Forums: Open Discussion (Thread #40820)

Raw communication bypassing tomoyo/akari (2019-06-05 08:27 by intika #83070)

Hi,

First things first, as usual: thank you for your work and for maintaining this amazing tool :)

Raw communication like https://gist.github.com/austinmarton/1922600 is not intercepted by tomoyo/akari ...

The raw socket can be used like this:

- socket(AF_INET,RAW_SOCKET,...) means L3 socket, Network Layer Protocol = IPv4
- socket(AF_INET6,RAW_SOCKET,...) means L3 socket, Network Layer Protocol = IPv6
- socket(AF_IPX,RAW_SOCKET,...) means L3 socket, Network Layer Protocol = IPX
- socket(AF_PACKET,RAW_SOCKET,...) means L2 socket, Data-link Layer Protocol = Ethernet

The first two are handled, but IPX and AF_PACKET are not intercepted because tomoyo/akari does not handle them... I have not yet reviewed
https://github.com/torvalds/linux/blob/master/include/linux/socket.h to check all the other possibilities of network communication that tomoyo/akari does not handle...

I don't have the time to work on this right now, but is adding support for this an easy task?
(Last Update: 2019-06-05 08:29 by intika)

Re: Raw communication bypassing tomoyo/akari (2019-06-05 22:50 by kumaneko #83074)

Hello. Thank you for using TOMOYO/AKARI.

TOMOYO/AKARI handles only TCP/UDP/RAW on PF_INET/PF_INET6 and STREAM/DGRAM/SEQPACKET on PF_UNIX.
This is because other protocols are unlikely to be permitted by firewalls even if applications try
to communicate using other protocols. As far as I know, none of the upstreamed LSM modules check
addresses of other protocols (SELinux seems to check SCTP though). Adding support for checking
other protocols is unlikely to pay for the complexity.

Why do you want to check PF_IPX and PF_PACKET etc.? Why do you want to check
AF_IPX and AF_PACKET etc. addresses associated with TOMOYO/AKARI's domains?

I think that use of regular firewalls (or maybe made-to-order LSM module)
might fit better than trying to check other protocols using TOMOYO/AKARI.
Reply to #83070
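The two posts above disagree about where the blind spot is, and the quickest way to settle it on a given box is to measure it. The following probe is an added example (not code from the thread or from the TOMOYO/AKARI project); it tries socket(2) for the four raw-socket families listed in the first post and classifies the outcome, so you can run it once from an unconfined shell and once inside a TOMOYO/AKARI domain (or as an unprivileged user) and compare which families are actually reachable. It assumes a Linux system with the usual glibc and kernel uapi headers; the names `raw_probe`, `probe_raw_sockets` and `probe_verdict` are mine, not TOMOYO identifiers.

```c
/* Added example, not from the thread or the TOMOYO project: probe which
 * raw-socket families the current process may open.  All four need
 * CAP_NET_RAW, so as a plain user you should see EPERM everywhere; as root
 * inside a MAC domain the result tells you which families the MAC layer
 * actually gates.  Assumes Linux headers (AF_PACKET, ETH_P_ALL). */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/if_ether.h>   /* ETH_P_ALL */

struct raw_probe {
    const char *name;   /* label for the report */
    int domain;         /* first argument to socket(2) */
    int type;           /* SOCK_RAW for every entry here */
    int protocol;       /* family-specific protocol selector, host order */
    int err;            /* 0 if created, otherwise errno from socket(2) */
};

/* The four cases from the first post, in the same order. */
static struct raw_probe probes[] = {
    { "AF_INET   SOCK_RAW (L3, IPv4, ICMP)",    AF_INET,   SOCK_RAW, IPPROTO_ICMP,   -1 },
    { "AF_INET6  SOCK_RAW (L3, IPv6, ICMPv6)",  AF_INET6,  SOCK_RAW, IPPROTO_ICMPV6, -1 },
    { "AF_IPX    SOCK_RAW (L3, IPX)",           AF_IPX,    SOCK_RAW, 0,              -1 },
    { "AF_PACKET SOCK_RAW (L2, Ethernet, all)", AF_PACKET, SOCK_RAW, ETH_P_ALL,      -1 },
};

/* Try socket(2) for every entry, record errno, and close sockets that were
 * granted.  Returns how many families could be created, so two runs (inside
 * and outside a restricted domain) can be compared with one number. */
int probe_raw_sockets(struct raw_probe *list, size_t n)
{
    int granted = 0;
    for (size_t i = 0; i < n; i++) {
        int proto = list[i].protocol;
        /* AF_PACKET takes the EtherType in network byte order. */
        if (list[i].domain == AF_PACKET)
            proto = htons(proto);
        int fd = socket(list[i].domain, list[i].type, proto);
        if (fd < 0) {
            list[i].err = errno;
        } else {
            list[i].err = 0;
            granted++;
            close(fd);
        }
    }
    return granted;
}

/* Turn the recorded errno into the practitioner's question: was the family
 * reachable, refused by a capability/MAC check, or simply not built in? */
const char *probe_verdict(int err)
{
    switch (err) {
    case 0:               return "CREATED - protocol reachable from this domain";
    case EPERM:
    case EACCES:          return "DENIED  - capability or MAC check refused it";
    case EAFNOSUPPORT:
    case EPROTONOSUPPORT: return "ABSENT  - family/protocol not in this kernel";
    default:              return "OTHER   - see errno";
    }
}

int main(void)
{
    size_t n = sizeof probes / sizeof probes[0];
    int granted = probe_raw_sockets(probes, n);
    for (size_t i = 0; i < n; i++)
        printf("%-42s %s (%s)\n", probes[i].name,
               probe_verdict(probes[i].err), strerror(probes[i].err));
    printf("%d of %zu raw socket families could be opened\n", granted, n);
    return 0;
}
```

Run it as root both inside and outside the domain you are auditing. A family that reports CREATED inside a domain whose policy never mentions it is exactly the kind of path the first post calls a bypass; ABSENT on AF_IPX is common on modern kernels that do not build the IPX stack, and a plain-user run that shows DENIED everywhere only tells you that CAP_NET_RAW is missing, not what the MAC layer does.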

Re: Raw communication bypassing tomoyo/akari (2019-06-06 10:06 by intika #83079)

Reply To Message #83074

Thank you for taking time to answer :)

The idea behind this is to make TOMOYO/AKARI handle the network fully without any blind spot (regarding the Linux Kernel) and also to prevent any communication from "bypassing" TOMOYO/AKARI...

As you advised, I will check iptables rules and other firewall/kernel solutions to handle those protocols. I guess this will be much easier than adding other protocols to TOMOYO/AKARI...
Reply to #83074

Re: Raw communication bypassing tomoyo/akari (2019-07-03 12:54 by intika #83186)

Reply To Message #83074
> Hello. Thank you for using TOMOYO/AKARI.

Just realized that Tomoyo can handle capabilities, yaaay :) ... so basically v1.8.x fixes my problem... I'll look into that :) (I am too happy this saves me some hours of programming :D)
Reply to #83074

Re: Raw communication bypassing tomoyo/akari (2019-07-03 13:09 by intika #83187)

Reply To Message #83074

Woot!!! You have capabilities like use_kernel_module, use_packet, use_route... etc. THIS IS BRILLIANT!
I am excited to use all that :)
Reply to #83074

Re: Raw communication bypassing tomoyo/akari (2019-07-03 13:10 by intika #83188)

Reply To Message #83074
> Hello. Thank you for using TOMOYO/AKARI.

Sorry, I posted here, whereas this belongs to the tomoyo v1.8 branch...
Reply to #83074