version 4:
[RFC,v4,01/11] lsm: add security_socket_closed()
[RFC,v4,02/11] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v3,03/11] snet: introduce snet_core
[RFC,v3,04/11] snet: introduce snet_event
[RFC,v3,05/11] snet: introduce snet_hooks
[RFC,v3,06/11] snet: introduce snet_netlink
[RFC,v3,07/11] snet: introduce snet_verdict
[RFC,v3,08/11] snet: introduce snet_ticket
[RFC,v3,09/11] snet: introduce snet_utils
[RFC,v3,10/11] snet: introduce snet_stats
[RFC,v3,11/11] snet: introduce security/snet, Makefile and Kconfig changes
howto
• kernel
Download the latest kernel git version:
    mkdir devel/
    cd devel/
    git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Download the latest snet patches (version 4):
    mkdir linux-snet
    cd linux-snet
    wget http://www.synack.fr/project/snet/files/v4/linux-snet-v4.tar.bz2
    tar xjvf linux-snet-v4.tar.bz2
    cd ../
Patch the Linux kernel with the snet patches:
    cd linux
    for i in ../linux-snet/*.patch; do patch -p1 < "$i"; done
Configure the kernel:
    make menuconfig
Set up the options for the snet security module:
    Security options --->
      [*] Socket and Networking Security Hooks
      [ ] NSA SELinux Support
      [ ] Simplified Mandatory Access Control Kernel Support
      [ ] TOMOYO Linux Support
      [ ] AppArmor support
      [*] snet - Security for NETwork syscalls
      Default security module (snet) --->
Make and install the kernel and modules:
    make
    make modules
    sudo make modules_install
    sudo make install
Before rebooting you should be aware of two important kernel options:
    snet_verdict_delay: the time in seconds before the default policy is applied to an event
    snet_verdict_policy: the default behavior when the delay is reached. 0: accept, 1: deny
Once here, you are done with the kernel part.
• userspace
lib: libsnet-0.1.tar.bz2
userspace example: snet-tools.tar.bz2
license
The kernel code is released under the GPLv2.
The library code is released under the LGPL.
Links
• Netfilter workshop 2007 summary
• lwn.net article about snet
• snet patch on lwn.net
• Ubuntu Brainstorm: Idea #23333: Implement a "doorman" feature, comparable
to the OSX app "LittleSnitch"
• features opensuse: create interactive dialog for firewall
contact
Samir Bellabes <sam at synack dot fr>