<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Hi Ben,<div><br></div><div>You're correct that handle_packet callback is (unfortunately) tied to the e1000 interface and doing it in OSI could be a good alternative. The osi_linux_fd_to_filename function should work fine on FDs that map to things in /dev such as the tun device. </div><div><br></div><div>But it might be even easier if you instead use syscalls2 to hook `sys_recvfrom` and apply taint labels there. In <a href="https://github.com/panda-re/panda/blob/master/panda/python/examples/file_taint/file_network_taint.py#L66">this python example</a> we use syscalls2 to hook `sys_sendto` to check taint as packets are leaving the system. You could use the same approach but just flip the logic to add labels as packets enter the system.</div><div><br></div><div>Best,</div><div>Andrew</div><div><br></div><div>--</div><div>Andrew Fasano</div><div>MIT Lincoln Laboratory</div><div><br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 21, 2020 at 10:59 AM <<a href="mailto:ben@breakpointingbad.com">ben@breakpointingbad.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I have an OSI question that I hope to get some advice on. After making a <br>
recording, during replay, I want to taint packets coming in on network <br>
interfaces in an Ubuntu 18.04 server, including the tun interfaces. I <br>
considered registering a "handle_packet" callback. Unfortunately, this <br>
function is not executed when packets traverse portions of the tun <br>
interface code. I verified this by running the "net" and "network" <br>
plugins. I believe this is because the tun interface is purely software <br>
and so the events recorded by the e1000 emulator are not captured (since <br>
the tun interface doesn't use that driver). This lead me to considering <br>
OSI as a solution. I would like to hook the kernel file object that <br>
describes the tun device, however, I am unsure whether the existing file <br>
resolution code (e.g., "osi_linux_fd_to_filename") in osi_linux will <br>
work for this use case. My question is, does the <br>
"osi_linux_fd_to_filename" function, or any of those in osi_linux, <br>
resolve device files like the tun device, is there a better method <br>
osi_linux provides to achieve this, or will I need to instrument <br>
additional capabilities? I'm still a panda and kernel newb, so apologies <br>
if my question doesn't make sense, I will try to clarify if needed. If I <br>
have to instrument additional functionality, that's OK, I just want to <br>
be sure there isn't an easier option before taking that route.<br>
<br>
Regards,<br>
Ben<br>
_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
</blockquote></div>