File LICENSE of Package libsnet (project ha:firewall on the j0ke.net Open Build Service)
w3m -dump http://www.synack.fr/project/snet/snet.html retrieved 2011-10-03
===
synack.fr main

about project snet - userspace Security for NETwork syscalls

idea

The main idea is to capture events coming from userspace whenever a process is doing some network syscall (sys_listen, sys_bind, ...). For that, it seems that the LSM structure is the simplest, as far as we just have to connect to the LSM hooks with struct security_operations {}.

tools

snet is divided in two codes, a kernel part and a userspace part.

The kernel code is using LSM, and communicates with userspace with libnl.

The userspace code is built as a library, so it's easy to use it in your own code in order to intercept "events". Here are some examples of the data you will get thanks to the library callback function:

    verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
    verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0

As you can guess, at this point it's really easy to log this into a database or build a personal firewall. The great improvement is that it transparently supports all network protocols and all network families.
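As an added example (not part of the project page and not the libsnet library, whose C API is not shown here), the Python script below parses callback records of the textual shape shown above into a structured event and applies a small userspace policy to each one. The pending/default behaviour is modelled on the snet_verdict_delay and snet_verdict_policy kernel options described in the howto: while no rule matches and the delay has not expired the verdict stays pending, and once the delay is reached the default policy is applied. The rule set, the delay and default values, and the third sample record are constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Verdict codes, using the encoding of the snet_verdict_policy kernel option
# on the project page (0:accept, 1:deny). PENDING means "no decision yet".
ACCEPT = 0
DENY = 1
PENDING = None

# Assumed defaults for this illustration; the real values are whatever the
# kernel was booted with (snet_verdict_delay / snet_verdict_policy).
DEFAULT_DELAY = 5.0
DEFAULT_POLICY = DENY

# One record per line, in the textual shape shown on the project page.
EVENT_RE = re.compile(
    r"^verdict_id=(?P<verdict_id>0x[0-9a-fA-F]+)\s+"
    r"syscall=(?P<syscall>[A-Z_]+)\s+"
    r"protocol=(?P<protocol>\d+)\s+\[(?P<proto_name>\w+)\]\s+"
    r"family=(?P<family>\d+)\s+"
    r"uid=(?P<uid>\d+)\s+"
    r"pid=(?P<pid>\d+)\s+"
    r"\[(?P<kind>\w+)\]\s+"
    r"(?P<src_ip>[0-9.]+):(?P<src_port>\d+)->(?P<dst_ip>[0-9.]+):(?P<dst_port>\d+)$"
)


@dataclass(frozen=True)
class SnetEvent:
    verdict_id: int          # ticket the verdict has to be answered with
    syscall: str             # CONNECT, LISTEN, ...
    protocol: int            # IPPROTO_* number
    proto_name: str          # human-readable protocol from the record
    family: int              # address family (2 == AF_INET)
    uid: int
    pid: int
    kind: str                # tcpconnect, tcplisten, ...
    src: Tuple[str, int]
    dst: Tuple[str, int]


def parse_event(line: str) -> SnetEvent:
    """Parse one callback record. A malformed line raises ValueError so it
    can never be silently turned into an accept."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised snet event record: %r" % line)
    g = m.groupdict()
    return SnetEvent(
        verdict_id=int(g["verdict_id"], 16),
        syscall=g["syscall"],
        protocol=int(g["protocol"]),
        proto_name=g["proto_name"],
        family=int(g["family"]),
        uid=int(g["uid"]),
        pid=int(g["pid"]),
        kind=g["kind"],
        src=(g["src_ip"], int(g["src_port"])),
        dst=(g["dst_ip"], int(g["dst_port"])),
    )


@dataclass(frozen=True)
class Rule:
    """A policy rule; a None field is a wildcard. First matching rule wins."""
    verdict: int
    syscall: Optional[str] = None
    uid: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, ev: SnetEvent) -> bool:
        return all(
            want is None or want == got
            for want, got in ((self.syscall, ev.syscall),
                              (self.uid, ev.uid),
                              (self.dst_port, ev.dst[1]))
        )


def decide(ev: SnetEvent, rules: List[Rule], elapsed: float,
           delay: float = DEFAULT_DELAY, default: int = DEFAULT_POLICY) -> Optional[int]:
    """Return ACCEPT or DENY, or PENDING while no rule matches and the delay
    has not expired (e.g. a user dialog is still open). Once `elapsed`
    reaches `delay` the default policy is applied, as the kernel does when
    userspace never answers."""
    for rule in rules:
        if rule.matches(ev):
            return rule.verdict
    if elapsed < delay:
        return PENDING
    return default


# The two records from the project page plus one constructed record (uid 1000
# connecting to 10.0.0.5:443) that no rule below covers.
SAMPLE_EVENTS = [
    "verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 pid=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80",
    "verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0",
    "verdict_id=0x1f syscall=CONNECT protocol=6 [tcp] family=2 uid=1000 pid=4242 [tcpconnect] 0.0.0.0:0->10.0.0.5:443",
]

# Constructed policy: let uid 256 reach port 80, refuse every LISTEN.
RULES = [
    Rule(verdict=ACCEPT, syscall="CONNECT", uid=256, dst_port=80),
    Rule(verdict=DENY, syscall="LISTEN"),
]

if __name__ == "__main__":
    names = {ACCEPT: "accept", DENY: "deny", PENDING: "pending"}
    for line in SAMPLE_EVENTS:
        ev = parse_event(line)
        v = decide(ev, RULES, elapsed=0.0)
        print("verdict_id=%#x %s uid=%d -> %s" % (ev.verdict_id, ev.syscall, ev.uid, names[v]))
```

The verdict_id is kept in the parsed event because it is the only thing that ties a decision back to the blocked syscall; a real consumer would send it back together with the verdict rather than print it. Unparseable records raise instead of defaulting, so an unexpected record format fails closed.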
patches

Version 3:
[RFC,v3,01/10] lsm: add security_socket_closed()
[RFC,v3,02/10] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v3,03/10] snet: introduce snet_core
[RFC,v3,04/10] snet: introduce snet_event
[RFC,v3,05/10] snet: introduce snet_hooks
[RFC,v3,06/10] snet: introduce snet_netlink
[RFC,v3,07/10] snet: introduce snet_verdict
[RFC,v3,08/10] snet: introduce snet_ticket
[RFC,v3,09/10] snet: introduce snet_utils
[RFC,v3,10/10] snet: introduce security/snet, Makefile and Kconfig changes

Version 4:
[RFC,v4,01/11] lsm: add security_socket_closed()
[RFC,v4,02/11] Revert "lsm: Remove the socket_post_accept() hook"
[RFC,v3,03/11] snet: introduce snet_core
[RFC,v3,04/11] snet: introduce snet_event
[RFC,v3,05/11] snet: introduce snet_hooks
[RFC,v3,06/11] snet: introduce snet_netlink
[RFC,v3,07/11] snet: introduce snet_verdict
[RFC,v3,08/11] snet: introduce snet_ticket
[RFC,v3,09/11] snet: introduce snet_utils
[RFC,v3,10/11] snet: introduce snet_stats
[RFC,v3,11/11] snet: introduce security/snet, Makefile and Kconfig changes

howto

• kernel

Download the latest kernel git version:

    mkdir devel/
    cd devel/
    git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Download the latest snet patches (version 4):

    mkdir linux-snet
    cd linux-snet
    wget http://www.synack.fr/project/snet/files/v4/linux-snet-v4.tar.bz2
    tar xjvf linux-snet-v4.tar.bz2
    cd ../

Patch the linux kernel with the snet patches:

    cd linux
    for i in ../linux-snet/*.patch; do patch -p1 < $i; done

Configure the kernel:

    make menuconfig

Set up the options for the snet security module:

    Security options --->
        [*] Socket and Networking Security Hooks
        [ ] NSA SELinux Support
        [ ] Simplified Mandatory Access Control Kernel Support
        [ ] TOMOYO Linux Support
        [ ] AppArmor support
        [*] snet - Security for NETwork syscalls
            Default security module (snet) --->

Make and install the kernel and modules:

    make
    make modules
    sudo make modules_install
    sudo make install

Before rebooting you should be aware of 2 important kernel options:

    snet_verdict_delay: the time in seconds before applying a default policy to the event
    snet_verdict_policy: the default behavior when the delay is reached. 0:accept, 1:deny

Once here, you are done with the kernel part.

• userspace

lib: libsnet-0.1.tar.bz2
userspace example: snet-tools.tar.bz2

license

The kernel code is released under the GPLv2.
The lib code is released under the LGPL.

Links

• Netfilter workshop 2007 summary
• lwn.net article about snet
• snet patch on lwn.net
• Ubuntu Brainstorm: Idea #23333: Implement a "doorman"-feature, comparable to the OSX app "LittleSnitch"
• features opensuse: create interactive dialog for firewall

contact

Samir Bellabes <sam at synack dot fr>