[Libguestfs] [PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.
Eric Blake
eblake at redhat.com
Mon Oct 5 13:37:14 UTC 2020
On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> ---
> filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
> tests/Makefile.am | 14 ++++++-
> filters/ip/ip.c | 69 +++++++++++++++++++++++++++++---
> tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++
> tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++
> tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++
> 6 files changed, 301 insertions(+), 18 deletions(-)
>
> +
> + nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all
> +
> +Only allow the current user (S<C<id -u>>) to connect over the socket.
> +It is better to use this as an additional line of defence — also
defense
> +create a temporary directory, make sure it is only accessible by the
> +user, and place the socket there.
> +
> + nbdkit -U sock --filter=ip [...] allow=gid:`id -g` deny=all
> +
> +Allow anyone in the same group as the current user to connect to the
> +Unix domain socket.
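Review bot: both examples use backtick command substitution (`allow=uid:\`id -u\`` and `allow=gid:\`id -g\``); `$(id -u)` / `$(id -g)` is the clearer form for a man page and nests without escaping, and it also matches the `S<C<id -u>>` rendering used in the prose, which currently suggests a different spelling from the example lines.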
>
> +++ b/filters/ip/ip.c
> @@ -62,12 +62,13 @@ int ip_debug_rules;
>
> struct rule {
> struct rule *next;
> - enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6 } type;
> + enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6, PID, UID, GID } type;
> union {
> - struct in_addr ipv4;
> + struct in_addr ipv4; /* for IPV4, IPV6 */
> struct in6_addr ipv6;
> + int id; /* for PID, UID and GID */
Do you want to use id_t here? POSIX requires that type to be a superset
of pid_t, uid_t, and gid_t - on Linux, it is still 32-bit, but it might
be more robust if we have to compile on systems with 64-bit pid_t.
Sadly, there is no handy printf specifier for id_t, so using int does
make life easier elsewhere.
> } u;
> - unsigned prefixlen;
> + unsigned prefixlen; /* for IPV4, IPV6 */
> };
>
> static struct rule *allow_rules, *allow_rules_last;
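Review bot: `int id` is shared by the PID, UID and GID cases, but `uid_t` and `gid_t` are unsigned on Linux, so a uid or gid above INT_MAX stored into this member becomes a negative value and every later signed/unsigned comparison against a peer credential has to be reasoned about; storing `id_t`, or separate `pid_t`/`uid_t`/`gid_t` members in the union, keeps the types exact. Separately, the `/* for IPV4, IPV6 */` comment attached to `struct in_addr ipv4` reads as though that one member served both address families; a per-member `/* for IPV4 */` and `/* for IPV6 */`, or one comment above the union, would be clearer.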
> @@ -100,6 +101,16 @@ print_rule (const char *name, const struct rule *rule, const char *suffix)
> nbdkit_debug ("%s=ipv6:[%s]/%u%s", name, u.addr6, rule->prefixlen, suffix);
> break;
>
> + case PID:
> + nbdkit_debug ("%s=pid:%d%s", name, rule->u.id, suffix);
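Review bot: `%d` matches the `int id` member as declared, but it prints a negative number for any uid or gid above INT_MAX stored there; if the member is widened to `id_t` or split per type, `%jd` with an `(intmax_t)` cast is the portable form and removes the need for a type-specific specifier.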
For example, this becomes more complicated if we use id_t instead of int.
ACK
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org