INSUN PYO [Wed, 3 Feb 2021 04:43:03 +0000 (13:43 +0900)]
Change systemd-devel package name
Change-Id: I89c19fdcf7d9f08f92a90149e4cba9d23d2684b8
Krzysztof Jackiewicz [Mon, 20 Jul 2020 16:16:54 +0000 (18:16 +0200)]
Switch to GPLv2.0
Change-Id: I103450eec4177ffc39b1239905bdb2aa0a792cef
Tomasz Swierczek [Wed, 15 Jan 2020 09:33:07 +0000 (10:33 +0100)]
Fixes for gcc 9
Change-Id: Ie4504973bd0057f7561053a8850059d6fcd99236
INSUN PYO [Wed, 26 Jun 2019 00:49:21 +0000 (09:49 +0900)]
Change the config value of the "PermissionsStartOnly=" ("true" -> "yes")
Change-Id: I473f0e5ddd5ef07f21fdd8aec5b31071d1b6cb91
Kim Kidong [Wed, 31 Oct 2018 01:07:55 +0000 (01:07 +0000)]
Merge "Change Nether rule to use raw table for UDP packet." into tizen
Pawel Kowalski [Thu, 16 Aug 2018 09:50:38 +0000 (11:50 +0200)]
Add Apache 2.0 license header
Change-Id: Iba56dc1b4da52decbcc468805c4ddfde64a4a62e
Pawel Kowalski [Thu, 16 Aug 2018 11:22:39 +0000 (13:22 +0200)]
Fix code style
Change-Id: Ia9b1218ab6d0e82de0837c6789b9bcaf067c3f7f
jin-gyu.kim [Wed, 4 Jul 2018 02:50:05 +0000 (11:50 +0900)]
Change Nether rule to use raw table for UDP packet.
UDP packets are dropped unexpectedly if they are put into NFQUEUE
simultaneously. This seems to be a bug in conntrack, which can be avoided
if the raw table is used. It requires kernel support to enable
CONFIG_IP_NF_RAW and change the priority in nf_ip_hook_priorities.
Change-Id: I8f3b3e1ecf69a44486757f27c61b34da02f4fb42
Piotr Sawicki [Mon, 31 Jul 2017 10:11:18 +0000 (12:11 +0200)]
Release 0.0.2
This release adds the ability to manage UDP, UDPLite and local DNS traffic.
Restoring of the netfilter configuration has been moved from the Nether executable to
systemd startup scripts. Management of capabilities has been moved to
the security-config service. Furthermore, a few bugs have been fixed: defects
detected by Svace and those found during development of new features.
Change-Id: I43148e148952e1c19f0b379a3d9bce7c6e472234
jin-gyu.kim [Thu, 13 Jul 2017 05:06:04 +0000 (14:06 +0900)]
Remove caps option in spec file.
All capabilities need to be managed by security-config service.
Therefore, remove %caps option in spec file.
Change-Id: Icb6f620e2ebed561323f1ec427e5843bb3d4b3e8
Piotr Sawicki [Tue, 16 May 2017 09:49:20 +0000 (11:49 +0200)]
Add filtering of IGMP packets
When a user application registers itself in a multicast group
(IP_ADD_MEMBERSHIP), the underlying kernel mechanism sends appropriate
IGMP packets out. These packets don't contain any information about
credentials, as they are not associated with any socket. This additional
netfilter rule causes this kind of packets to be accepted before they reach
the Nether service. Prior to this change, IGMP packets were accepted by
Nether's default back-end, so this change is only for optimization purposes.
It is worth mentioning that an application is not able to send IGMP packets
on its own, because the CAP_NET_RAW capability is required to do that.
Change-Id: Id2b6756f0e5737bed606742d87c5d09f04b6866a
Piotr Sawicki [Thu, 4 May 2017 08:54:58 +0000 (10:54 +0200)]
Let Nether manage UDPLite traffic and local DNS queries
A netfilter rule has been added to let Nether manage UDPLite traffic for
outgoing connections. There are some kernel configurations that don't have
the NF_CT_PROTO_UDPLITE option turned on. For these kernel images, the rule that
uses the conntrack module does not catch packets of the UDPLite protocol.
Special rules have been introduced to inspect DNS queries sent by an app
to the Connman service (running on localhost). The Connman service, which
works as a DNS proxy, sends the queries out of the box on behalf
of the app.
Change-Id: Ib41e61d8367b8c78eb814b3e98396e6c1e5fa4b1
Zofia Abramowska [Wed, 31 May 2017 11:41:03 +0000 (11:41 +0000)]
Merge "Turn on NFQA_CFG_F_GSO option for NFQUEUE" into tizen
Piotr Sawicki [Wed, 17 May 2017 06:35:02 +0000 (08:35 +0200)]
Fix issues detected by SVACE
Change-Id: I290fd7453cc96326442e73a4250cd58650a10b85
Piotr Sawicki [Tue, 16 May 2017 11:58:34 +0000 (13:58 +0200)]
Properly handle Cynara errors
Added handling of all possible errors that may be returned by Cynara's async
API. From now on, an unused entry in responseQueue is erased when the processing
of a packet is done. Moreover, packets with incomplete credentials are not
handled by Cynara's backend; they are passed to backup backends for further
processing. Fix a bug in cynaraErrorCodeToString().
Change-Id: Ia93c6912a4222aa0787b3d5f68149a4bc2a7ebc8
Piotr Sawicki [Tue, 16 May 2017 11:44:08 +0000 (13:44 +0200)]
Fix handling of unknown netlink messages
A severe netlink error should stop the service, but other kinds of errors,
like the inability to parse a netlink message by libnetfilter_queue, should only
be registered in the system log. These errors may happen when Nether issues
a verdict for a nonexistent packet (as a result, the kernel replies with an
error message).
Change-Id: I69bb811d34a993c28a2cde0cb0e8290c25c895d3
Piotr Sawicki [Tue, 30 May 2017 08:59:20 +0000 (10:59 +0200)]
Turn on NFQA_CFG_F_GSO option for NFQUEUE
This patch is required to deal with fragmented IP packets. It has
turned out that without this option, IP fragments without valid
credentials (UID/GID, security context) are delivered to Nether. These fragments are
passed to the backup back-end, which accepts them.
As a result, some fragments reach a network interface, which is not
what we expect. Of course, a listener is not able to receive such
traffic because of the lack of important fragments.
Change-Id: I7485cc97f298c0cc73e3c011421de445ef1aaa02
Piotr Sawicki [Tue, 23 May 2017 09:09:59 +0000 (11:09 +0200)]
Prevent dereferencing of nullptr returned by localtime()
Change-Id: I4245c0e856c06c7d5e9ad1902590f5196f0394e0
Piotr Sawicki [Tue, 16 May 2017 10:58:34 +0000 (12:58 +0200)]
Make main() return proper status code
Until now, in case of a netlink error, Nether's main() function returned 0.
As a result, systemd was not informed about the necessity of restarting
the Nether service.
Change-Id: I82baa62425939bf6f27dc472f84a4775a3f5d23d
Piotr Sawicki [Tue, 16 May 2017 10:38:34 +0000 (12:38 +0200)]
Initialize uid and gid fields of NetherPacket
Under some circumstances, Nether may receive netlink packets which
don't contain uid and gid fields (e.g. IGMP packets generated by
the kernel). Prior to this change, uid and gid fields were not
properly initialized because the nfq_get_uid() and nfq_get_gid()
functions don't modify their second argument in the absence
of the UID/GID fields in an input packet.
Change-Id: I712d44a4eccb3603fdf5d8279e7eb1f49e8f34a7
Piotr Sawicki [Fri, 26 May 2017 13:28:50 +0000 (13:28 +0000)]
Merge "Modify iptables policy for policing all protocols, not only TCP" into tizen
Piotr Sawicki [Fri, 26 May 2017 13:28:08 +0000 (13:28 +0000)]
Merge "Load iptables rules from systemd unit file, not from nether program" into tizen
Rafal Krypa [Fri, 26 May 2017 12:11:35 +0000 (12:11 +0000)]
Merge "service file: make symlink /usr/lib/systemd/system/multi-user.target.wants/nether.service" into tizen
Rafal Krypa [Wed, 28 Dec 2016 10:42:29 +0000 (11:42 +0100)]
Load iptables rules from systemd unit file, not from nether program
Drop nether support for loading iptables rules. Such rules should ideally be
managed from a central place that implements multiple requirements, not only
nether's. It is not right for nether to be the manager of iptables policy.
For now the nether daemon will stop managing the rules; they will be loaded from
systemd unit files. This is already done for ip6tables rules, as nether never
handled ip6tables for IPv6, only iptables for IPv4.
Change-Id: Icb0cf1f42b54e0859c182a6a4baac42e85294388
jin-gyu.kim [Wed, 24 May 2017 02:17:58 +0000 (11:17 +0900)]
Set Restart option as Always
Nether should always be running, as it is the security module.
Even if it is killed for an unexpected reason, it needs to be running again.
Change-Id: I10f515278b5862c7d3a43f5f2b7c741b06ca492b
Rafal Krypa [Wed, 14 Dec 2016 12:00:34 +0000 (13:00 +0100)]
Remove nether.service file, it is autogenerated during build
The nether.service file is generated from nether.service.in. No need to keep the
generated version in the repository.
Change-Id: Id160521703b38d7e38cf1dda2a8d2b318d0edd2b
Rafal Krypa [Wed, 14 Dec 2016 11:44:01 +0000 (12:44 +0100)]
conf: remove packet counters from iptables rules
The packet counters were dumped from the PC of the developer who initially generated
the rules file. They are meaningless and confusing.
Change-Id: I184ae88999a937280bf11d5846fa3b0c0212c3e6
Rafal Krypa [Fri, 26 May 2017 11:59:58 +0000 (11:59 +0000)]
Merge "Prevents against unterminated user chains in iptables policy" into tizen
jin-gyu.kim [Wed, 26 Apr 2017 04:47:03 +0000 (13:47 +0900)]
Exclude loopback interface for setting secmark to 'System'
We set the secmark to 'System' by default.
Due to this, processes can send and receive over the loopback
interface without Smack rules being checked.
Therefore, we need to make the loopback interface an exception.
Change-Id: Ic7990521eba75e5204dd915f733eda3460501e3c
INSUN PYO [Wed, 19 Apr 2017 18:28:40 +0000 (03:28 +0900)]
service file: make symlink /usr/lib/systemd/system/multi-user.target.wants/nether.service
Before: /usr/lib/systemd/system/multi-user.target.wants/nether.service is a legacy file.
After: /usr/lib/systemd/system/multi-user.target.wants/nether.service points to ../nether.service
Signed-off-by: INSUN PYO <insun.pyo@samsung.com>
Change-Id: Ib216dddb187238a27c70ef205f8ebfc8bfe75a50
jin-gyu.kim [Wed, 29 Mar 2017 05:26:46 +0000 (14:26 +0900)]
Use %license macro to copy license file.
Change-Id: Ie00627d233f48b0098a05d0080eac878b22a8f86
Rafal Krypa [Tue, 28 Feb 2017 07:51:27 +0000 (08:51 +0100)]
Modify iptables policy for policing all protocols, not only TCP
A new rule passing packets for nether inspection replaces the old one
that worked only for TCP.
The new rule makes a policy check for the first packet in each network flow, as
seen by the conntrack module. This is done by matching all packets that have
ctstate=NEW (the packet has started a new connection) but not checking those
that have ctstatus=CONFIRMED (connection is confirmed: the originating packet has
left the box). This rule causes nether to check each first packet of a flow,
the minimum required for determining whether the connection should be allowed.
For TCP connections, this should work exactly as the old rule. For connectionless
protocols it will check the first packet of the network flow.
Change-Id: Iccbe8febd1568a615d8169123d7f45b4e998a47d
Anish Singhania [Thu, 9 Mar 2017 14:02:41 +0000 (19:32 +0530)]
Prevents against unterminated user chains in iptables policy
[Model] SM-Z400F
[BinType] AP
[Customer] Open
[Issue#]
[Request] PM
[Occurrence Version]
[Problem] Kernel panic occurs on enabling nether flags
[Cause & Measure] Add unconditional return rules to the two user-defined chains created
[Checking Method]
[Team] Security
[Developer] Anish Singhania
[Solution company] Samsung
[Change Type] Market Issue
Change-Id: I8a5cbacc2418d5268599ebbcc581cfe7227d88d1
Signed-off-by: Anish Singhania <a.singhania@samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
jin-gyu.kim [Wed, 8 Feb 2017 08:06:28 +0000 (17:06 +0900)]
Add missing initialization in constructor.
All member variables need to be set to a default value for safe use.
Therefore, initialize 'processedPacket' to nullptr in the constructor.
Change-Id: Ifa4c4695e764b29b0f070e7b745333da655f4c41
jin-gyu.kim [Fri, 23 Dec 2016 07:56:52 +0000 (16:56 +0900)]
Add parentheses to remove build warning.
Change-Id: I1c9b30c3d46864a7464f840f56fc4e13ac62f574
jooseong lee [Thu, 1 Dec 2016 06:30:27 +0000 (15:30 +0900)]
Set all packet's secmark to 'System' label on input iptables
It is hard to change a packet's secmark in a specific IP scope
to avoid Smack denial. Nether provides better access control for
input and output packets than IP management.
Change-Id: I7a6da0d53c313a7987217d62fefb16ef2f0b8a0f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Fri, 25 Nov 2016 06:30:07 +0000 (15:30 +0900)]
Update nether.rules for multicast IP
Loopback communication should be allowed only for the multicast address range.
In that case, iptables will set the packet's secmark to the 'System' label to avoid
the Smack deny issue.
The current -r option is for IPv4. ip6tables will be updated on ExecStartPost.
* IPv4
- '224.0.1.187', IPv4 multicast address for "All CoAP Nodes"
* IPv6
- 'ff02::', IPv6 multicast address for "All CoAP Nodes", link-local scope
- 'fe80::ae5a:14ff:fe0e:b2c0', this is only for iotcon provisioning, but
should be removed.
Change-Id: Ic57d2205f8bb20ece23de4fe48db9d2cbad43ea8
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Fri, 25 Nov 2016 06:29:45 +0000 (15:29 +0900)]
Revert "Disable nether.service temporarily"
This reverts commit 66b8b92ac00109fbf1cb7e9f03b0ce3d8bcd545b.
Change-Id: Iec896baed3f01e462f32027f3ecb1bf2b208bc85
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Wed, 19 Oct 2016 04:16:07 +0000 (13:16 +0900)]
Disable nether.service temporarily
When enabling CONFIG_SECURITY_SMACK_NETFILTER in Linux kernel,
we have unexpected behavior of Smack. Disable nether.service until
we find the proper solution.
Change-Id: I8d6a85962b5fcbacc57344d3f5453f98de018725
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Zbigniew Jasinski [Tue, 26 Jul 2016 10:00:37 +0000 (12:00 +0200)]
Check if policy backend descriptor is set
We need to check if the policy backend descriptor is set before we even
check if it's ready for reading/writing.
Change-Id: I35d414ff8723089ecb552d944382c808d618d215
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Rafal Krypa [Wed, 13 Jul 2016 14:20:16 +0000 (16:20 +0200)]
Fix for GCC 4.7 not supporting thread_local C++11 feature
GCC 4.8 or later is required to use the C++11 thread_local specifier.
Bump GCC version for C++11 workarounds to 4.8.
Change-Id: I1f96d307aec12aae87bc0749ab2c5d1acb60e765
Rafal Krypa [Wed, 13 Jul 2016 14:19:00 +0000 (16:19 +0200)]
Fix compilation with GCC 4.7
GCC 4.7 has some weird behaviour expecting some destructors to be declared
explicitly with "noexcept(true)":
In file included from /data/src/security/nether/src/nether_Manager.cpp:25:0:
/data/src/security/nether/src/../include/nether_Manager.h:37:3: error: looser throw specifier for ‘virtual NetherManager::~NetherManager()’
In file included from /data/src/security/nether/src/../include/nether_Manager.h:28:0,
from /data/src/security/nether/src/nether_Manager.cpp:25:
/data/src/security/nether/src/../include/nether_Types.h:200:11: error: overriding ‘virtual NetherVerdictListener::~NetherVerdictListener() noexcept (true)’
Change-Id: I2b12d7b6255d4057a3b9f198c1ca2c5c9d477ea1
Rafal Krypa [Wed, 13 Jul 2016 14:09:11 +0000 (16:09 +0200)]
Fix compilation with clang
Clang doesn't like mixing "enum" with "enum class":
error: enumeration previously declared as scoped
Stripping the "enum" keyword from NetherProtocolType.
Change-Id: Id62ef3514c90b2c7f26053558485ccb7f5a8af58
Yunjin Lee [Wed, 20 Jul 2016 10:28:42 +0000 (19:28 +0900)]
Set SmackProcessLabel to System
Change-Id: I31cceb7f0051b6f8f5c64c3b697962e9330cda90
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Zbigniew Jasinski [Tue, 12 Jul 2016 09:07:25 +0000 (11:07 +0200)]
Set capabilities for nether process and binary.
Nether running as non-privileged user needs CAP_NET_ADMIN for netfilter
to work. Additionally it needs CAP_NET_RAW to restore firewall with
iptables.
Change-Id: Ieb358e8837769ffe2039c608be2361e2feec8a1c
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
jin-gyu.kim [Thu, 7 Jul 2016 02:23:39 +0000 (11:23 +0900)]
Remove brackets in service file.
Change-Id: I9a27c41a23fdb2d3bd8bb6a2a9377d25029b0a49
keeho.yang [Thu, 30 Jun 2016 01:48:36 +0000 (10:48 +0900)]
change nether service to non-root service and drop capability.
Change-Id: I95aea0e4d64f1155f66d826fe8a9125fcae88c88
Tomasz Swierczek [Thu, 16 Jun 2016 08:25:14 +0000 (10:25 +0200)]
Revert "Disable nether.service temporarily for high memory usage"
This reverts commit 66efb1d04bd6168ccc6b7466643d33fdd7a68efb.
Change-Id: I5fc6143c020ae58db2012d4f00f711bf60c68333
Zbigniew Jasinski [Wed, 15 Jun 2016 09:40:07 +0000 (11:40 +0200)]
Fix high CPU load on nether startup
During startup nether tries to connect to the Cynara backend.
In the backend class constructor, the Cynara file descriptor is set
to 0, which is a valid descriptor, but not a proper Cynara descriptor.
Change-Id: I4938a3074e1f1cf034a13f98768af89d0c20ebb3
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
jooseong lee [Fri, 10 Jun 2016 02:10:42 +0000 (11:10 +0900)]
Disable nether.service temporarily for high memory usage
USER PID PPID RSS SIZE VSZ %MEM %CPU TIME COMMAND
root 356 1 1364 332 4148 0.1 99.5 0:23:05 nether
Change-Id: I3ffdb7c32327846bcb27de15275954a4db41283e
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Zbigniew Jasinski [Mon, 6 Jun 2016 10:51:44 +0000 (03:51 -0700)]
Merge "Apply ASLR" into tizen
jin-gyu.kim [Thu, 26 May 2016 05:26:03 +0000 (14:26 +0900)]
Add missing 'break' in switch / case
Change-Id: I797936bb2546afda2f6633b4f0c02861fe69c0a1
Yunjin Lee [Fri, 20 May 2016 05:28:29 +0000 (14:28 +0900)]
Apply ASLR
Change-Id: Id2c349fd38fff6af5c14b2a69688908316f83cbb
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Zbigniew Jasinski [Thu, 7 Apr 2016 08:51:48 +0000 (10:51 +0200)]
Minor fixes
Change-Id: Ic66c9fe1c750bd1ef73abb782efdd9595d1b02b8
r.kubiak [Wed, 30 Mar 2016 14:50:10 +0000 (16:50 +0200)]
- added a disable_cipso script
- modified README.md for github (synced with wiki.tizen.org)
Change-Id: Ia2ee53fbb216f869ed91f46aecb0cac941c2ad6a
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Thu, 24 Mar 2016 13:37:14 +0000 (14:37 +0100)]
nether internal logic follow up
- mark is always int32_t and -1 means that no packet marking is done, and the packet should go through normal iptables rules
- when not copying a packet, address and port are zeroed to indicate this in logs
- the builtin privilege for cynara is used unless specified in the policy file or on the command line (NETHER_CYNARA_INTERNET_PRIVILEGE)
- new command line parameters for the cynara backend are "policy" - defines the path of the policy file, and "privname" - defines the default privilege to use when doing cynara checks
Change-Id: I1b4a91685af7f27fff162317a63e15a2d1b7319c
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Wed, 23 Mar 2016 16:58:56 +0000 (17:58 +0100)]
First draft of simple nether logic.
This allows specifying exclusion rules in the cynara backend, so that certain
privileges can be marked with different packet marks and, thanks to iptables,
those packets can hit other chains (not the default ones) so they can pass
through or get redirected if needed.
Change-Id: I61092196c727bddf975d404171468a251db55ea4
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Fri, 11 Mar 2016 10:38:37 +0000 (11:38 +0100)]
Merge branch 'tizen' of ssh://review.tizen.org:29418/platform/core/security/nether into tizen
Roman Kubiak [Fri, 11 Mar 2016 10:19:53 +0000 (02:19 -0800)]
Merge "Add compiler warning flags and fix compile warning" into tizen
seong.chung [Thu, 10 Mar 2016 09:01:07 +0000 (18:01 +0900)]
Add compiler warning flags and fix compile warning
[Problem]
When adding compiler warnings, there is one build error in class NetherCynaraBackend.
The order of the member variables cynaraConfig and cynaraResult in the class declaration is different from the order of enumeration in the constructor.
* class declaration
class NetherCynaraBackend : public NetherPolicyBackend
{
....
private:
....
cynara_async_configuration *cynaraConfig;
std::vector<u_int32_t> responseQueue;
int cynaraResult;
}
* constructor
NetherCynaraBackend::NetherCynaraBackend(const NetherConfig &netherConfig)
: NetherPolicyBackend(netherConfig), currentCynaraDescriptor(0),
cynaraLastResult(CYNARA_API_UNKNOWN_ERROR), CynaraConfig(nullptr)
[Fix]
Change order between cynaraResult and cynaraConfig of class declaration
Change-Id: Ia03b10a33ee6b025ee28d76b82035e8f9cfb68d1
Signed-off-by: seong.chung <seong.chung@samsung.com>
r.kubiak [Fri, 4 Mar 2016 15:11:12 +0000 (16:11 +0100)]
cmake fix, added CXX flags from rpmbuild to be included in the actual build (otherwise they were ignored)
r.kubiak [Wed, 24 Feb 2016 17:53:46 +0000 (18:53 +0100)]
Move iptables-restore after full init
This patch moves the loading of iptables rules after all subsystems have been
initialized. In case any of the subsystems fails, nether will not leave any
rules behind.
Change-Id: I86b63848d7864a684f2ed5d3f10c9e4419712617
r.kubiak [Wed, 24 Feb 2016 16:51:11 +0000 (17:51 +0100)]
Temporary fix for images without proper nether patches.
If the nether patches are not in the kernel, the rule that was commented out
will stop all outgoing network traffic. This should not be the case thanks to
the queue-bypass parameter to iptables, but it seems to fail anyway.
Since the kernel patches are not yet merged, nether is useless anyway.
This will fix any issues until this changes.
Change-Id: Ic6c6876a62588f76d0f7e4105d2866320474149f
r.kubiak [Wed, 27 Jan 2016 11:44:39 +0000 (12:44 +0100)]
Fixed the -d option.
Change-Id: I82c08e1558bf23fb7c446f0eddd8540692a8d51e
r.kubiak [Wed, 27 Jan 2016 11:36:06 +0000 (12:36 +0100)]
Bump release version
Change-Id: I07b1c7ec8f0cc4c78c20fbaf3a3d5031d682ec17
r.kubiak [Tue, 24 Nov 2015 13:28:58 +0000 (14:28 +0100)]
This patch disables the "-d" option for systemd; nether does not fork into
the background and systemd keeps nether alive.
Change-Id: I1674e27919694773814104c0f0045a7ee3d21694
r.kubiak [Thu, 19 Nov 2015 12:48:26 +0000 (13:48 +0100)]
Added apache LICENSE file
Change-Id: If9ab9b33a53e93121cfbbe227d2f9b77845a69da
Aleksander Zdyb [Wed, 18 Nov 2015 14:34:32 +0000 (15:34 +0100)]
Fix potential failures with inheritance
Classes being inherited should generally have virtual destructors.
There was no problem at the moment, but it will help prevent failures
in the future.
Change-Id: I5ddd7c6bf5f8bd4751082244bc3730bc3d78691c
r.kubiak [Thu, 8 Oct 2015 14:22:55 +0000 (16:22 +0200)]
Added performance test scripts and programs
Change-Id: Iaf497786d993e98e6020290e0c5cb33af1461e23
r.kubiak [Thu, 8 Oct 2015 13:32:24 +0000 (15:32 +0200)]
Added a cynara backend option (passed as a primary backend option -P),
cache-size, to control the client side of the cynara cache (default is 1000).
This size is in cynara objects, not kilo-/megabytes.
Change-Id: Ia02053990d01d37a00f8d78ab743d60a7a0e758b
r.kubiak [Wed, 7 Oct 2015 15:40:26 +0000 (17:40 +0200)]
Added loopback rules, so that the REJECT target can transmit ICMP packets to the process.
Change-Id: Idb5494f72e380164ab1473d18ef1f41a83e03ebe
r.kubiak [Wed, 7 Oct 2015 15:39:19 +0000 (17:39 +0200)]
Cynara backend init needs to return a valid descriptor, otherwise an error
will be reported.
Change-Id: I3ea749bd39b7a61cb05d00a8d2cb63c51336cebb
RomanKubiak [Thu, 20 Aug 2015 11:31:02 +0000 (13:31 +0200)]
Added a relaxed mode.
This allows running nether in a permissive/relaxed mode where all DENY
requests are actually allowed but logged via AUDIT.
Change-Id: I0f67f061b2697a80d610d1988b706bd92de05944
RomanKubiak [Thu, 13 Aug 2015 14:26:05 +0000 (16:26 +0200)]
Fixed cynara socket initialization.
Change-Id: I38fe7751f087a719657e9d6a6da58cea3bf4a9d4
RomanKubiak [Thu, 13 Aug 2015 11:06:23 +0000 (13:06 +0200)]
Added optional interface information (output interface only)
Small fix for daemon mode.
Change-Id: I8fa3974ad54f5fd4b403672ba3a4abe3c8e7c568
RomanKubiak [Mon, 10 Aug 2015 15:23:43 +0000 (17:23 +0200)]
Fix for bad policy install path
Change-Id: I90e8e565d8f9efd46c34833a74cf59012163d6b0
RomanKubiak [Tue, 4 Aug 2015 12:39:48 +0000 (14:39 +0200)]
Packet copying is now optional.
We need to copy packets to userspace to get TCP/IP information (address,
port, protocol). This has been made optional now.
Change-Id: Ic753a8ecacdf460b2587f65457a80e1da9bb21a6
RomanKubiak [Tue, 4 Aug 2015 12:24:51 +0000 (14:24 +0200)]
Added a fix for malformed policy files.
Change-Id: Ia362e8003df4eb3af0ccb2d47482d58d1b3edee9
RomanKubiak [Tue, 4 Aug 2015 12:04:53 +0000 (14:04 +0200)]
Fixed a compilation error when cynara is not available.
Change-Id: Ifa595f3cc1ef31d758cb40f468a46e1a36f8abd7
RomanKubiak [Mon, 3 Aug 2015 13:19:40 +0000 (15:19 +0200)]
Modified sources to eliminate pedantic warnings from gcc.
- split function declaration and implementation
- dealt with unsigned/signed comparison in Cynara backend
Change-Id: I1b77af78292915efa9e850d32445c97d5893c513
RomanKubiak [Fri, 24 Jul 2015 13:14:34 +0000 (15:14 +0200)]
Fixed EOLs/TABs/spaces
Included fixes and changes from change I16970c3dedd9071c970523a478fbf35e009d13ef
as commented by Jan Olszak and Rafal Krypa
refer to https://review.tizen.org/gerrit/#/c/44086/ for details
Removed const qualifiers on method return types.
Removed unused parameters from method definitions.
Change-Id: Ic03f4b35cdb476005749d2c93a413a83c09490fd
RomanKubiak [Thu, 23 Jul 2015 12:31:43 +0000 (14:31 +0200)]
Switched all enums to "enum class : uint8_t" types
Change-Id: I0c24cb67e2cb362a2c1970edca6f1947e05b806a
RomanKubiak [Wed, 22 Jul 2015 15:14:38 +0000 (17:14 +0200)]
runAsDaemon function to work in the background
a fix for iptables rules to only catch the first
"new" packet not ALL
Change-Id: Ib5f2359a7a74da97a9b48d808005a5fe166975bb
RomanKubiak [Mon, 20 Jul 2015 14:11:10 +0000 (16:11 +0200)]
Added audit support
Updated cmake to include certain constants
Made boost optional not required
Fixed spec
Added iptables-restore support
Change-Id: I3b965023bd5c5a07612f80fa2e040454e7db42a2
RomanKubiak [Thu, 16 Jul 2015 14:57:24 +0000 (16:57 +0200)]
Added the README.md file for github
Added license info to files
Using unique_ptr<> in manager
Broke up the process() method in manager
Change-Id: I980d281d7decae6d1e23b9f5937117449ac627e3
RomanKubiak [Thu, 16 Jul 2015 14:57:12 +0000 (16:57 +0200)]
Added nether helper scripts and a simple example policy
for the file backend.
Change-Id: Ife2f173d9964cb9f65a9c88d8779872020ab6e46
RomanKubiak [Thu, 16 Jul 2015 14:56:05 +0000 (16:56 +0200)]
Included vasum logger class.
Some modifications
- added an option to disable colours in stderr logger
- added a syslog backend if journal is not available
- added a file backend
Change-Id: Id6ed1c56f871be8970879277b331b26d0e3969f3
RomanKubiak [Thu, 16 Jul 2015 14:55:05 +0000 (16:55 +0200)]
Build subsystem for nether (cmake, codeblocks, spec)
Change-Id: I35e39dc7e34087126b0a8aa2999cd0f7eb733fe3
RomanKubiak [Thu, 16 Jul 2015 14:54:22 +0000 (16:54 +0200)]
Initial source code for nether 0.0.1 (source code only)
Change-Id: I16970c3dedd9071c970523a478fbf35e009d13ef
KyungMi Lee [Thu, 16 Jul 2015 07:46:44 +0000 (00:46 -0700)]
Initial empty repository