[Libguestfs] [PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.

Daniel P. Berrangé berrange at redhat.com
Mon Oct 5 13:48:41 UTC 2020 

On Sat, Oct 03, 2020 at 07:50:01PM +0100, Richard W.M. Jones wrote:
> ---
>  filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
>  tests/Makefile.am               | 14 ++++++-
>  filters/ip/ip.c                 | 69 +++++++++++++++++++++++++++++---
>  tests/test-ip-filter-gid.sh     | 51 ++++++++++++++++++++++++
>  tests/test-ip-filter-pid.sh     | 70 +++++++++++++++++++++++++++++++++
>  tests/test-ip-filter-uid.sh     | 51 ++++++++++++++++++++++++
>  6 files changed, 301 insertions(+), 18 deletions(-)
> 
> diff --git a/filters/ip/nbdkit-ip-filter.pod b/filters/ip/nbdkit-ip-filter.pod
> index 17108617..aa91cff2 100644
> --- a/filters/ip/nbdkit-ip-filter.pod
> +++ b/filters/ip/nbdkit-ip-filter.pod
> @@ -1,6 +1,7 @@
>  =head1 NAME
>  
> -nbdkit-ip-filter - filter clients by IP address
> +nbdkit-ip-filter - filter clients by IP address, process ID, user ID
> +or group ID
>  
>  =head1 SYNOPSIS
>  
> @@ -14,6 +15,10 @@ address.  Usually it is better to control this outside nbdkit, for
>  example using TCP wrappers or a firewall, but this filter can be used
>  if these are not available.
>  
> +nbdkit E<ge> 1.24 added the ability to filter clients connecting over
> +local Unix domain sockets by client process ID, user ID and group ID.
> +This currently only works on Linux.
> +
>  =head1 EXAMPLES
>  
>   nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
> @@ -28,13 +33,29 @@ network.
>  
>   nbdkit --filter=ip [...] allow=anyipv6 deny=all
>  
> -Allow IPv6 clients to connect from anywhere, deny all IPv4
> -connections.
> +Allow IPv6 clients to connect from anywhere, deny all other sources.
> +
> + nbdkit -U sock --filter=ip [...] allow=pid:1234 deny=all
> +
> +Only process ID 1234 can connect to the server over the local Unix
> +domain socket.

NB using  PID as an access control token on its own is racy due to the
possibility of PID reuse.  There was a major CVE against polkit many
years back due to use of PID alone:

   https://access.redhat.com/security/cve/CVE-2013-4288

The safe way to check PIDs is to use the (PID, start time, uid) triple.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the Libguestfs mailing list