On Sat, Oct 03, 2020 at 07:50:01PM +0100, Richard W.M. Jones wrote: > --- > filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++----- > tests/Makefile.am | 14 ++++++- > filters/ip/ip.c | 69 +++++++++++++++++++++++++++++--- > tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++ > tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++ > tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++ > 6 files changed, 301 insertions(+), 18 deletions(-) > > diff --git a/filters/ip/nbdkit-ip-filter.pod b/filters/ip/nbdkit-ip-filter.pod > index 17108617..aa91cff2 100644 > --- a/filters/ip/nbdkit-ip-filter.pod > +++ b/filters/ip/nbdkit-ip-filter.pod > @@ -1,6 +1,7 @@ > =head1 NAME > > -nbdkit-ip-filter - filter clients by IP address > +nbdkit-ip-filter - filter clients by IP address, process ID, user ID > +or group ID > > =head1 SYNOPSIS > > @@ -14,6 +15,10 @@ address. Usually it is better to control this outside > nbdkit, for > example using TCP wrappers or a firewall, but this filter can be used > if these are not available. > > +nbdkit E<ge> 1.24 added the ability to filter clients connecting over > +local Unix domain sockets by client process ID, user ID and group ID. > +This currently only works on Linux. > + > =head1 EXAMPLES > > nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all > @@ -28,13 +33,29 @@ network. > > nbdkit --filter=ip [...] allow=anyipv6 deny=all > > -Allow IPv6 clients to connect from anywhere, deny all IPv4 > -connections. > +Allow IPv6 clients to connect from anywhere, deny all other sources. > + > + nbdkit -U sock --filter=ip [...] allow=pid:1234 deny=all > + > +Only process ID 1234 can connect to the server over the local Unix > +domain socket.
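Review bot: the second nbdkit-ip-filter.pod hunk says the pid/uid/gid matching "currently only works on Linux" but does not say what happens elsewhere when a `pid:`, `uid:` or `gid:` rule is configured, which is the detail an administrator relying on this for access control needs. Suggest stating it explicitly, e.g. whether nbdkit refuses to start with such a rule on other platforms or whether the rule simply never matches (so `allow=uid:1000 deny=all` would deny everyone), and that the rules apply only to connections over `-U` Unix domain sockets, not TCP.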
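Review bot: the `allow=pid:1234 deny=all` example in the third pod hunk presents a bare process ID as sufficient to gate access ("Only process ID 1234 can connect"), but a PID alone is not a stable identity: the process can exit and the number be reused by another before or during the check. Suggest the EXAMPLES text carry a caveat that `pid:` rules are best combined with `uid:`/`gid:` rules (e.g. `allow=pid:1234,uid:1000`-style policy if the filter supports both in one allow list), and that the documentation point users toward uid/gid matching as the primary control.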
NB using PID as an access control token on its own is racy due to the
possibility of PID reuse. There was a major CVE against polkit many
years back due to use of PID alone:

  https://access.redhat.com/security/cve/CVE-2013-4288

The safe way to check PIDs is to use the (PID, start time, uid) triple.

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
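As an added illustration of the (PID, start time, uid) triple described in the reply above (example code written for this page, not part of the nbdkit patch and not code from either poster), the following Linux C helper reads a process's start time from field 22 of /proc/PID/stat and its real uid from the Uid: line of /proc/PID/status, as documented in proc(5), and compares a live process against a previously captured triple. It assumes /proc is mounted; the struct and function names are hypothetical. The point of the triple is that a reused PID gets a new start time, so a policy that remembers (pid, starttime, uid) will not match an unrelated process that later inherits the same number, and a peer that has already exited is denied because /proc/PID cannot be read.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical identity record: (pid, uid, start time) per the reply above. */
struct proc_identity {
    pid_t pid;
    uid_t uid;                    /* real uid from /proc/PID/status */
    unsigned long long starttime; /* clock ticks since boot, /proc/PID/stat field 22 */
};

/* Read the triple for `pid` from /proc (assumption: Linux procfs layout per proc(5)).
 * Returns 0 on success, -1 if the process is gone or /proc is unreadable. */
int proc_identity_read(pid_t pid, struct proc_identity *out)
{
    char path[64], buf[4096];
    FILE *fp;
    size_t n;
    char *p;
    int i, found = 0;
    unsigned ruid = 0;

    snprintf(path, sizeof path, "/proc/%d/stat", (int) pid);
    fp = fopen(path, "r");
    if (!fp) return -1;
    n = fread(buf, 1, sizeof buf - 1, fp);
    fclose(fp);
    buf[n] = '\0';

    /* The comm field may contain spaces, so fields resume after the last ')'. */
    p = strrchr(buf, ')');
    if (!p) return -1;
    p++;                           /* now at the space before field 3 (state) */
    for (i = 0; i < 19; i++) {     /* advance to the space before field 22 */
        p = strchr(p + 1, ' ');
        if (!p) return -1;
    }
    out->starttime = strtoull(p + 1, NULL, 10);

    /* Real uid is the first number on the "Uid:" line of /proc/PID/status. */
    snprintf(path, sizeof path, "/proc/%d/status", (int) pid);
    fp = fopen(path, "r");
    if (!fp) return -1;
    while (fgets(buf, sizeof buf, fp)) {
        if (sscanf(buf, "Uid:\t%u", &ruid) == 1) { found = 1; break; }
    }
    fclose(fp);
    if (!found) return -1;

    out->pid = pid;
    out->uid = (uid_t) ruid;
    return 0;
}

/* Return 1 only if the process currently holding `pid` is still the one
 * recorded in `ref`; a reused PID (different start time), a uid change, or
 * a process that has exited all yield 0, i.e. deny. */
int proc_identity_matches(pid_t pid, const struct proc_identity *ref)
{
    struct proc_identity now;
    if (proc_identity_read(pid, &now) == -1) return 0;
    return now.pid == ref->pid && now.uid == ref->uid &&
           now.starttime == ref->starttime;
}

int main(void)
{
    struct proc_identity me;
    if (proc_identity_read(getpid(), &me) == -1) {
        perror("proc_identity_read");
        return 1;
    }
    printf("pid=%d uid=%u starttime=%llu match=%d\n", (int) me.pid,
           (unsigned) me.uid, me.starttime, proc_identity_matches(getpid(), &me));
    return 0;
}
```

In a socket server the `pid` would come from the SO_PEERCRED credentials of the accepted Unix socket, and the triple would be captured at that moment and compared against the stored policy rather than trusting the PID number by itself.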
