From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Hassan Sultan"
Subject: Re: Filtering Connect syscalls for af_inet only
Date: Thu, 05 Feb 2015 12:26:44 -0800
To: Paul Moore, F Rafi
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Wouldn't x86 simply be a filter with 2 comparisons: one on a0 to filter only connect, and one on a3 for the sockaddr size?

Basically, on x86 you have one rule: the one with 2 comparisons.
On x64 you have 2 rules: one on the connect syscall, and one on the socketcall syscall with 2 comparisons.

Thanks,

Hassan

On Thu, 05 Feb 2015 11:06:03 -0800, F Rafi wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.
>
> And we'd have to keep an eye out for x86 systems. I understand that
> x86_64 does not use socketcall() but, do you know if multiarch support
> somehow allows 32bit apps on x86_64 to use / translate these calls?
>
> Thanks again!
> Farhan
>
> On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore wrote:
>> On Thu, Feb 5, 2015 at 10:31 AM, F Rafi wrote:
>>> Ahh..thanks Paul!
>>>
>>> Is there a better way to intercept outbound network access calls while
>>> avoiding af_unix?
>>
>> I'm not sure, I'm not overly familiar with the auditd/auditctl
>> filtering capabilities. There are several people on this list that
>> are far more knowledgeable about that than me.
>>
>>> I assume sockaddr_storage is just a different size (I think 128?)
>>
>> The idea behind the sockaddr_storage struct was to create a structure
>> that could be used to represent any address family that the system
>> supports. I don't believe there is a standard size across OSes due to
>> different levels of support, padding, etc; in other words, it's
>> probably best not to rely on a specific size of sockaddr_storage.
>>
>> --
>> paul moore
>> www.paul-moore.com
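The thread converges on filtering x86_64 connect() events by the sockaddr length in a2 (0x6e = 110 = sizeof(struct sockaddr_un)), with Paul's caveat that address sizes are not something to rely on, and Farhan's worry about 32-bit callers that go through socketcall(). The script below is an added example written for this page, not code from the thread or from the audit project. It builds a handful of constructed SYSCALL/SOCKADDR record pairs in the layout auditd logs them (aN values in hex, saddr as the hex bytes of the address), then classifies each connect() event two ways: the a2 == 110 length heuristic from the thread, and the address family the kernel actually recorded in the SOCKADDR record (sa_family_t, host-order unsigned short in the first two bytes). The assumed names (classify_log, heuristic_misses, the sample paths and addresses) are mine; the syscall numbers (x86_64 connect = 42, i386 socketcall = 102, SYS_CONNECT = 3) and the arch values are the real Linux ones.

```python
"""Compare the a2-length heuristic for excluding AF_UNIX connects with the
address family recorded in the audit SOCKADDR record.  Added example; the
log lines are constructed, not taken from a real system."""
import re
import socket
import struct
from collections import defaultdict

AF_UNIX, AF_INET, AF_INET6 = 1, 2, 10
FAMILY_NAMES = {AF_UNIX: "AF_UNIX", AF_INET: "AF_INET", AF_INET6: "AF_INET6"}
SOCKADDR_UN_LEN = 110                # sizeof(struct sockaddr_un) on Linux, 0x6e in the thread
X86_64_CONNECT = (0xC000003E, 42)    # arch=c000003e syscall=42
I386_SOCKETCALL = (0x40000003, 102)  # arch=40000003 syscall=102
SYS_CONNECT = 3                      # socketcall() sub-call number for connect


def unix_saddr(path, addrlen):
    """Hex sockaddr_un as audit logs it: family, path, NUL, zero-padded to addrlen."""
    raw = struct.pack("<H", AF_UNIX) + path.encode() + b"\0"
    return raw.ljust(addrlen, b"\0").hex().upper()


def inet_saddr(ip, port):
    """Hex sockaddr_in (16 bytes): family, network-order port, IPv4, 8 zero bytes."""
    return (struct.pack("<H", AF_INET) + struct.pack(">H", port)
            + socket.inet_aton(ip) + b"\0" * 8).hex().upper()


def inet6_saddr(ip, port):
    """Hex sockaddr_in6 (28 bytes): family, port, flowinfo, IPv6, scope id."""
    return (struct.pack("<H", AF_INET6) + struct.pack(">H", port) + b"\0" * 4
            + socket.inet_pton(socket.AF_INET6, ip) + b"\0" * 4).hex().upper()


def _syscall(ev, arch, nr, a0, a2, comm):
    return (f"type=SYSCALL msg=audit(1423170001.{ev}:{ev}): arch={arch} syscall={nr} "
            f"success=yes exit=0 a0={a0:x} a1=7ffd3a1e0c20 a2={a2:x} a3=0 "
            f'pid={2000 + ev} comm="{comm}" key="net-connect"')


def _sockaddr(ev, saddr):
    return f"type=SOCKADDR msg=audit(1423170001.{ev}:{ev}): saddr={saddr}"


# Constructed sample records (hypothetical processes and addresses).
SAMPLE_LOG = "\n".join([
    _syscall(501, "c000003e", 42, 3, 16, "curl"),
    _sockaddr(501, inet_saddr("192.168.1.10", 80)),
    _syscall(502, "c000003e", 42, 4, SOCKADDR_UN_LEN, "dbus-send"),
    _sockaddr(502, unix_saddr("/run/dbus/system_bus_socket", SOCKADDR_UN_LEN)),
    _syscall(503, "c000003e", 42, 5, 28, "ssh"),
    _sockaddr(503, inet6_saddr("2001:db8::1", 22)),
    # A caller passing only 2 + strlen(path) + 1 bytes: 16 here, the same a2 as sockaddr_in.
    _syscall(504, "c000003e", 42, 6, 16, "app"),
    _sockaddr(504, unix_saddr("/tmp/app.sock", 16)),
    # 32-bit caller via socketcall(SYS_CONNECT, args): a1 points at the argument
    # array in memory, so the address length is not in any aN field of the record.
    _syscall(505, "40000003", 102, SYS_CONNECT, 0, "legacy32"),
    _sockaddr(505, inet_saddr("192.168.1.20", 443)),
])

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_events(log):
    """Group SYSCALL and SOCKADDR records by audit event serial."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        events[int(m.group(1))][fields["type"]] = fields
    return events


def family_from_saddr(saddr_hex):
    """sa_family_t is a host-order unsigned short in the first two address bytes."""
    return struct.unpack("<H", bytes.fromhex(saddr_hex[:4]))[0]


def classify_connect(event):
    """None for non-connect events; else the a2 guess beside the recorded family."""
    sc = event.get("SYSCALL")
    if sc is None or "SOCKADDR" not in event:
        return None
    arch, nr = int(sc["arch"], 16), int(sc["syscall"])
    if (arch, nr) == X86_64_CONNECT:
        addrlen = int(sc["a2"], 16)
        # The thread's rule: a2 != 0x6e keeps everything that is not a full sockaddr_un.
        length_guess = "AF_UNIX" if addrlen == SOCKADDR_UN_LEN else "not AF_UNIX"
    elif (arch, nr) == I386_SOCKETCALL and int(sc["a0"], 16) == SYS_CONNECT:
        addrlen, length_guess = None, "unknown"
    else:
        return None
    family = family_from_saddr(event["SOCKADDR"]["saddr"])
    return {"comm": sc["comm"].strip('"'), "addrlen": addrlen,
            "length_guess": length_guess,
            "family": FAMILY_NAMES.get(family, f"AF_{family}")}


def classify_log(log):
    """Map event serial -> classification for every connect() event in the log."""
    out = {}
    for serial, ev in parse_events(log).items():
        c = classify_connect(ev)
        if c is not None:
            out[serial] = c
    return out


def heuristic_misses(log):
    """Serials where the a2 heuristic disagrees with (or cannot see) the real family."""
    def expected(c):
        return "AF_UNIX" if c["family"] == "AF_UNIX" else "not AF_UNIX"
    return sorted(s for s, c in classify_log(log).items()
                  if c["length_guess"] != expected(c))


if __name__ == "__main__":
    for serial, c in sorted(classify_log(SAMPLE_LOG).items()):
        print(serial, c)
    print("heuristic misses:", heuristic_misses(SAMPLE_LOG))
```

Events 504 and 505 are the two cases the thread worries about: a short sockaddr_un whose length matches sockaddr_in, and a socketcall() caller whose address length never reaches the aN fields. In both the SOCKADDR record still carries the family, so a collector that keys on saddr rather than on a2 classifies them correctly; the a2 rule remains useful as a first-pass volume reducer on x86_64 but should not be the only check.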