From: John Wood <john.wood@gmx.com>
To: kernelnewbies@kernelnewbies.org
Subject: Test if a socket accept is from external network
Date: Sun, 25 Apr 2021 13:08:41 +0200
Message-ID: <20210425110841.GA15467@ubuntu>
Hi,
I'm working on an LSM to detect and mitigate fork brute force attacks
against vulnerable userspace applications. Now, to fine-tune the
detection, I want to detect network activity. To do so, I can use the
following code in the "socket_sock_rcv_skb" hook:
#include <linux/lsm_hooks.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
#include <net/sock.h>

static bool network_activity;	/* set once a non-loopback packet is seen */

static int brute_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
	/* Skip packets with no device and packets from the loopback device */
	if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
		return 0;
	network_activity = true;
	return 0;
}
This way, only external connections are taken into account. Or, in other
words, communication using local sockets is skipped. The drawback of
this approach is that the hook mentioned above is called for every packet
received. So, I have decided to use the hook that is called only when
a connection is accepted: "socket_accept".
static int brute_socket_accept(struct socket *sock, struct socket *newsock)
{
	/* I need to detect external connections */
	return 0;
}
But now I am not able to detect only external connections. Now, I don't
have access to the device (or I don't know how to get it). I have tried
the "sock->sk->sk_bound_dev_if" member of the sock struct, but its
value is always 0 for both internal and external connections (at least in my
tests).
How can I detect that an external connection (using a net device) is
accepted and avoid internal network communication?
Any help would be greatly appreciated. Thanks in advance.
John Wood
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
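The classification the post is after, "is this accepted peer reachable over a network, or is it local?", can be expressed on the peer address rather than on the receiving net device. The program below is an added, user-space illustration of that check; it is not the poster's LSM code and not kernel code. It uses only POSIX socket headers, so the in-kernel counterparts (ipv4_is_loopback() from <linux/in.h> and ipv6_addr_loopback() from <net/ipv6.h>) are named only in comments. The peer addresses in main() are constructed samples, and the function names peer_is_loopback(), peer_is_external() and peer_text_is_external() are this example's own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* True when the peer address is in the host's loopback range. This is the
 * user-space counterpart of the kernel's ipv4_is_loopback() and
 * ipv6_addr_loopback() helpers. */
static bool peer_is_loopback(const struct sockaddr *sa)
{
	if (sa->sa_family == AF_INET) {
		const struct sockaddr_in *s4 = (const struct sockaddr_in *)sa;
		/* 127.0.0.0/8 */
		return (ntohl(s4->sin_addr.s_addr) & 0xff000000u) == 0x7f000000u;
	}
	if (sa->sa_family == AF_INET6) {
		const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)sa;
		const struct in6_addr *a = &s6->sin6_addr;
		if (IN6_IS_ADDR_LOOPBACK(a))	/* ::1 */
			return true;
		/* ::ffff:127.x.x.x is what a dual-stack (AF_INET6) listener
		 * sees for an IPv4 loopback client */
		if (IN6_IS_ADDR_V4MAPPED(a))
			return a->s6_addr[12] == 127;
	}
	return false;
}

/* External = an IP peer whose address is not loopback. AF_UNIX and any
 * other non-IP family are treated as local. */
bool peer_is_external(const struct sockaddr *sa)
{
	if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
		return false;
	return !peer_is_loopback(sa);
}

/* Convenience wrapper for a textual IPv4/IPv6 literal, as a getpeername()
 * result would be printed. Returns 1 = external, 0 = local,
 * -1 = not a valid address. */
int peer_text_is_external(const char *text)
{
	struct sockaddr_in s4;
	struct sockaddr_in6 s6;

	memset(&s4, 0, sizeof(s4));
	s4.sin_family = AF_INET;
	if (inet_pton(AF_INET, text, &s4.sin_addr) == 1)
		return peer_is_external((struct sockaddr *)&s4) ? 1 : 0;

	memset(&s6, 0, sizeof(s6));
	s6.sin6_family = AF_INET6;
	if (inet_pton(AF_INET6, text, &s6.sin6_addr) == 1)
		return peer_is_external((struct sockaddr *)&s6) ? 1 : 0;

	return -1;
}

int main(void)
{
	/* Constructed sample peers, not captured from a real system. */
	const char *peers[] = { "127.0.0.1", "::1", "::ffff:127.0.0.1",
				"203.0.113.5", "2001:db8::10", "bogus" };
	size_t i;

	for (i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
		printf("%-20s -> %d\n", peers[i],
		       peer_text_is_external(peers[i]));
	return 0;
}
```

Two caveats matter when carrying this over to the hook. First, an address test is not the same as the IFF_LOOPBACK device test in the first hook: a local process connecting to one of the host's own non-loopback addresses (its eth0 address, say) is still delivered through the lo device, so the skb->dev check skips it while the address check above classifies it as external; decide which of the two notions of "local" the mitigation should use. Second, security_socket_accept() is invoked before the protocol's accept routine populates newsock, so the connected child socket and its peer address are not yet available from newsock at that point, which is consistent with sk_bound_dev_if reading 0 there.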
Thread overview:
2021-04-25 11:08 John Wood [this message]
2021-04-25 12:01 ` Test if a socket accept is from external network Jeffrey Walton
2021-04-25 13:34 ` John Wood
2021-05-05 1:39 ` jim.cromie