Milton Yates wrote:
> I'm using Tomoyo 1.8.3 on linux 3.1, migrating from in-kernel Tomoyo
> 2.4, I have started using socket filtering which is pretty cool!

Thank you. Socket filtering for local and outgoing addresses is also available in in-kernel TOMOYO 2.5 (which is in Linux 3.2 and is backportable to Linux 2.6.33 and later).

> I have found that Tomoyo generates logs like this:
> "network inet dgram send X.X.X.X 0"
> connection attempts on UDP port 0, for every outbound inet TCP
> connection the program makes.

TOMOYO checks "send" permission rather than "connect" permission when connect() is called on a connectionless socket, for connect() on a connectionless socket is used for associating a default destination address that will be used when the destination address is omitted upon subsequent sendmsg() requests. Thus, learning "network inet dgram send" entries upon connect() is a known behaviour.

For example,

----- test.c start -----
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <arpa/inet.h>

int main(int argc, char *argv[])
{
	int fd1 = socket(PF_INET, SOCK_STREAM, 0);	/* TCP (connection-oriented) */
	int fd2 = socket(PF_INET, SOCK_DGRAM, 0);	/* UDP (connectionless) */
	struct sockaddr_in addr;
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr("127.0.0.2");
	addr.sin_port = htons(0);
	/* connect() on a stream socket: TOMOYO checks "connect" */
	connect(fd1, (struct sockaddr *) &addr, sizeof(addr));
	addr.sin_addr.s_addr = inet_addr("127.0.0.3");
	/* sendto() on a datagram socket: TOMOYO checks "send" */
	sendto(fd2, "", 1, 0, (struct sockaddr *) &addr, sizeof(addr));
	addr.sin_addr.s_addr = inet_addr("127.0.0.4");
	/* connect() on a datagram socket only sets the default destination, so TOMOYO also checks "send" */
	connect(fd2, (struct sockaddr *) &addr, sizeof(addr));
	return 0;
}
----- test.c end -----

causes TOMOYO to learn

network inet stream connect 127.0.0.2 0
network inet dgram send 127.0.0.3 0
network inet dgram send 127.0.0.4 0

entries and causes strace to print

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
connect(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.2")}, 16) = -1 ECONNREFUSED (Connection refused)
sendto(4, "\0", 1, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.3")}, 16) = -1 EINVAL (Invalid argument)
connect(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("127.0.0.4")}, 16) = 0

lines.

> Is sending to UDP 0 still how the OS finds a free port?

I don't think so. bind() to port 0 is a way to let the OS find a free port, but connect()/send() to port 0 do not make sense (with the exception of connect(AF_UNSPEC) described in "man 2 connect").

> Would you recommend allowing this activity?

I don't know. You can try tracing your application like

strace -e trace=socket,bind,connect,send,sendmsg /path/to/your/app

to find what is happening.

> Could it not be misused to communicate externally on port 0?

I think it is impossible to communicate with destination port == 0.
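The two points made above (connect() on a UDP socket only records a default destination that a later address-less send() uses, and a datagram explicitly sent to port 0 is rejected by the kernel) can be checked on any Linux box. The program below is an added illustration, not code from this thread or from the TOMOYO project; it assumes Linux socket semantics, uses only loopback, and asks the kernel for a free port via bind() to port 0, which is the legitimate "find a free port" idiom the reply refers to.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Open a UDP socket bound to 127.0.0.1 with a kernel-chosen port
 * (bind() to port 0 is the legitimate "find a free port" idiom).
 * On success stores the bound address in *addr and returns the fd;
 * returns -1 on failure. */
static int open_loopback_receiver(struct sockaddr_in *addr)
{
	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	socklen_t len = sizeof(*addr);
	struct timeval tv = { 1, 0 };	/* never block forever in recv() */
	if (fd < 0)
		return -1;
	memset(addr, 0, sizeof(*addr));
	addr->sin_family = AF_INET;
	addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	addr->sin_port = htons(0);
	if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
	    getsockname(fd, (struct sockaddr *)addr, &len) < 0 ||
	    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* connect() on a UDP socket only records a default destination; the
 * datagram is actually emitted by the later send() that omits an address.
 * This is why TOMOYO evaluates "network inet dgram send" for that connect().
 * Returns 1 if the receiver got the datagram, 0 otherwise. */
int udp_connect_then_send_delivers(void)
{
	struct sockaddr_in dst, peer;
	socklen_t plen = sizeof(peer);
	char buf[16];
	int ok = 0;
	int rx = open_loopback_receiver(&dst);
	int tx = socket(AF_INET, SOCK_DGRAM, 0);
	if (rx < 0 || tx < 0)
		goto out;
	/* Associates the default peer; no packet leaves the host here. */
	if (connect(tx, (struct sockaddr *)&dst, sizeof(dst)) < 0)
		goto out;
	/* The kernel now reports the associated address as the peer. */
	if (getpeername(tx, (struct sockaddr *)&peer, &plen) < 0 ||
	    peer.sin_port != dst.sin_port)
		goto out;
	/* send() with no address is routed to the connect()ed destination. */
	if (send(tx, "hi", 2, 0) != 2)
		goto out;
	if (recv(rx, buf, sizeof(buf), 0) == 2 && memcmp(buf, "hi", 2) == 0)
		ok = 1;
out:
	if (rx >= 0)
		close(rx);
	if (tx >= 0)
		close(tx);
	return ok;
}

/* Explicit sendto() with destination port 0: Linux rejects it with EINVAL
 * before anything is transmitted (the same EINVAL seen in the strace above).
 * Returns the errno observed, 0 if sendto() unexpectedly succeeded, or
 * -1 if no socket could be created. */
int udp_sendto_port_zero_errno(void)
{
	struct sockaddr_in dst;
	int err = 0;
	int fd = socket(AF_INET, SOCK_DGRAM, 0);
	if (fd < 0)
		return -1;
	memset(&dst, 0, sizeof(dst));
	dst.sin_family = AF_INET;
	dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	dst.sin_port = htons(0);
	if (sendto(fd, "", 1, 0, (struct sockaddr *)&dst, sizeof(dst)) < 0)
		err = errno;
	close(fd);
	return err;
}

int main(void)
{
	printf("connect()+send() delivered: %d\n", udp_connect_then_send_delivers());
	printf("sendto() to port 0 errno: %d (EINVAL is %d)\n",
	       udp_sendto_port_zero_errno(), EINVAL);
	return 0;
}
```

Running it under the strace command suggested above shows the same pattern as the original test.c: one connect() on the datagram socket that returns 0 without any traffic, followed by a send() that carries the data, which is the call TOMOYO's "dgram send" entry is really about.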