Re: IP address for processes

From: Michael Clark (mclark@klaatu.patho.gen.nz)
Date: Fri Mar 03 2000 - 17:46:14 EST


Steve Rihards wrote:
>
> I dont think any one has done this because it makes no sense. What does "IP
> address for a process" even mean? IP addresses are required for routing a
> packet to a computer... once there, you use ports to get to an
> application...

I think the idea would add security to a system as i have pondered this
before. Say for instance you virtual host 200 sites and have 200 ip
aliases and 200 different UIDs (1 UID for each site as is best common
practice for security) - it would be nice for CGI or shell programs that
makes socket connections running as UID X to source packets with *the
associated IP address* Y - this would allow per user packet filtering
rules and for example allow you to restrict access to network resources
based on the UID of the remote process.

*** IP per User
One way would be to (in net/ipv4/af_inet.c) inspect sock->inode->i_uid
in inet_bind(...) and inet_stream_connect(...) and read from an in
kernel table [uid->ip] and change addr->sin_addr.s_addr (The source
address is usually 0.0.0.0 which means selected automatically -
otherwise an error could be returned if the specific bind address does
not match the allowed address). Add some sort of configuration interface
(populated during boot). I have tried this but not added the
configuration interface. I have not yet investigated how this would be
approached in a transport independant way.

*** IP per Process
Another way suggested by Chris is to add an address to the process
struct and add a 'chbind' syscall to change it - although this would
require changes to popular programs like apache to make use of this
functionality.

I am informed that FreeBSD's jail (sort of like a fancy chroot)
functionality has this (jail->ip) sort of functionality.

~mc

Vijay Subramani wrote:
>
> Hi,
>
> This may sound odd, but i want to know if any body
> has done any work on assigning IP addresses (may be
> Virtual IP) to processes. I am exploring ways on how
> to provide IP addresses for processes, files, other
> resources , etc. . I would like to get your opinion on
> this.
>
> Thanks in advance,
> Vijay
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu



This archive was generated by hypermail 2b29 : Tue Mar 07 2000 - 21:00:27 EST