Re: [patch] update: _working_ code to add device+inode check to ipt_owner.c
From: Luke Kenneth Casson Leighton
Date: Thu Sep 09 2004 - 18:59:39 EST
On Thu, Sep 09, 2004 at 04:04:49PM -0700, Chris Wright wrote:
> > what's the disconnect between the task_list and the sockets (sk_buff)
> > that makes that [not knowing which one will be woken up] relevant?
> There's nothing stopping the following:
> exec good_proc
> socket()
> fork
> exec bad_proc
> Now good_proc and bad_proc are sharing a socket. Packet comes in
> destined for that socket. Rule says it's ok to deliver to socket
> (because of good_proc).
> Packet delivered to socket, wakes up waiters
> (good and bad). Now, what's stopping the bad_proc from reading from the
> socket?
i am not so worried about this scenario _because_:
under an selinux system, you would set up a policy which only
allowed the good_proc to exec other_good_procs (with the
macro can_exec(good_proc, { other_good_proc1, other_good_proc2 })
consequently, you'd design your firewall rules (in conjunction with
your selinux policy) to add _two_ dev+inode-program-enabled firewall rules
to cover the same socket, e.g. apache2 (good_proc) and some cgi script
helper (other_good_proc) - one for each program:
iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/bin/apache2 -j ACCEPT
iptables -A INPUT -m tcp --dport=80 -m program --exe=/usr/cgi-bin/blahblah -j ACCEPT
> > so it's a socket: let's take an example - and i'm assuming for now
> > that things like passing file descriptors over unix-domain-sockets
> > between processes just ... doesn't happen, okay? :)
> These do happen, which is part of the problem ;-)
i would not consider this to be a problem [in an environment where
you specify DENY as the default and ALLOW specific instances]
under such circumstances [file descs passed between programs]...
you would end up having to create _two_ program-specific rules, like
one for each of the two programs.
[this has got to be better than the present situation, where you have
to "iptables -A OUTPUT -m tcp --sport=25" and that allows ANY process
under the sun to have data escaping on port 25.]
Truth, honesty and respect are rare commodities that all spring from
the same well: Love. If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
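Added example, not part of the thread above: a small Linux/Python 3 script that reproduces the two sharing cases Chris Wright raises (a socket reaching a second task through fork, and a socket handed to another holder with SCM_RIGHTS over a unix-domain socket), and shows the close-on-exec flag that stops an inherited socket from surviving an exec into an unrelated program. Everything is constructed in-process with socketpair(); the function names and the use of fstat() dev/inode to compare the two holders are this example's own choices, not anything from the patch.

```python
import array
import os
import socket
import sys

# Constructed demonstration (not code from the ipt_owner patch or the thread).
# Assumes Linux and Python 3: os.fork, AF_UNIX socketpair, SCM_RIGHTS.


def socket_survives_fork() -> bool:
    """fork() a child and let it read from the parent's socket.

    Returns True when the child receives the bytes, i.e. the very same open
    socket is now reachable from two tasks (the good_proc/bad_proc case)."""
    peer, sock = socket.socketpair()
    report_r, report_w = os.pipe()          # child -> parent result channel
    pid = os.fork()
    if pid == 0:
        os.close(report_r)
        os.write(report_w, sock.recv(16))   # child reads the shared socket
        os._exit(0)
    os.close(report_w)
    peer.sendall(b"hello")
    got = os.read(report_r, 16)
    os.waitpid(pid, 0)
    os.close(report_r)
    peer.close()
    sock.close()
    return got == b"hello"


def pass_fd_over_unix_socket() -> bool:
    """Hand a socket to another holder with SCM_RIGHTS over an AF_UNIX socket.

    The receiver gets a fresh fd number that refers to the same open file
    (same st_dev/st_ino), so nothing about the socket itself distinguishes
    the program that created it from the one it was passed to."""
    peer, sock = socket.socketpair()                 # the socket being shared
    sender, receiver = socket.socketpair(socket.AF_UNIX)
    fds = array.array("i", [sock.fileno()])
    sender.sendmsg([b"\0"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, fds)])
    _, ancdata, _, _ = receiver.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    got_fds = array.array("i")
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            got_fds.frombytes(data[:len(data) - len(data) % got_fds.itemsize])
    new_fd = got_fds[0]
    orig, dup = os.fstat(sock.fileno()), os.fstat(new_fd)
    distinct_fd = new_fd != sock.fileno()
    same_file = (orig.st_dev, orig.st_ino) == (dup.st_dev, dup.st_ino)
    peer.sendall(b"via")
    readable = os.read(new_fd, 3) == b"via"         # data flows to the new holder
    os.close(new_fd)
    for s in (peer, sock, sender, receiver):
        s.close()
    return distinct_fd and same_file and readable


def _open_after_exec(fd: int) -> bool:
    """fork, exec a fresh interpreter, and report whether fd is open there."""
    probe = f"import os, sys\ntry:\n    os.fstat({fd})\nexcept OSError:\n    sys.exit(1)"
    pid = os.fork()
    if pid == 0:
        try:
            os.execv(sys.executable, [sys.executable, "-c", probe])
        except OSError:
            os._exit(3)                              # exec itself failed
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) == 0               # 0: fd open; 1: EBADF


def cloexec_controls_exec_inheritance() -> tuple:
    """Returns (inherited_without_cloexec, dropped_with_cloexec).

    Marking a socket close-on-exec is the per-program defence here: a later
    exec of some other binary does not get the descriptor at all."""
    peer, sock = socket.socketpair()
    fd = sock.fileno()
    os.set_inheritable(fd, True)      # classic behaviour: exec keeps the fd
    inherited = _open_after_exec(fd)
    os.set_inheritable(fd, False)     # FD_CLOEXEC: kernel closes it at exec
    dropped = not _open_after_exec(fd)
    peer.close()
    sock.close()
    return inherited, dropped


if __name__ == "__main__":
    print("socket shared after fork:       ", socket_survives_fork())
    print("socket reachable via SCM_RIGHTS:", pass_fd_over_unix_socket())
    print("(inherited, dropped by cloexec):", cloexec_controls_exec_inheritance())
```

The point for the rule design discussed in the thread: a per-program firewall match identifies the task that owns a socket at delivery time, but the open file behind that socket is freely shared by fork and by descriptor passing, so the exec restrictions (selinux policy, close-on-exec on sockets) and the firewall rule have to be designed together, as the reply above says.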