Linode Community Forums
Blocking or allowing a precise process

Linode.com Forum Forum Index -> Linux Networking
jvm (Joined: 26 Dec 2007, Posts: 10)

Posted: Mon Feb 25, 2008 4:20 pm    Post subject: Blocking or allowing a precise process

Hello, I was thinking that it would be useful to be able to allow or deny network access to specific processes.

In particular I would like to be able to define such rules through the process name.
I thought that iptables could do that, but googling I discovered that the "cmd-owner" feature is long gone.

Trying to use a rule like:
Code:
    iptables -A OUTPUT -m owner --cmd-owner foo -j DROP
gives only this result:
Code:
    ipt_owner: pid, sid and command matching not supported anymore
    iptables: Invalid argument

Unfortunately user id and group id don't give the granularity I could achieve with the name of the process, for example when a parent process starts child processes with the same uid and gid but different names.

So I would like to ask if anybody knows a way to block (or allow) network access only for specific processes, using their names as a discriminant.
SteveG (Joined: 30 Nov 2003, Posts: 214)

Posted: Mon Feb 25, 2008 6:13 pm

SELinux? Probably more effort than you want to go to, though.
rhashimoto (Joined: 13 Aug 2003, Posts: 55)

Posted: Mon Feb 25, 2008 8:00 pm

Can the processes in question be built against libwrap, or are they already?
jvm (Joined: 26 Dec 2007, Posts: 10)

Posted: Tue Feb 26, 2008 10:31 am

Thanks for your feedback.

Unfortunately I'm trying to restrict precompiled binaries whose sources aren't available, and indeed SELinux is too much for me to manage.

Still I could obtain the desired result by starting the processes I want to restrict with sudo, using a system account created for this purpose, and then deploying iptables rules that match the user id.

It surely isn't an elegant solution, but it still allows me to block processes easily. I should have thought about it earlier.

However, I hope the option to restrict processes by name will come back in the future, since with my current solution I still can't block only the parent process or only the children. Fortunately I don't need this behaviour anymore, so I can cope with the current limitations.

Thanks again for your suggestions, I'll keep them in mind if I bump into similar issues again.
jdlspeedy (Joined: 31 Jan 2008, Posts: 3)

Posted: Tue Feb 26, 2008 2:07 pm

Quote:
    --pid-owner processid
    Matches if the packet was created by a process with the given process id.

    --sid-owner sessionid
    Matches if the packet was created by a process in the given session group.

    --cmd-owner name
    Matches if the packet was created by a process with the given command name. (This option is present only if iptables was compiled under a kernel supporting this feature.)

    NOTE: pid, sid and command matching are broken on SMP

Try it with --uid-owner (uid)
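As an added example (not code from this thread), here is jvm's workaround combined with jdlspeedy's --uid-owner suggestion: the precompiled binary is started under a dedicated account via sudo, and OUTPUT rules keyed on that uid allow only an explicit destination list, log anything else, then drop it. The account name "netjail" and the log prefix are this example's own choices.

```shell
#!/bin/sh
# Added example: per-uid network policy with the owner match that still exists.
# The owner match only sees locally generated packets, hence the OUTPUT chain.
# Caveat from the thread: every child of the restricted process inherits the
# uid, so parent and children cannot be told apart by this rule set.
set -u

# Emit the iptables commands for one uid: loopback open, each listed
# destination allowed, everything else that uid sends is logged and dropped.
# The log prefix has no spaces so each line can be executed by word splitting.
owner_rules() {
    uid="$1"; shift
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -j ACCEPT"
    for dst in "$@"; do
        echo "iptables -A OUTPUT -m owner --uid-owner $uid -d $dst -j ACCEPT"
    done
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix netjail-drop:"
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j DROP"
}

# Number of ACCEPT entries in a generated policy, to sanity check the
# allow-list (loopback plus one per destination) before loading it.
accept_count() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Apply the policy for account "$1"; remaining args are allowed destinations.
# Needs root. The uid is resolved once so the rules never depend on a name.
apply_policy() {
    account="$1"; shift
    uid=$(id -u "$account") || return 1
    owner_rules "$uid" "$@" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Start a precompiled binary under the restricted account, as jvm does.
run_restricted() {
    account="$1"; shift
    sudo -u "$account" -- "$@"
}

# Typical use, after creating the account (e.g. useradd -r netjail):
#   apply_policy netjail 192.0.2.10 192.0.2.53 && run_restricted netjail /opt/foo/bin/foo
```

Dropped attempts show up in the kernel log with the netjail-drop: prefix, which is how you notice the binary trying to reach something outside the list.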