Date: Sun, 25 Apr 2021 13:08:41 +0200
From: John Wood
To: kernelnewbies@kernelnewbies.org
Subject: Test if a socket accept is from external network
Message-ID: <20210425110841.GA15467@ubuntu>
Hi,

I'm working on an LSM to detect and mitigate fork brute force attacks
against vulnerable userspace applications. Now, to fine-tune the
detection, I want to detect network activity. To do so, I can use the
following code in the "socket_sock_rcv_skb" hook:

static int brute_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
	/* Skip packets with no receiving device and packets that arrived
	 * over a loopback device; only the rest count as network activity. */
	if (!skb->dev || (skb->dev->flags & IFF_LOOPBACK))
		return 0;

	network_activity = true;
	return 0;
}

This way, only external connections are taken into account. Or, in other
words, communication using local sockets is skipped.

The drawback with this approach is that the hook mentioned above is
called for every packet received. So, I have decided to use the hook
that is called only when a connection is accepted: "socket_accept".

static int brute_socket_accept(struct socket *sock, struct socket *newsock)
{
	/* I need to detect external connections */
	return 0;
}

But now I am not able to detect only external connections. Now, I don't
have access to the device (or I don't know how to do it). I have tried
with the "sock->sk->sk_bound_dev_if" member of the sock struct, but its
value is always 0 for internal and external connections (at least in my
tests).

How can I detect that an external connection (using a net device) is
accepted and avoid internal network communication?

Any help would be greatly appreciated.

Thanks in advance.
John Wood

_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
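The following is an added userspace example, not code from the post above and not an LSM hook. It shows the address-based counterpart of the IFF_LOOPBACK device test in brute_sock_rcv_skb(): classify a peer as local when its address can only belong to this host (AF_UNIX, 127.0.0.0/8, ::1, or an IPv4-mapped ::ffff:127.x.y.z on a dual-stack listener) and as external otherwise. In the kernel the same tests exist as ipv4_is_loopback() and ipv6_addr_loopback(). Two caveats a practitioner would want: the two tests do not agree in every case, because a connection to one of the host's own non-loopback addresses (say 192.168.1.10 on the local box) is still delivered through the lo device on Linux, so the device test calls it local while the address test calls it external; and sk_bound_dev_if on a listening socket only reflects SO_BINDTODEVICE, which is why it reads 0 regardless of where a peer connects from. The sample addresses in main() are constructed for illustration; fd_peer_is_local() shows how the same check applies to a real accepted descriptor via getpeername().

```c
/* Added example: address-based local-vs-external classification of a peer,
 * the userspace analogue of the IFF_LOOPBACK device test in the post. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* True when the 32-bit host-order address lies in 127.0.0.0/8
 * (same test as the kernel's ipv4_is_loopback()). */
static bool v4_is_loopback(uint32_t host_order_addr)
{
	return (host_order_addr & 0xff000000u) == 0x7f000000u;
}

/* Returns true when the peer address can only belong to this host. */
bool peer_is_local(const struct sockaddr *sa)
{
	switch (sa->sa_family) {
	case AF_UNIX:
		/* Unix domain sockets never leave the machine. */
		return true;
	case AF_INET: {
		const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
		return v4_is_loopback(ntohl(in->sin_addr.s_addr));
	}
	case AF_INET6: {
		const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
		const struct in6_addr *a = &in6->sin6_addr;
		if (IN6_IS_ADDR_LOOPBACK(a))
			return true;
		/* A dual-stack listener sees IPv4 peers as ::ffff:a.b.c.d;
		 * the last four bytes hold the IPv4 address in network order. */
		if (IN6_IS_ADDR_V4MAPPED(a)) {
			uint32_t v4;
			memcpy(&v4, &a->s6_addr[12], sizeof(v4));
			return v4_is_loopback(ntohl(v4));
		}
		return false;
	}
	default:
		/* Unknown family: do not silently treat it as local. */
		return false;
	}
}

/* Parse a textual IPv4 or IPv6 address into a sockaddr_storage. */
bool parse_peer(const char *text, struct sockaddr_storage *ss)
{
	memset(ss, 0, sizeof(*ss));
	struct sockaddr_in *in = (struct sockaddr_in *)ss;
	if (inet_pton(AF_INET, text, &in->sin_addr) == 1) {
		in->sin_family = AF_INET;
		return true;
	}
	struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)ss;
	if (inet_pton(AF_INET6, text, &in6->sin6_addr) == 1) {
		in6->sin6_family = AF_INET6;
		return true;
	}
	return false;
}

/* Classify a textual peer: -1 unparseable, 0 local, 1 external. */
int text_peer_class(const char *text)
{
	struct sockaddr_storage ss;
	if (!parse_peer(text, &ss))
		return -1;
	return peer_is_local((const struct sockaddr *)&ss) ? 0 : 1;
}

/* Same classification for a live accepted socket: -1 on error, 0 local, 1 external. */
int fd_peer_class(int fd)
{
	struct sockaddr_storage ss;
	socklen_t len = sizeof(ss);
	if (getpeername(fd, (struct sockaddr *)&ss, &len) < 0)
		return -1;
	return peer_is_local((const struct sockaddr *)&ss) ? 0 : 1;
}

int main(void)
{
	/* Constructed sample peers, not captured from a real system. */
	const char *samples[] = { "127.0.0.1", "127.5.6.7", "192.168.1.10",
				  "::1", "::ffff:127.0.0.1", "2001:db8::1" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-20s %s\n", samples[i],
		       text_peer_class(samples[i]) == 1 ? "external" : "local");
	return 0;
}
```

On an accepted descriptor the call is fd_peer_class(newfd) right after accept(); in an LSM, note that security_socket_accept() runs before sock->ops->accept() has dequeued the connection, so at that hook newsock carries no struct sock yet and the peer address is not available there.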