On Sat, Oct 03, 2020 at 07:50:01PM +0100, Richard W.M. Jones wrote:
---
filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
tests/Makefile.am | 14 ++++++-
filters/ip/ip.c | 69 +++++++++++++++++++++++++++++---
tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++
tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++
tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++
6 files changed, 301 insertions(+), 18 deletions(-)
diff --git a/filters/ip/nbdkit-ip-filter.pod b/filters/ip/nbdkit-ip-filter.pod
index 17108617..aa91cff2 100644
--- a/filters/ip/nbdkit-ip-filter.pod
+++ b/filters/ip/nbdkit-ip-filter.pod
@@ -1,6 +1,7 @@
=head1 NAME
-nbdkit-ip-filter - filter clients by IP address
+nbdkit-ip-filter - filter clients by IP address, process ID, user ID
+or group ID
=head1 SYNOPSIS
@@ -14,6 +15,10 @@ address. Usually it is better to control this outside nbdkit, for
example using TCP wrappers or a firewall, but this filter can be used
if these are not available.
+nbdkit E<ge> 1.24 added the ability to filter clients connecting over
+local Unix domain sockets by client process ID, user ID and group ID.
+This currently only works on Linux.
+
=head1 EXAMPLES
nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
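Review bot: The added paragraph says the process ID, user ID and group ID matching "currently only works on Linux" but does not say what happens when such a rule is given on another platform. State whether the rule is rejected at startup or simply never matches: an allow rule that silently never matches locks clients out, while a deny rule that silently never matches lets them in.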
@@ -28,13 +33,29 @@ network.
nbdkit --filter=ip [...] allow=anyipv6 deny=all
-Allow IPv6 clients to connect from anywhere, deny all IPv4
-connections.
+Allow IPv6 clients to connect from anywhere, deny all other sources.
+
+ nbdkit -U sock --filter=ip [...] allow=pid:1234 deny=all
+
+Only process ID 1234 can connect to the server over the local Unix
+domain socket.
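Review bot: The sentence after the `allow=pid:1234` example, "Only process ID 1234 can connect", reads as if the number identified one specific process. A PID names whichever process holds that number when the connection is checked, so the text should say that the rule matches the number only, and point readers to the user ID or group ID rules when the client is not a single known long-lived process.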
NB using PID as an access control token on its own is racy due to the
possibility of PID reuse. There was a major CVE against polkit many
years back due to use of PID alone:
https://access.redhat.com/security/cve/CVE-2013-4288
The safe way to check PIDs is to use the (PID, start time, uid) triple.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
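
The (PID, start time, uid) triple from the reply above, sketched in C as an added example; it is not part of the original message or of nbdkit's code. The names `struct proc_id`, `parse_starttime`, `proc_id_lookup` and `proc_id_match` are hypothetical, and it assumes Linux `/proc` and a peer pid and uid already reported by the kernel (for example via `SO_PEERCRED`).

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* A PID alone can be reused; a later process holding the same PID has a
 * different start time, so the triple identifies one process. */
struct proc_id { pid_t pid; uid_t uid; unsigned long long starttime; };

/* Field 22 of a /proc/PID/stat line is the start time in clock ticks since
 * boot.  Field 2 (comm) may hold spaces and ')': resume after the LAST ')'. */
int parse_starttime(const char *line, unsigned long long *out)
{
  const char *p = strrchr(line, ')');
  int field = 2;

  if (p == NULL) return -1;
  for (p++; *p != '\0'; p++)
    if (*p == ' ' && ++field == 22)
      return sscanf(p + 1, "%llu", out) == 1 ? 0 : -1;
  return -1;                      /* line ended before field 22 */
}

/* Build the triple for a peer whose pid and uid were reported by the
 * kernel (assumption: SO_PEERCRED on the accepted Unix socket). */
int proc_id_lookup(pid_t pid, uid_t uid, struct proc_id *id)
{
  char path[64], line[1024];
  FILE *fp;
  int r = -1;

  snprintf(path, sizeof path, "/proc/%ld/stat", (long) pid);
  if ((fp = fopen(path, "r")) == NULL) return -1;   /* already exited */
  if (fgets(line, sizeof line, fp) != NULL)
    r = parse_starttime(line, &id->starttime);
  fclose(fp);
  id->pid = pid;
  id->uid = uid;
  return r;
}

/* Non-zero only if all three parts equal the identity recorded earlier. */
int proc_id_match(const struct proc_id *want, const struct proc_id *got)
{
  return want->pid == got->pid && want->uid == got->uid &&
         want->starttime == got->starttime;
}
```

A lookup that fails, or a triple that differs in any part from the one recorded when the rule was set up, should be treated as a non-match.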