On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
---
filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
tests/Makefile.am | 14 ++++++-
filters/ip/ip.c | 69 +++++++++++++++++++++++++++++---
tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++
tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++
tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++
6 files changed, 301 insertions(+), 18 deletions(-)
+
+ nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all
+
+Only allow the current user (S<C<id -u>>) to connect over the socket.
+It is better to use this as an additional line of defence — also
defense
+create a temporary directory, make sure it is only accessible by
the
+user, and place the socket there.
+
+ nbdkit -U sock --filter=ip [...] allow=gid:`id -g` deny=all
+
+Allow anyone in the same group as the current user to connect to the
+Unix domain socket.
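Review bot: both examples use -U, and the text shown does not say what a uid: or gid: rule does for a client that connects over TCP, where there is no peer credential to compare. One sentence stating how such connections are treated would stop readers assuming that allow=uid:... also restricts a TCP listener. The second example also uses a bare "sock" in the current directory, while the paragraph just above recommends a private temporary directory; using the $tmpdir/sock form in both would keep the advice consistent.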
+++ b/filters/ip/ip.c
@@ -62,12 +62,13 @@ int ip_debug_rules;
struct rule {
struct rule *next;
- enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6 } type;
+ enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6, PID, UID, GID } type;
union {
- struct in_addr ipv4;
+ struct in_addr ipv4; /* for IPV4, IPV6 */
struct in6_addr ipv6;
+ int id; /* for PID, UID and GID */
Do you want to use id_t here? POSIX requires that type to be a superset
of pid_t, uid_t, and gid_t - on Linux, it is still 32-bit, but it might
be more robust if we have to compile on systems with 64-bit pid_t.
Sadly, there is no handy printf specifier for id_t, so using int does
make life easier elsewhere.
} u;
- unsigned prefixlen;
+ unsigned prefixlen; /* for IPV4, IPV6 */
};
static struct rule *allow_rules, *allow_rules_last;
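Review bot: "int id" in the union is signed, yet its comment says it also holds UID and GID, and uid_t/gid_t are unsigned on Linux, so an ID above INT_MAX cannot be stored faithfully and would be printed as a negative number by a %d format. Consider an unsigned or wider type together with a range check where the rule string is parsed, so that an out-of-range value is rejected rather than silently wrapped. Separately, the comment "/* for IPV4, IPV6 */" sits on the ipv4 member only; a "/* for IPV4 */" and "/* for IPV6 */" comment on each member would be clearer.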
@@ -100,6 +101,16 @@ print_rule (const char *name, const struct rule *rule, const char
*suffix)
nbdkit_debug ("%s=ipv6:[%s]/%u%s", name, u.addr6, rule->prefixlen,
suffix);
break;
+ case PID:
+ nbdkit_debug ("%s=pid:%d%s", name, rule->u.id, suffix);
For example, this becomes more complicated if we use id_t instead of int.
ACK
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization:  qemu.org | libvirt.org