Displaying 10 results from an estimated 10 matches for "nbdkit_peer_pid".
2020 Oct 05
3
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> used on Linux (only) to read the peer PID, UID and GID from clients
> connected over a Unix domain socket. This can be used in the
> preconnect phase to add additional filtering.
>
> One use for this is to add an extra layer of au...
2020 Oct 03
0
[PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
used on Linux (only) to read the peer PID, UID and GID from clients
connected over a Unix domain socket. This can be used in the
preconnect phase to add additional filtering.
One use for this is to add an extra layer of authentication for local
co...
2020 Oct 03
7
[PATCH nbdkit v2 0/3] ip: Add filtering by process ID, user ID and group ID.
This is just a simple update to:
https://www.redhat.com/archives/libguestfs/2020-October/msg00015.html
rebased on top of current nbdkit master because I pushed a few simple
refactorings.
Rich.
2020 Oct 05
4
[PATCH nbdkit v3 0/4] ip: Add filtering by process ID, user ID and group ID.
v2 was here:
https://www.redhat.com/archives/libguestfs/2020-October/msg00019.html
v3:
* defence -> defense
* Use int64_t instead of int. This compiles on Windows.
* Add GC wrappers to OCaml bindings.
* New FreeBSD patch.
* Removed "pid:" example from the ip filter manual, and added a warning
beside the pid documentation.
Rich.
2020 Oct 03
0
[PATCH nbdkit v2 3/3] ocaml: Add bindings for nbdkit_peer_{pid, uid, gid}.
...it.mli
index ececd5fd..8abfeb49 100644
--- a/plugins/ocaml/NBDKit.mli
+++ b/plugins/ocaml/NBDKit.mli
@@ -162,3 +162,10 @@ val shutdown : unit -> unit
(** Print a debug message when nbdkit is in verbose mode. *)
val debug : ('a, unit, string, unit) format4 -> 'a
+
+(** Binding for [nbdkit_peer_pid]. *)
+val peer_pid : unit -> int
+(** Binding for [nbdkit_peer_uid]. *)
+val peer_uid : unit -> int
+(** Binding for [nbdkit_peer_gid]. *)
+val peer_gid : unit -> int
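Review bot: the `int` return type on `peer_pid`, `peer_uid` and `peer_gid` is only 31 bits wide on 32-bit OCaml, so a UID or GID above 2^30-1 cannot be represented there. Since plugins will compare these values against an allow list, consider returning `int64` from all three, or state the range limit in the doc comments.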
diff --git a/plugins/ocaml/NBDKit.ml b/plugins/ocaml/NBDKit.ml
index 739210fa..76fa3a77 100644
--- a/plugins/ocaml/NBDKit.m...
2020 Oct 03
2
[PATCH nbdkit 0/2] ip: Add filtering by process ID, user ID and group ID.
These two commits add new APIs and enhance nbdkit-ip-filter to allow
filtering of Unix domain sockets by the client's PID, UID or GID. eg:
nbdkit -U sock --filter=ip ... allow=uid:`id -u` deny=all
Rich.
2020 Oct 05
0
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > used on Linux (only) to read the peer PID, UID and GID from clients
> > connected over a Unix domain socket. This can be used in the
> > preconnect phase to add additional filtering.
> >
> > One use for this is to...
2020 Oct 05
1
Re: [PATCH nbdkit v2 1/3] server: Add new APIs for reading the client’s SO_PEERCRED.
On Mon, Oct 05, 2020 at 02:38:37PM +0100, Daniel P. Berrangé wrote:
> On Mon, Oct 05, 2020 at 08:21:50AM -0500, Eric Blake wrote:
> > On 10/3/20 1:50 PM, Richard W.M. Jones wrote:
> > > New nbdkit_peer_pid, nbdkit_peer_uid and nbdkit_peer_gid calls can be
> > > used on Linux (only) to read the peer PID, UID and GID from clients
> > > connected over a Unix domain socket. This can be used in the
> > > preconnect phase to add additional filtering.
> > >
> > > >...
2020 Oct 05
2
Re: [PATCH nbdkit v2 3/3] ocaml: Add bindings for nbdkit_peer_{pid, uid, gid}.
...gt; --- a/plugins/ocaml/NBDKit.mli
> +++ b/plugins/ocaml/NBDKit.mli
> @@ -162,3 +162,10 @@ val shutdown : unit -> unit
>
> (** Print a debug message when nbdkit is in verbose mode. *)
> val debug : ('a, unit, string, unit) format4 -> 'a
> +
> +(** Binding for [nbdkit_peer_pid]. *)
> +val peer_pid : unit -> int
> +(** Binding for [nbdkit_peer_uid]. *)
> +val peer_uid : unit -> int
> +(** Binding for [nbdkit_peer_gid]. *)
> +val peer_gid : unit -> int
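Review bot: the three doc comments only name the C function being bound and do not describe the failure case. The commit message says these calls work on Linux only and only for clients connected over a Unix domain socket, so the .mli should say what `peer_pid`, `peer_uid` and `peer_gid` do otherwise (raise an exception or return a sentinel value). A plugin that uses the result for access control has to handle that path explicitly.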
Is int sufficient on 32-bit platforms, or do you need int32? But on
64-bit platforms, I don'...
2020 Oct 03
0
[PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.
...rule (const struct rule *rule,
sin6 = (struct sockaddr_in6 *) addr;
return ipv6_equal (sin6->sin6_addr, rule->u.ipv6, rule->prefixlen);
+ /* Note these work even if the underlying nbdkit_peer_* call fails. */
+ case PID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_pid () == rule->u.id;
+
+ case UID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_uid () == rule->u.id;
+
+ case GID:
+ if (family != AF_UNIX) return false;
+ return nbdkit_peer_gid () == rule->u.id;
+
case BAD:
default:
abort ();
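Review bot: the comment above `case PID:` says the comparisons work even if the underlying nbdkit_peer_* call fails, but that holds only if the error return can never equal `rule->u.id`, and nothing in this hunk shows the rule parser enforcing that. Either test the return value for failure before the `==` comparison in the PID, UID and GID cases, or extend the comment to name the invariant and where it is enforced, so a later change to the parser or to the id type does not let a failed lookup match an allow rule.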
@@ -430,8 +485,10 @@ che...