Check out the new USENIX Web site. next up previous
Next: Other Hooks Up: Implementation Previous: Filesystem Hooks

Network Hooks

Application layer access to networking is mediated using a set of socket hooks. These hooks, which include the interposition of all socket system calls, provide coarse mediation coverage of all socket-based protocols. Since active user sockets have an associated inode structure, a separate security field was not added to the socket structure or to the lower-level sock structure. As the socket hooks allow general mediation of network traffic in relation to processes, LSM significantly expands the kernel's network access control framework (which is already handled at the network layer by Netfilter [36]). For example, the sock_rcv_skb hook allows an inbound packet to be mediated in terms of its destination application, prior to being queued at the associated userspace socket.

Additional finer-grained hooks have been implemented for the IPv4, UNIX domain, and Netlink protocols, which were considered essential for the implementation of a minimally useful system. Similar hooks for other protocols may be implemented at a later stage.

Network data traverses the stack in packets encapsulated by an sk_buff (socket buffer) structure. LSM adds a security field to the sk_buff structure, so that security state may be managed across network layers on a per-packet basis. A set of sk_buff hooks is provided for lifecycle management of this security field.

Hardware and software network devices are encapsulated by a net_device structure. A security field was added to this structure so that security state can be maintained on a per-device basis.

Coverage of low level network support components, such as routing tables and traffic classifiers is somewhat limited due to the invasiveness of the code which would be required to implement consistent fine-grained hooks. Access to these objects can be mediated at higher levels (for example, using ioctl), although granularity may be reduced by TOCTTOU issues.

next up previous
Next: Other Hooks Up: Implementation Previous: Filesystem Hooks
Chris Wright 2002-05-13