On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> ---
>  filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++-----
>  tests/Makefile.am               | 14 ++++++-
>  filters/ip/ip.c                 | 69 +++++++++++++++++++++++++++++---
>  tests/test-ip-filter-gid.sh     | 51 ++++++++++++++++++++++++
>  tests/test-ip-filter-pid.sh     | 70 +++++++++++++++++++++++++++++++++
>  tests/test-ip-filter-uid.sh     | 51 ++++++++++++++++++++++++
>  6 files changed, 301 insertions(+), 18 deletions(-)
> 

> +
> + nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all
> +
> +Only allow the current user (S<C<id -u>>) to connect over the socket.
> +It is better to use this as an additional line of defence — also

defense

> +create a temporary directory, make sure it is only accessible by the
> +user, and place the socket there.
> +
> + nbdkit -U sock --filter=ip [...] allow=gid:`id -g` deny=all
> +
> +Allow anyone in the same group as the current user to connect to the
> +Unix domain socket.
>  
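Review bot: the uid:/gid: documentation covers only the Unix domain socket case; it should also state how these rules behave when a client connects over TCP, where peer credentials are not available (presumably a `uid:`/`gid:` rule can never match there, so the `deny=all` fallback governs), since a reader could otherwise assume the rules apply to every transport. It would also help to say that the `allow=uid:` check and the private socket directory protect against different things: the rule keeps other local users out, while the directory permissions keep the socket from being discovered or opened at all.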

> +++ b/filters/ip/ip.c
> @@ -62,12 +62,13 @@ int ip_debug_rules;
>  
>  struct rule {
>    struct rule *next;
> -  enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6 } type;
> +  enum { BAD = 0, ANY, ANYV4, ANYV6, IPV4, IPV6, PID, UID, GID } type;
>    union {
> -    struct in_addr ipv4;
> +    struct in_addr ipv4;        /* for IPV4, IPV6 */
>      struct in6_addr ipv6;
> +    int id;                     /* for PID, UID and GID */

Do you want to use id_t here? POSIX requires that type to be a superset
of pid_t, uid_t, and gid_t - on Linux, it is still 32-bit, but it might
be more robust if we have to compile on systems with 64-bit pid_t.
Sadly, there is no handy printf specifier for id_t, so using int does
make life easier elsewhere.

>    } u;
> -  unsigned prefixlen;
> +  unsigned prefixlen;           /* for IPV4, IPV6 */
>  };
>  
>  static struct rule *allow_rules, *allow_rules_last;
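Review bot: the comment `/* for IPV4, IPV6 */` is attached to the `ipv4` member, but the IPv6 address lives in the separate `ipv6` member on the following line; either give each member its own comment or move the shared one above the union. Beyond the id_t question raised above, `int id` also has a signedness issue worth deciding now: on Linux uid_t and gid_t are unsigned 32-bit, so a value such as `(uid_t)-1` (the conventional "no user" / overflow id) would be stored as a negative int and shown as `-1` by a `%d` debug format, and comparisons against an unsigned peer credential would rely on implicit conversion; whatever code fills `u.id` should reject values that do not round-trip through the intended type.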
> @@ -100,6 +101,16 @@ print_rule (const char *name, const struct rule *rule, 
> const char *suffix)
>      nbdkit_debug ("%s=ipv6:[%s]/%u%s", name, u.addr6, rule->prefixlen, 
> suffix);
>      break;
>  
> +  case PID:
> +    nbdkit_debug ("%s=pid:%d%s", name, rule->u.id, suffix);
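Review bot: `%d` with `rule->u.id` is only correct while the member stays an `int`; if it is widened to `id_t` as discussed above, the portable idiom is to cast the value to `intmax_t` and print it with `%jd` (or `PRIdMAX` from <inttypes.h>), which sidesteps the lack of a dedicated printf specifier for id_t.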

For example, this becomes more complicated if we use id_t instead of int.

ACK

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org


_______________________________________________
Libguestfs mailing list
Libguestfs@redhat.com
https://www.redhat.com/mailman/listinfo/libguestfs
