snet - userspace Security for NETwork syscalls
The main idea is to capture events coming from userspace whenever a process makes a network syscall (sys_listen, sys_bind, ...). For that, the LSM framework seems the simplest route, since all we have to do is hook into the LSM entry points through struct security_operations {}.
snet is divided in two parts, a kernel part and a userspace part.
The kernel part is an LSM and communicates with userspace over netlink (libnl on the userspace side). The userspace part is built as a library, so it is easy to use from your own code to intercept events. Here is some example data you will get through the library callback function:
verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0
As you can guess, at this point it is really easy to log this into a database or build a personal firewall.
The great improvement is that it transparently supports all network protocols and all address families.
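The records above are all a userspace policy needs to work with. As an added example (not code from snet or libsnet, whose callback type is not shown on this page), here is a C parser for these records together with a small first-match rule table that returns a verdict in the same 0 accept / 1 deny convention the kernel's snet_verdict_policy uses. The rule set, the third sample record and the function names (parse_event, decide, handle_event) are constructed for this example.

```c
/* Added example, not code from snet or libsnet. parse_event() reads the
 * records the page prints, decide() applies a constructed rule table and
 * handle_event() stands in for the library callback (real type unknown). */
#include <stdio.h>
#include <string.h>

#define SNET_ACCEPT 0            /* same convention as snet_verdict_policy */
#define SNET_DENY   1
#define RULE_ANY    0xffffffffu

struct snet_event {
    unsigned long verdict_id;
    char syscall[16];
    int protocol, family;
    unsigned uid, pid;
    char src[64], dst[64];
    unsigned src_port, dst_port;
};

/* Parse one "key=value ..." record in the IPv4 form shown on the page.
 * Returns 0 on success, -1 when verdict_id, syscall or the addresses are missing. */
int parse_event(const char *line, struct snet_event *ev)
{
    char buf[512], *tok;
    int have_id = 0, have_sys = 0, have_addr = 0;

    memset(ev, 0, sizeof(*ev));
    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);

    for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (sscanf(tok, "verdict_id=%lx", &ev->verdict_id) == 1)
            have_id = 1;
        else if (sscanf(tok, "syscall=%15s", ev->syscall) == 1)
            have_sys = 1;
        else if (strstr(tok, "->") &&
                 sscanf(tok, "%63[^:]:%u->%63[^:]:%u",
                        ev->src, &ev->src_port, ev->dst, &ev->dst_port) == 4)
            have_addr = 1;
        else if (sscanf(tok, "protocol=%d", &ev->protocol) == 1 ||
                 sscanf(tok, "family=%d", &ev->family) == 1 ||
                 sscanf(tok, "uid=%u", &ev->uid) == 1 ||
                 sscanf(tok, "pid=%u", &ev->pid) == 1)
            continue;
        /* bracketed labels such as [tcp] or [tcpconnect] carry no extra data */
    }
    return (have_id && have_sys && have_addr) ? 0 : -1;
}

struct rule {
    const char *syscall;  /* CONNECT, LISTEN, ... */
    unsigned uid;         /* RULE_ANY matches every user */
    unsigned port;        /* remote port for CONNECT, local port for LISTEN */
    int verdict;
};

/* Constructed rule set: first match wins, anything unmatched is accepted */
static const struct rule rules[] = {
    { "CONNECT", RULE_ANY, 80,       SNET_DENY },  /* no cleartext HTTP for anyone */
    { "LISTEN",  123,      RULE_ANY, SNET_DENY },  /* uid 123 may not open a listener */
};

int decide(const struct snet_event *ev)
{
    unsigned port = strcmp(ev->syscall, "LISTEN") == 0 ? ev->src_port : ev->dst_port;
    size_t i;

    for (i = 0; i < sizeof(rules) / sizeof(rules[0]); i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->syscall, ev->syscall) == 0 &&
            (r->uid == RULE_ANY || r->uid == ev->uid) &&
            (r->port == RULE_ANY || r->port == port))
            return r->verdict;
    }
    return SNET_ACCEPT;
}

/* Stand-in for the library callback: the verdict, or -1 for a malformed record */
int handle_event(const char *line)
{
    struct snet_event ev;
    return parse_event(line, &ev) == 0 ? decide(&ev) : -1;
}

int main(void)
{
    /* the two records printed on the page plus one constructed accept case */
    static const char *samples[] = {
        "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80",
        "verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0",
        "verdict_id=0x5 syscall=CONNECT protocol=6 [tcp] family=2 uid=1000 pid=4242 [tcpconnect] 0.0.0.0:0->192.0.2.10:443",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%s => %d\n", samples[i], handle_event(samples[i]));   /* 1, 1, 0 */
    return 0;
}
```

The parser only accepts the IPv4 "addr:port->addr:port" form printed on the page; an IPv6 address contains colons itself and would need a different separator before it could be handled the same way.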
Version 3:
[RFC,v3,01/10] lsm: add security_socket_closed()
[RFC,v3,02/10] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v3,03/10] snet: introduce snet_core
[RFC,v3,04/10] snet: introduce snet_event
[RFC,v3,05/10] snet: introduce snet_hooks
[RFC,v3,06/10] snet: introduce snet_netlink
[RFC,v3,07/10] snet: introduce snet_verdict
[RFC,v3,08/10] snet: introduce snet_ticket
[RFC,v3,09/10] snet: introduce snet_utils
[RFC,v3,10/10] snet: introduce security/snet, Makefile and Kconfig changes
Version 4:
[RFC,v4,01/11] lsm: add security_socket_closed()
[RFC,v4,02/11] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v4,03/11] snet: introduce snet_core
[RFC,v4,04/11] snet: introduce snet_event
[RFC,v4,05/11] snet: introduce snet_hooks
[RFC,v4,06/11] snet: introduce snet_netlink
[RFC,v4,07/11] snet: introduce snet_verdict
[RFC,v4,08/11] snet: introduce snet_ticket
[RFC,v4,09/11] snet: introduce snet_utils
[RFC,v4,10/11] snet: introduce snet_stats
[RFC,v4,11/11] snet: introduce security/snet, Makefile and Kconfig changes
- kernel
Download the latest kernel git version:
mkdir devel/
cd devel/
git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Download the latest snet patches (version 4):
mkdir linux-snet
cd linux-snet
wget http://www.synack.fr/project/snet/files/v4/linux-snet-v4.tar.bz2
tar xjvf linux-snet-v4.tar.bz2
cd ../
Patch the linux kernel with the snet patches:
cd linux
for i in ../linux-snet/*.patch; do patch -p1 < $i; done
Configure the kernel:
make menuconfig
Set up the options for the snet security module:
Security options --->
  [*] Socket and Networking Security Hooks
  [ ] NSA SELinux Support
  [ ] Simplified Mandatory Access Control Kernel Support
  [ ] TOMOYO Linux Support
  [ ] AppArmor support
  [*] snet - Security for NETwork syscalls
  Default security module (snet) --->
Make and install the kernel and modules:
make
make modules
sudo make modules_install
sudo make install
Before rebooting you should be aware of 2 important kernel options:
snet_verdict_delay: the time in seconds before applying the default policy to an event
snet_verdict_policy: the default behaviour when the delay is reached. 0: accept, 1: deny
Choose the policy deliberately: with 0, a userspace daemon that is absent or hung leaves every network syscall accepted once the delay expires (fail open); with 1, it leaves them all denied (fail closed), which also applies before the daemon has started.
Once here, you are done with the kernel part.
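To make the two options concrete, here is an added example in C (not snet's own code; every function and field name in it belongs to this example) that models a pending event: the hooked syscall waits for the daemon's verdict, and once snet_verdict_delay seconds have passed without one, snet_verdict_policy answers in its place. The sequence in main() uses a silent daemon to show the fail-closed case.

```c
/* Added example, not snet's own code: a userspace model of what
 * snet_verdict_delay and snet_verdict_policy do to an event that is
 * waiting for a verdict. All names here are this example's own. */
#include <stdio.h>
#include <string.h>

#define SNET_ACCEPT    0
#define SNET_DENY      1
#define VERDICT_WAIT  -1   /* no answer yet and the delay has not elapsed */
#define VERDICT_NONE  -2   /* unknown verdict_id: never registered or already resolved */
#define MAX_PENDING    8

struct pending {
    unsigned long verdict_id;  /* 0 marks a free slot */
    long created;              /* seconds on the caller's clock */
    int answered, verdict;
};

struct verdict_table {
    struct pending slot[MAX_PENDING];
    unsigned delay;   /* snet_verdict_delay, in seconds */
    int policy;       /* snet_verdict_policy: 0 accept, 1 deny */
};

void verdict_table_init(struct verdict_table *t, unsigned delay, int policy)
{
    memset(t, 0, sizeof(*t));
    t->delay = delay;
    t->policy = policy;
}

static struct pending *find_slot(struct verdict_table *t, unsigned long id)
{
    size_t i;
    for (i = 0; i < MAX_PENDING; i++)
        if (t->slot[i].verdict_id == id)
            return &t->slot[i];
    return NULL;
}

/* Kernel side: a hooked syscall registers its event and starts waiting.
 * Returns -1 for id 0 (reserved) or when no slot is free. */
int verdict_pending_add(struct verdict_table *t, unsigned long id, long now)
{
    struct pending *p = find_slot(t, 0);
    if (id == 0 || !p)
        return -1;
    p->verdict_id = id;
    p->created = now;
    p->answered = 0;
    return 0;
}

/* Userspace side: the daemon answers for one verdict_id. A late answer for
 * an event the delay already resolved is rejected with -1. */
int verdict_submit(struct verdict_table *t, unsigned long id, int verdict)
{
    struct pending *p = find_slot(t, id);
    if (!p)
        return -1;
    p->answered = 1;
    p->verdict = verdict;
    return 0;
}

/* Kernel side: what the blocked syscall gets at time `now`. The daemon's
 * verdict wins if it arrived; otherwise the default policy applies once the
 * delay has elapsed. Resolved entries are freed, so a late answer gets -1
 * from verdict_submit() instead of landing on a stale slot. */
int verdict_resolve(struct verdict_table *t, unsigned long id, long now)
{
    struct pending *p = find_slot(t, id);
    int v;
    if (!p)
        return VERDICT_NONE;
    if (p->answered)
        v = p->verdict;
    else if (now - p->created >= (long)t->delay)
        v = t->policy;   /* daemon silent: fail open (0) or fail closed (1) */
    else
        return VERDICT_WAIT;
    p->verdict_id = 0;
    return v;
}

int main(void)
{
    struct verdict_table t;
    long now;

    verdict_table_init(&t, 5, SNET_DENY);       /* delay 5 s, fail closed */
    verdict_pending_add(&t, 0x4, 0);
    for (now = 0; now <= 5; now++)              /* nobody answers: -1 x5, then 1 */
        printf("t=%ld verdict=%d\n", now, verdict_resolve(&t, 0x4, now));
    return 0;
}
```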
- userspace
lib : libsnet-0.1.tar.bz2
userspace example : snet-tools.tar.bz2
The kernel code is released under the GPLv2.
The library code is released under the LGPL.
Samir Bellabes <sam at synack dot fr>