Network Events Connector
Idea
The main idea is to capture events coming from
userspace whenever a process makes a network syscall
(sys_listen, sys_bind, ...). For that, the LSM framework seems to be
the simplest option, since all we have to do is hook into the LSM hooks through
struct security_operations {}.
This project is no longer supported. See project
snet for updates.
Fig 0. goal of the network events connector
Tools
The Network Events Connector can be extended in
order to be fully useful; for that, the cn_net_daemon uses
D-Bus as an abstraction layer, so that any tool can use the data coming from the
kernel. For example, the application cn_net_sql is able to listen for
DATA messages coming from the kernel and to send their content to a SQL
database, in order to log or analyse them.
Fig 1. global architecture
Protocol
Here is the kernel-to-userspace protocol.
Fig 2. userspace <-> kernel protocol
Architecture
There is the connector callback cn_net_ctl(),
which receives messages from userspace and dispatches on their
msg_type. There is also the struct security_operations {}, whose hooks
catch the network events; the user's configuration is then applied
to each event caught there.
Fig 3. internal architecture
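The two paths described in the Idea and Architecture sections, as an added userspace model (this is illustration code written for this page, not cn_net's own kernel code): a cn_net_ctl-style control callback dispatches on msg_type to maintain a rule table, and an LSM-style check consults that table for a bind or listen event. The message header layout, the msg_type and event values, the rule fields (process name, port, verdict) and the default-allow policy are all assumptions of this example; the real protocol is the one in Fig. 2 and the real hooks live in the kernel's struct security_operations.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Event kinds the LSM-side hooks report (the page names sys_bind and
 * sys_listen) and the msg_type values a userspace tool may send to the
 * control callback. All numeric values here are assumptions of this model. */
enum cn_net_event { CN_NET_EV_BIND = 1, CN_NET_EV_LISTEN = 2 };
enum cn_net_msg_type { CN_NET_MSG_ADD_RULE = 1, CN_NET_MSG_DEL_RULE = 2, CN_NET_MSG_FLUSH = 3 };
enum cn_net_verdict { CN_NET_ALLOW = 0, CN_NET_DENY = -1 };

/* One rule (assumed layout): match an event by process name and port. */
struct cn_net_rule {
    uint32_t event;     /* enum cn_net_event */
    char     comm[16];  /* like task->comm, NUL-terminated */
    uint16_t port;      /* 0 matches any port */
    int32_t  verdict;   /* enum cn_net_verdict */
};

/* Control message header; stands in for the connector's cn_msg + payload. */
struct cn_net_msg_hdr { uint32_t msg_type; uint32_t len; };

#define CN_NET_MAX_RULES 32
static struct cn_net_rule rules[CN_NET_MAX_RULES];
static unsigned int nrules;

unsigned int cn_net_rule_count(void) { return nrules; }

/* Control path, modelled on cn_net_ctl(): dispatch on msg_type. Returns 0 on
 * success, -1 for a malformed or unknown message. The length is checked
 * before the payload is read, because the message came from userspace. */
int cn_net_ctl(const struct cn_net_msg_hdr *hdr, const void *payload)
{
    const struct cn_net_rule *r = payload;
    unsigned int i;
    switch (hdr->msg_type) {
    case CN_NET_MSG_ADD_RULE:
        if (hdr->len != sizeof(*r) || nrules == CN_NET_MAX_RULES)
            return -1;
        if (memchr(r->comm, '\0', sizeof(r->comm)) == NULL)
            return -1;  /* refuse an unterminated process name */
        rules[nrules++] = *r;
        return 0;
    case CN_NET_MSG_DEL_RULE:
        if (hdr->len != sizeof(*r))
            return -1;
        for (i = 0; i < nrules; i++) {
            if (rules[i].event != r->event || rules[i].port != r->port ||
                strncmp(rules[i].comm, r->comm, sizeof(r->comm)) != 0)
                continue;
            memmove(&rules[i], &rules[i + 1], (nrules - i - 1) * sizeof(rules[0]));
            nrules--;
            return 0;
        }
        return -1;      /* no such rule */
    case CN_NET_MSG_FLUSH:
        nrules = 0;
        return 0;
    default:
        return -1;      /* unknown msg_type: reject, never guess */
    }
}

/* Event path: what a socket_bind / socket_listen hook does with the event it
 * caught. First matching rule wins; no match means allow, so an empty
 * configuration never breaks networking. */
int cn_net_check_event(enum cn_net_event ev, const char *comm, uint16_t port)
{
    unsigned int i;
    for (i = 0; i < nrules; i++) {
        if (rules[i].event == (uint32_t)ev &&
            strncmp(rules[i].comm, comm, sizeof(rules[i].comm)) == 0 &&
            (rules[i].port == 0 || rules[i].port == port))
            return rules[i].verdict;
    }
    return CN_NET_ALLOW;
}

/* Builds one well-formed control message and hands it to cn_net_ctl(). */
int cn_net_send_rule(uint32_t msg_type, enum cn_net_event ev, const char *comm,
                     uint16_t port, enum cn_net_verdict verdict)
{
    struct cn_net_rule r;
    struct cn_net_msg_hdr hdr = { msg_type, (uint32_t)sizeof(r) };
    memset(&r, 0, sizeof(r));
    r.event = ev;
    strncpy(r.comm, comm, sizeof(r.comm) - 1);
    r.port = port;
    r.verdict = verdict;
    return cn_net_ctl(&hdr, &r);
}

int main(void)
{
    struct cn_net_msg_hdr bad = { CN_NET_MSG_ADD_RULE, 4 };   /* constructed: too short */
    cn_net_send_rule(CN_NET_MSG_ADD_RULE, CN_NET_EV_LISTEN, "nc", 0, CN_NET_DENY); /* constructed rule */
    printf("nc listen 8080 -> %d\n", cn_net_check_event(CN_NET_EV_LISTEN, "nc", 8080));
    printf("nc bind 8080   -> %d\n", cn_net_check_event(CN_NET_EV_BIND, "nc", 8080));
    printf("short ADD_RULE -> %d\n", cn_net_ctl(&bad, "x"));
    return 0;
}
```

Two habits worth carrying into a real connector callback are visible here: the length of a userspace message is checked before its payload is interpreted, and an unknown msg_type is rejected rather than silently ignored.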
gcn_net : GTK frontend to cn_net
There is also a GTK status icon for managing
cn_net.
Here are some screenshots.

Fig 4. notifying user
If the user clicks on 'Process' in the above notification, the following dialog is displayed.

Fig 5. 'Create a rule' dialog
There is also a 'security console' for managing rules.

Fig 6. 'Security console' dialog
Other screenshots
Future / todo
First version - no further updates planned for it
- Write documentation on the D-Bus protocol
- Write userspace tools other than cn_net_sql
- Move the hashtable to an rbtree (done, asked by Evgeniy Polyakov)
- Fix the coding style (done, asked by David Miller)
- Write a user tool to configure rules (started, named gcn_net)
- Add other syscalls (?) such as sys_socket, sys_accept, ...
- Write documentation on how the rules are managed (for the moment
in a sqlite3 database) and on how to add your own management backend
Second version
- Move the code from the netlink connector to Generic Netlink
(libnl / Generic Netlink Howto)
- Add other LSM hooks to the security operations
Patches
First version - you are strongly advised not to use this
version. It is more a proof of concept than a piece of software.
Links
Thanks
Arnaldo Carvalho de Melo <acme at redhat dot com>
Luiz Capitulino <lcapitulino at mandriva dot com>
Frédéric Crozat <fcrozat at mandriva dot com> on DBus
Contact
Samir Bellabes <sam at synack dot fr>
Last modified: Mon Jan 19 04:13:14 CET 2009