Blocking or allowing a precise process

Hello, I was thinking that it would be useful to be able to allow or deny network access to specific processes.

In particular I would like to be able to define such rules through the process name.

I thought that iptables could do that, but googling I discovered that the "cmd-owner" feature is long gone.

Trying to use a rule like:

iptables -A OUTPUT -m owner --cmd-owner foo -j DROP

gives only this result:

ipt_owner: pid, sid and command matching not supported anymore
iptables: Invalid argument

Unfortunately user id and group id don't give the granularity I could achieve with the name of the process. For example, when a parent process starts child processes with the same uid and gid but different names.

So I would like to ask if anybody knows a way to block (or allow) network access only for specific processes, using their names as a discriminant.

4 Replies

SELinux? Probably more effort than you want to go to, though.

Can the processes in question be built against libwrap, or are they already?

Thanks for your feedback.

Unfortunately I'm trying to restrict precompiled binaries whose sources aren't available, and indeed SELinux is too much for me to manage.

Still I could obtain the desired result by starting the processes I want to restrict with sudo, using a system account created for this purpose, and then deploying iptables rules that match the user id.

It surely isn't an elegant solution but still allows me to block processes easily. I should have thought about it earlier.

However I hope the option to restrict processes by name will come back in the future since with my current solution I still can't block only the parent process or the children. Fortunately I don't need this behaviour anymore so I can cope with the current limitations.

Thanks again for your suggestions, I'll keep them in mind if I bump again into similar issues.

> --pid-owner processid
>
> Matches if the packet was created by a process with the given process id.
>
> --sid-owner sessionid
>
> Matches if the packet was created by a process in the given session group.
>
> --cmd-owner name
>
> Matches if the packet was created by a process with the given command name. **(This option is present only if iptables was compiled under a kernel supporting this feature.)**
>
> NOTE: pid, sid and command matching are broken on SMP

Try it with --uid-owner (uid)
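The workaround the original poster settled on (start the binary under a dedicated system account via sudo, then match that account's uid in iptables) and the `--uid-owner` suggestion in the reply above come down to the same few commands. The script below is an added example, not code posted in the thread: the account name `netjail`, the `netjail-drop:` log prefix and the `/opt/foo/bin/foo` path are constructed placeholders, and `useradd`, `iptables` and `sudo` need root. With `DRY_RUN=1` every privileged command is printed instead of executed, so the rules it would install can be reviewed on any machine.

```shell
# Added example (not from the thread): confine a precompiled binary's outbound
# network access by running it as a dedicated uid and dropping that uid's
# traffic with the iptables owner match. Assumed names: account "netjail",
# log prefix "netjail-drop:". Set DRY_RUN=1 to print commands instead of
# running them.
#
# Usage (as root):
#   . ./netjail.sh
#   ensure_account netjail
#   restrict_uid "$(uid_of netjail)"
#   run_restricted netjail /opt/foo/bin/foo --port 8080   # placeholder binary

# run_priv CMD... : execute a privileged command, or print it in dry-run mode.
run_priv() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# uid_of NAME : numeric uid of an existing account (fails if it does not exist).
uid_of() {
    id -u "$1"
}

# ensure_account NAME : create a shell-less system account if it is missing.
# Every process started as this uid, including any children it forks, keeps
# the same uid, which is why this approach cannot separate parent from child.
ensure_account() {
    if ! id -u "$1" >/dev/null 2>&1; then
        run_priv useradd --system --shell /usr/sbin/nologin --no-create-home "$1"
    fi
}

# restrict_uid UID : log, then drop, every outbound packet the kernel
# attributes to UID. The LOG rule leaves a trail in the kernel log
# (dmesg / journalctl -k) so blocked connection attempts stay visible.
restrict_uid() {
    run_priv iptables -A OUTPUT -m owner --uid-owner "$1" -j LOG --log-prefix "netjail-drop:"
    run_priv iptables -A OUTPUT -m owner --uid-owner "$1" -j DROP
}

# check_uid UID : succeed only if the DROP rule for UID is currently loaded.
check_uid() {
    run_priv iptables -C OUTPUT -m owner --uid-owner "$1" -j DROP
}

# unrestrict_uid UID : remove both rules again (same match, -D instead of -A).
unrestrict_uid() {
    run_priv iptables -D OUTPUT -m owner --uid-owner "$1" -j LOG --log-prefix "netjail-drop:"
    run_priv iptables -D OUTPUT -m owner --uid-owner "$1" -j DROP
}

# run_restricted NAME CMD... : launch the binary as the restricted account.
# -H resets HOME to the account's own, and "--" stops sudo from interpreting
# the binary's own options.
run_restricted() {
    name="$1"; shift
    run_priv sudo -H -u "$name" -- "$@"
}
```

Because the owner match keys on the uid the socket was created with, every descendant of the launched binary is covered too, which is exactly the limitation the poster notes: the parent and its children cannot be treated differently this way.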
