[Libguestfs] [PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.
Daniel P. Berrangé
berrange at redhat.com
Mon Oct 5 13:48:41 UTC 2020
On Sat, Oct 03, 2020 at 07:50:01PM +0100, Richard W.M. Jones wrote:
> ---
> filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
> tests/Makefile.am | 14 ++++++-
> filters/ip/ip.c | 69 +++++++++++++++++++++++++++++---
> tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++
> tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++
> tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++
> 6 files changed, 301 insertions(+), 18 deletions(-)
>
> diff --git a/filters/ip/nbdkit-ip-filter.pod b/filters/ip/nbdkit-ip-filter.pod
> index 17108617..aa91cff2 100644
> --- a/filters/ip/nbdkit-ip-filter.pod
> +++ b/filters/ip/nbdkit-ip-filter.pod
> @@ -1,6 +1,7 @@
> =head1 NAME
>
> -nbdkit-ip-filter - filter clients by IP address
> +nbdkit-ip-filter - filter clients by IP address, process ID, user ID
> +or group ID
>
> =head1 SYNOPSIS
>
> @@ -14,6 +15,10 @@ address. Usually it is better to control this outside nbdkit, for
> example using TCP wrappers or a firewall, but this filter can be used
> if these are not available.
>
> +nbdkit E<ge> 1.24 added the ability to filter clients connecting over
> +local Unix domain sockets by client process ID, user ID and group ID.
> +This currently only works on Linux.
> +
> =head1 EXAMPLES
>
> nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
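Review bot: The added paragraph ("filter clients connecting over local Unix
domain sockets ... This currently only works on Linux") does not say what a
process ID, user ID or group ID rule does when it cannot be evaluated, that
is, on a non-Linux host or for a client that connects over TCP. Please state
whether such a rule is rejected when the server starts or simply never
matches, so a reader can tell how it combines with the rules that follow it.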
> @@ -28,13 +33,29 @@ network.
>
> nbdkit --filter=ip [...] allow=anyipv6 deny=all
>
> -Allow IPv6 clients to connect from anywhere, deny all IPv4
> -connections.
> +Allow IPv6 clients to connect from anywhere, deny all other sources.
> +
> + nbdkit -U sock --filter=ip [...] allow=pid:1234 deny=all
> +
> +Only process ID 1234 can connect to the server over the local Unix
> +domain socket.
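Review bot: The `allow=pid:1234` example and its description ("Only process
ID 1234 can connect to the server") present a bare PID as if it identified
one client, and the added text carries no caveat. Suggest rewording so it
says the rule matches whichever process holds that PID when it connects, and
adding a sentence that a PID can be reassigned once the original process has
exited.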

NB using PID as an access control token on its own is racy due to the
possibility of PID reuse. There was a major CVE against polkit many
years back due to use of PID alone:

  https://access.redhat.com/security/cve/CVE-2013-4288

The safe way to check PIDs is to use the (PID, start time, uid) triple.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|