Krzysztof Jackiewicz [Mon, 20 Jul 2020 16:16:54 +0000 (18:16 +0200)]
Switch to GPLv2.0
Change-Id: I103450eec4177ffc39b1239905bdb2aa0a792cef
jin-gyu.kim [Fri, 23 Dec 2016 07:56:52 +0000 (16:56 +0900)]
Add parentheses to remove build warning.
Change-Id: I1c9b30c3d46864a7464f840f56fc4e13ac62f574
jooseong lee [Thu, 1 Dec 2016 06:30:27 +0000 (15:30 +0900)]
Set all packet's secmark to 'System' label on input iptables
It is hard to change a packet's secmark in a specific IP scope
to avoid Smack denial. Nether provides access control for
input and output packets better than IP management.
Change-Id: I7a6da0d53c313a7987217d62fefb16ef2f0b8a0f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Fri, 25 Nov 2016 06:30:07 +0000 (15:30 +0900)]
Update nether.rules for multicast IP
Loopback communication should be allowed only for multicast address range.
In this case, iptables will set the packet's secmark to the 'System' label to avoid
the Smack deny issue.
The current -r option is for IPv4. ip6tables will be updated on ExecStartPost.
* IPv4
- '224.0.1.187', IPv4 multicast address for "All CoAP Nodes"
* IPv6
- 'ff02::', IPv6 multicast address for "All CoAP Nodes", link-local scope
- 'fe80::ae5a:14ff:fe0e:b2c0', This is only for iotcon provisioning, but
should be removed.
Change-Id: Ic57d2205f8bb20ece23de4fe48db9d2cbad43ea8
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
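The rules that the commits above describe fit together in one iptables-restore file: a SECMARK on loopback multicast input so Smack does not deny delivery, an NFQUEUE rule with --queue-bypass so a kernel without the nether patches (or a dead daemon) does not cut off all outgoing traffic, queuing only the first packet of each connection, an open loopback so REJECT's ICMP error reaches the local process, and mark-based dispatch to non-default chains. The generator below is an added example, not the nether.rules file from the repository; the queue number, chain names, mark values and REDIRECT port are hypothetical, and ff02::/16 is an assumed prefix length for the ff02:: address the commit lists.

```shell
#!/bin/sh
# Added example, not nether's own rules file. Emits an iptables-restore rule
# set; queue number, chain name, mark values and the REDIRECT port are
# hypothetical. Usage: nether_rules_v4 LABEL QUEUE (e.g. nether_rules_v4 System 0)
nether_rules_v4() {
  label=$1; queue=$2
  cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback multicast ("All CoAP Nodes") gets the $label secmark so the
# receiving socket is not denied by Smack. A later commit widens this to
# all input packets: -A INPUT -j SECMARK --selctx $label
-A INPUT -i lo -d 224.0.1.187/32 -j SECMARK --selctx $label
# Queue only the first packet of a connection; ESTABLISHED traffic never
# reaches userspace again. --queue-bypass accepts the packet when nothing
# listens on queue $queue instead of dropping every outgoing packet.
# mangle runs before nat and filter on OUTPUT, so a mark set in the
# verdict is visible to the mark matches in the tables below.
-A OUTPUT -m conntrack --ctstate NEW -j NFQUEUE --queue-num $queue --queue-bypass
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
# Mark 0x2 (hypothetical): verdict mark for traffic to be redirected to a
# local proxy on port 8080 instead of taking the default path.
-A OUTPUT -m mark --mark 0x2 -p tcp -j REDIRECT --to-ports 8080
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
:NETHER_EXCL - [0:0]
# Keep loopback open so the ICMP error generated by REJECT can be
# delivered to the local process.
-A OUTPUT -o lo -j ACCEPT
# Mark 0x1 (hypothetical): exclusion mark; such packets take their own
# chain instead of the default one.
-A OUTPUT -m mark --mark 0x1 -j NETHER_EXCL
-A NETHER_EXCL -j ACCEPT
COMMIT
EOF
}

# IPv6 counterpart, loaded separately with ip6tables-restore (the commit
# above does that from ExecStartPost). ff02:: appears in the commit without
# a prefix length; /16 (all link-local multicast) is an assumption here.
nether_rules_v6() {
  label=$1; queue=$2
  cat <<EOF
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -d ff02::/16 -j SECMARK --selctx $label
-A OUTPUT -m conntrack --ctstate NEW -j NFQUEUE --queue-num $queue --queue-bypass
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Sanity-check a rule set read from stdin: every *table block must be closed
# by COMMIT. As root, with the restore tool ($1) installed, the real parser
# also validates it without touching the kernel (--test).
rules_check() {
  tool=$1
  data=$(cat)
  tables=$(printf '%s\n' "$data" | grep -c '^\*' || true)
  commits=$(printf '%s\n' "$data" | grep -c '^COMMIT$' || true)
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
  if [ "$(id -u)" -eq 0 ] && command -v "$tool" >/dev/null 2>&1; then
    printf '%s\n' "$data" | "$tool" --test
  fi
}

# Stand-alone run: print the IPv4 set and structurally check both.
nether_rules_v4 System 0
nether_rules_v4 System 0 | rules_check iptables-restore
nether_rules_v6 System 0 | rules_check ip6tables-restore
```

Loading order matters for the "no rules left behind" point from the February 2016 commit: restore the file only after the queue listener is up, and keep --queue-bypass even then, since it is the only thing standing between a daemon crash and a device with no outgoing network.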
jooseong lee [Fri, 25 Nov 2016 06:29:45 +0000 (15:29 +0900)]
Revert "Disable nether.service temporarily"
This reverts commit
66b8b92ac00109fbf1cb7e9f03b0ce3d8bcd545b.
Change-Id: Iec896baed3f01e462f32027f3ecb1bf2b208bc85
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Wed, 19 Oct 2016 04:16:07 +0000 (13:16 +0900)]
Disable nether.service temporarily
When enabling CONFIG_SECURITY_SMACK_NETFILTER in Linux kernel,
we have unexpected behavior of Smack. Disable nether.service until
we find the proper solution.
Change-Id: I8d6a85962b5fcbacc57344d3f5453f98de018725
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Zbigniew Jasinski [Tue, 26 Jul 2016 10:00:37 +0000 (12:00 +0200)]
Check if policy backend descriptor is set
We need to check if policy backend descriptor is set before we even
check if it's ready for reading/writing.
Change-Id: I35d414ff8723089ecb552d944382c808d618d215
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
Rafal Krypa [Wed, 13 Jul 2016 14:20:16 +0000 (16:20 +0200)]
Fix for GCC 4.7 not supporting thread_local C++11 feature
It must be at least GCC 4.8 to use C++11 thread_local specifier.
Bump GCC version for C++11 workarounds to 4.8.
Change-Id: I1f96d307aec12aae87bc0749ab2c5d1acb60e765
Rafal Krypa [Wed, 13 Jul 2016 14:19:00 +0000 (16:19 +0200)]
Fix compilation with GCC 4.7
GCC 4.7 has some weird behaviour expecting some destructors to be declared
explicitly with "noexcept(true)":
In file included from /data/src/security/nether/src/nether_Manager.cpp:25:0:
/data/src/security/nether/src/../include/nether_Manager.h:37:3: error: looser throw specifier for ‘virtual NetherManager::~NetherManager()’
In file included from /data/src/security/nether/src/../include/nether_Manager.h:28:0,
from /data/src/security/nether/src/nether_Manager.cpp:25:
/data/src/security/nether/src/../include/nether_Types.h:200:11: error: overriding ‘virtual NetherVerdictListener::~NetherVerdictListener() noexcept (true)’
Change-Id: I2b12d7b6255d4057a3b9f198c1ca2c5c9d477ea1
Rafal Krypa [Wed, 13 Jul 2016 14:09:11 +0000 (16:09 +0200)]
Fix compilation with clang
Clang doesn't like mixing "enum" with "enum class":
error: enumeration previously declared as scoped
Stripping the "enum" keyword from NetherProtocolType.
Change-Id: Id62ef3514c90b2c7f26053558485ccb7f5a8af58
Yunjin Lee [Wed, 20 Jul 2016 10:28:42 +0000 (19:28 +0900)]
Set SmackProcessLabel to System
Change-Id: I31cceb7f0051b6f8f5c64c3b697962e9330cda90
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Zbigniew Jasinski [Tue, 12 Jul 2016 09:07:25 +0000 (11:07 +0200)]
Set capabilities for nether process and binary.
Nether running as non-privileged user needs CAP_NET_ADMIN for netfilter
to work. Additionally it needs CAP_NET_RAW to restore firewall with
iptables.
Change-Id: Ieb358e8837769ffe2039c608be2361e2feec8a1c
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
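The two commits above (non-root service, then CAP_NET_ADMIN plus CAP_NET_RAW for netfilter and iptables-restore, and SmackProcessLabel=System) amount to a least-privilege unit. The script below is an added example, not the unit file shipped by nether: it emits such a unit with assumed user, paths and dependency names, and provides a helper that turns capability names into the hex mask printed in /proc/PID/status so the running process can be checked against exactly that set.

```shell
#!/bin/sh
# Added example, not nether's unit file. User name, paths and the cynara
# dependency are assumptions. AmbientCapabilities needs systemd >= 229 and
# a 4.3+ kernel; with it the binary needs no file capabilities, so
# NoNewPrivileges can stay on (no_new_privs makes execve ignore file caps).
nether_unit() {
  cat <<'EOF'
[Unit]
Description=nether network access daemon (example unit)
After=cynara.service

[Service]
Type=simple
User=network_fw
Group=network_fw
SmackProcessLabel=System
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
NoNewPrivileges=yes
# No -d: nether does not fork under systemd, systemd keeps it alive.
ExecStart=/usr/bin/nether
# IPv4 rules are loaded by nether itself; IPv6 rules are loaded afterwards.
ExecStartPost=/usr/sbin/ip6tables-restore /etc/nether/nether6.rules

[Install]
WantedBy=multi-user.target
EOF
}

# Bit numbers from <linux/capability.h>.
cap_bit() {
  case $1 in
    CAP_NET_BIND_SERVICE) echo 10 ;;
    CAP_NET_ADMIN) echo 12 ;;
    CAP_NET_RAW) echo 13 ;;
    CAP_SYS_ADMIN) echo 21 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# caps_mask NAME... -> 16-digit hex mask as printed in /proc/PID/status.
caps_mask() {
  mask=0
  for c in "$@"; do
    b=$(cap_bit "$c") || return 1
    mask=$(( mask | (1 << b) ))
  done
  printf '%016x\n' "$mask"
}

# check_caps_file STATUSFILE NAME...: pass /proc/PID/status of the running
# daemon; effective, permitted and bounding sets must all equal the given
# names, nothing more (with the unit above all three are the same mask).
check_caps_file() {
  status=$1; shift
  want=$(caps_mask "$@") || return 1
  for field in CapEff CapPrm CapBnd; do
    have=$(awk -v f="$field:" '$1 == f { print $2 }' "$status")
    [ "$have" = "$want" ] || { echo "$field is $have, expected $want" >&2; return 1; }
  done
}

# Stand-alone run: show the unit and the mask to expect for it.
nether_unit
echo "expected CapEff/CapPrm/CapBnd: $(caps_mask CAP_NET_ADMIN CAP_NET_RAW)"
```

Without ambient capabilities the fallback is file capabilities on the binary (`setcap cap_net_admin,cap_net_raw+ep`), which is what "capabilities for nether process and binary" in the commit refers to; that variant requires dropping NoNewPrivileges=yes, so the mask check is the way to confirm the daemon did not end up with more than the two bits it needs.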
jin-gyu.kim [Thu, 7 Jul 2016 02:23:39 +0000 (11:23 +0900)]
Remove brackets in service file.
Change-Id: I9a27c41a23fdb2d3bd8bb6a2a9377d25029b0a49
keeho.yang [Thu, 30 Jun 2016 01:48:36 +0000 (10:48 +0900)]
change nether service to non-root service and drop capability.
Change-Id: I95aea0e4d64f1155f66d826fe8a9125fcae88c88
Tomasz Swierczek [Thu, 16 Jun 2016 08:25:14 +0000 (10:25 +0200)]
Revert "Disable nether.service temporarily for high memory usage"
This reverts commit
66efb1d04bd6168ccc6b7466643d33fdd7a68efb.
Change-Id: I5fc6143c020ae58db2012d4f00f711bf60c68333
Zbigniew Jasinski [Wed, 15 Jun 2016 09:40:07 +0000 (11:40 +0200)]
Fix high CPU load on nether startup
During startup nether tries to connect to Cynara backend.
In backend class constructor, Cynara file descriptor is set
to 0, which is valid, but not proper Cynara descriptor.
Change-Id: I4938a3074e1f1cf034a13f98768af89d0c20ebb3
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
jooseong lee [Fri, 10 Jun 2016 02:10:42 +0000 (11:10 +0900)]
Disable nether.service temporarily for high memory usage
USER PID PPID RSS SIZE VSZ %MEM %CPU TIME COMMAND
root 356 1 1364 332 4148 0.1 99.5 0:23:05 nether
Change-Id: I3ffdb7c32327846bcb27de15275954a4db41283e
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Zbigniew Jasinski [Mon, 6 Jun 2016 10:51:44 +0000 (03:51 -0700)]
Merge "Apply ASLR" into tizen
jin-gyu.kim [Thu, 26 May 2016 05:26:03 +0000 (14:26 +0900)]
Add missing 'break' in switch / case
Change-Id: I797936bb2546afda2f6633b4f0c02861fe69c0a1
Yunjin Lee [Fri, 20 May 2016 05:28:29 +0000 (14:28 +0900)]
Apply ASLR
Change-Id: Id2c349fd38fff6af5c14b2a69688908316f83cbb
Signed-off-by: Yunjin Lee <yunjin-.lee@samsung.com>
Zbigniew Jasinski [Thu, 7 Apr 2016 08:51:48 +0000 (10:51 +0200)]
Minor fixes
Change-Id: Ic66c9fe1c750bd1ef73abb782efdd9595d1b02b8
r.kubiak [Wed, 30 Mar 2016 14:50:10 +0000 (16:50 +0200)]
- added a disable_cipso script
- modified README.md for github (synced with wiki.tizen.org)
Change-Id: Ia2ee53fbb216f869ed91f46aecb0cac941c2ad6a
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Thu, 24 Mar 2016 13:37:14 +0000 (14:37 +0100)]
nether internal logic follow up
- mark is always int32_t and -1 means that
no packet marking is done, and the packet
should go through normal iptables rules
- when not copying packet, address and port
are zeroed to indicate this in logs
- the builtin privilege for cynara is used
unless specified in the policy file or
on the command line NETHER_CYNARA_INTERNET_PRIVILEGE
- new command line parameters for cynara
backend are "policy" - defines the path
of the policy file and "privname" - defines
the default privilege to use when doing
cynara checks
Change-Id: I1b4a91685af7f27fff162317a63e15a2d1b7319c
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Wed, 23 Mar 2016 16:58:56 +0000 (17:58 +0100)]
First draft of simple nether logic.
This allows to specify exclusion rules in the
cynara backend, so that certain privileges
can be marked with different packet marks
and thanks to iptables those packets can
hit other chains (not the default ones)
so they can pass through or get redirected
if needed.
Change-Id: I61092196c727bddf975d404171468a251db55ea4
Signed-off-by: Zbigniew Jasinski <z.jasinski@samsung.com>
r.kubiak [Fri, 11 Mar 2016 10:38:37 +0000 (11:38 +0100)]
Merge branch 'tizen' of ssh://review.tizen.org:29418/platform/core/security/nether into tizen
Roman Kubiak [Fri, 11 Mar 2016 10:19:53 +0000 (02:19 -0800)]
Merge "Add compiler warning flags and fix compile warning" into tizen
seong.chung [Thu, 10 Mar 2016 09:01:07 +0000 (18:01 +0900)]
Add compiler warning flags and fix compile warning
[Problem]
When adding compiler warning flags, there is one build error in class NetherCynaraBackend.
The order of the member variables cynaraConfig and cynaraResult in the class declaration is different from the order in the constructor's initializer list.
* class declaration
class NetherCynaraBackend : public NetherPolicyBackend
{
....
private:
....
cynara_async_configuration *cynaraConfig;
std::vector<u_int32_t> responseQueue;
int cynaraResult;
}
* constructor
NetherCynaraBackend::NetherCynaraBackend(const NetherConfig &netherConfig)
: NetherPolicyBackend(netherConfig), currentCynaraDescriptor(0),
cynaraLastResult(CYNARA_API_UNKNOWN_ERROR), CynaraConfig(nullptr)
[Fix]
Change order between cynaraResult and cynaraConfig of class declaration
Change-Id: Ia03b10a33ee6b025ee28d76b82035e8f9cfb68d1
Signed-off-by: seong.chung <seong.chung@samsung.com>
r.kubiak [Fri, 4 Mar 2016 15:11:12 +0000 (16:11 +0100)]
cmake fix, added CXX flags from rpmbuild to be included
in the actual build (otherwise they were ignored)
r.kubiak [Wed, 24 Feb 2016 17:53:46 +0000 (18:53 +0100)]
Move iptables-restore after full init
This patch moves the loading of iptables rules
after all subsystems have been initialized. In
case any of the subsystems fails, nether will
not leave any rules behind.
Change-Id: I86b63848d7864a684f2ed5d3f10c9e4419712617
r.kubiak [Wed, 24 Feb 2016 16:51:11 +0000 (17:51 +0100)]
Temporary fix for images without proper nether patches.
If the nether patches are not in the kernel, the rule
that was commented out, will stop all outgoing network traffic.
This should not be the case thanks to the queue-bypass
parameter to iptables, but it seems to fail anyway.
Since the kernel patches are not yet merged, nether is
useless anyway. This will fix any issues until this changes.
Change-Id: Ic6c6876a62588f76d0f7e4105d2866320474149f
r.kubiak [Wed, 27 Jan 2016 11:44:39 +0000 (12:44 +0100)]
Fixed the -d option.
Change-Id: I82c08e1558bf23fb7c446f0eddd8540692a8d51e
r.kubiak [Wed, 27 Jan 2016 11:36:06 +0000 (12:36 +0100)]
Bump release version
Change-Id: I07b1c7ec8f0cc4c78c20fbaf3a3d5031d682ec17
r.kubiak [Tue, 24 Nov 2015 13:28:58 +0000 (14:28 +0100)]
This patch disables the "-d" option for systemd, nether
does not fork into background and systemd is keeping
nether alive.
Change-Id: I1674e27919694773814104c0f0045a7ee3d21694
r.kubiak [Thu, 19 Nov 2015 12:48:26 +0000 (13:48 +0100)]
Added apache LICENSE file
Change-Id: If9ab9b33a53e93121cfbbe227d2f9b77845a69da
Aleksander Zdyb [Wed, 18 Nov 2015 14:34:32 +0000 (15:34 +0100)]
Fix potential failures with inheritance
Classes being inherited should generally have virtual destructors.
There was no problem at the moment, but it will help preventing failures
in the future.
Change-Id: I5ddd7c6bf5f8bd4751082244bc3730bc3d78691c
r.kubiak [Thu, 8 Oct 2015 14:22:55 +0000 (16:22 +0200)]
Added performance test scripts and programs
Change-Id: Iaf497786d993e98e6020290e0c5cb33af1461e23
r.kubiak [Thu, 8 Oct 2015 13:32:24 +0000 (15:32 +0200)]
Added a cynara backend option (passed as a primary backend
option -P) cache-size, to control the client side of the cynara
cache (default is 1000). This size is in cynara objects,
not kilo/megabytes.
Change-Id: Ia02053990d01d37a00f8d78ab743d60a7a0e758b
r.kubiak [Wed, 7 Oct 2015 15:40:26 +0000 (17:40 +0200)]
Added loopback rules, so that the REJECT target
can transmit ICMP packets to the process.
Change-Id: Idb5494f72e380164ab1473d18ef1f41a83e03ebe
r.kubiak [Wed, 7 Oct 2015 15:39:19 +0000 (17:39 +0200)]
Cynara backend init needs to return a valid
descriptor, otherwise an error will be reported.
Change-Id: I3ea749bd39b7a61cb05d00a8d2cb63c51336cebb
RomanKubiak [Thu, 20 Aug 2015 11:31:02 +0000 (13:31 +0200)]
Added a relaxed mode.
This allows running nether in a permissive/relaxed
mode where all DENY requests are actually allowed
but logged via AUDIT.
Change-Id: I0f67f061b2697a80d610d1988b706bd92de05944
RomanKubiak [Thu, 13 Aug 2015 14:26:05 +0000 (16:26 +0200)]
Fixed cynara socket initialization.
Change-Id: I38fe7751f087a719657e9d6a6da58cea3bf4a9d4
RomanKubiak [Thu, 13 Aug 2015 11:06:23 +0000 (13:06 +0200)]
Added optional interface information (output interface only)
Small fix for daemon mode.
Change-Id: I8fa3974ad54f5fd4b403672ba3a4abe3c8e7c568
RomanKubiak [Mon, 10 Aug 2015 15:23:43 +0000 (17:23 +0200)]
Fix for bad policy install path
Change-Id: I90e8e565d8f9efd46c34833a74cf59012163d6b0
RomanKubiak [Tue, 4 Aug 2015 12:39:48 +0000 (14:39 +0200)]
Packet copying is now optional.
We need to copy packets to userspace to get
TCP/IP information (address, port, protocol)
This has been made optional now.
Change-Id: Ic753a8ecacdf460b2587f65457a80e1da9bb21a6
RomanKubiak [Tue, 4 Aug 2015 12:24:51 +0000 (14:24 +0200)]
Added a fix for malformed policy files.
Change-Id: Ia362e8003df4eb3af0ccb2d47482d58d1b3edee9
RomanKubiak [Tue, 4 Aug 2015 12:04:53 +0000 (14:04 +0200)]
Fixed a compilation error when cynara is not available.
Change-Id: Ifa595f3cc1ef31d758cb40f468a46e1a36f8abd7
RomanKubiak [Mon, 3 Aug 2015 13:19:40 +0000 (15:19 +0200)]
Modified sources to eliminate pedantic warnings
from gcc.
- split function declaration and implementation
- dealt with unsigned/signed comparison in Cynara
backend
Change-Id: I1b77af78292915efa9e850d32445c97d5893c513
RomanKubiak [Fri, 24 Jul 2015 13:14:34 +0000 (15:14 +0200)]
Fixed EOLs/TABs/spaces
Included fixes and changes from change I16970c3dedd9071c970523a478fbf35e009d13ef
as commented by Jan Olszak and Rafal Krypa
refer to https://review.tizen.org/gerrit/#/c/44086/ for details
Removed const qualifiers on method return types.
Removed unused parameters from method definitions.
Change-Id: Ic03f4b35cdb476005749d2c93a413a83c09490fd
RomanKubiak [Thu, 23 Jul 2015 12:31:43 +0000 (14:31 +0200)]
Switched all enums to "enum class : uint8_t" types
Change-Id: I0c24cb67e2cb362a2c1970edca6f1947e05b806a
RomanKubiak [Wed, 22 Jul 2015 15:14:38 +0000 (17:14 +0200)]
runAsDaemon function to work in the background
a fix for iptables rules to only catch the first
"new" packet not ALL
Change-Id: Ib5f2359a7a74da97a9b48d808005a5fe166975bb
RomanKubiak [Mon, 20 Jul 2015 14:11:10 +0000 (16:11 +0200)]
Added audit support
Updated cmake to include certain constants
Made boost optional not required
Fixed spec
Added iptables-restore support
Change-Id: I3b965023bd5c5a07612f80fa2e040454e7db42a2
RomanKubiak [Thu, 16 Jul 2015 14:57:24 +0000 (16:57 +0200)]
Added the README.md file for github
Added license info to files
Using unique_ptr<> in manager
Broke up the process() method in manager
Change-Id: I980d281d7decae6d1e23b9f5937117449ac627e3
RomanKubiak [Thu, 16 Jul 2015 14:57:12 +0000 (16:57 +0200)]
Added nether helper scripts and a simple example policy
for the file backend.
Change-Id: Ife2f173d9964cb9f65a9c88d8779872020ab6e46
RomanKubiak [Thu, 16 Jul 2015 14:56:05 +0000 (16:56 +0200)]
Included vasum logger class.
Some modifications
- added an option to disable colours in stderr logger
- added a syslog backend if journal is not available
- added a file backend
Change-Id: Id6ed1c56f871be8970879277b331b26d0e3969f3
RomanKubiak [Thu, 16 Jul 2015 14:55:05 +0000 (16:55 +0200)]
Build subsystem for nether (cmake, codeblocks, spec)
Change-Id: I35e39dc7e34087126b0a8aa2999cd0f7eb733fe3
RomanKubiak [Thu, 16 Jul 2015 14:54:22 +0000 (16:54 +0200)]
Initial source code for nether 0.0.1 (source code only)
Change-Id: I16970c3dedd9071c970523a478fbf35e009d13ef
KyungMi Lee [Thu, 16 Jul 2015 07:46:44 +0000 (00:46 -0700)]
Initial empty repository