Date: Sun, 25 Apr 2021 15:34:30 +0200
From: John Wood
To: Jeffrey Walton, kernelnewbies
Subject: Re: Test if a socket accept is from external network
Message-ID: <20210425133430.GA3407@ubuntu>
References: <20210425110841.GA15467@ubuntu>
Cc: John Wood

Hi,

On Sun, Apr 25, 2021 at 08:01:55AM -0400, Jeffrey Walton wrote:
> On Sun, Apr 25, 2021 at 7:09 AM John Wood wrote:
> >
> > I'm working in an LSM to detect and mitigate fork brute force attacks
> > against vulnerable userspace applications. Now, to fine-tune the
> > detection I want to detect a network activity. ...
> > How can I detect that an external connection (using a net device) is
> > accepted and avoid internal network communication?
>
> One caveat that may (or may not) apply...
>
> Systemd opens sockets for services even when a service is disabled. It
> could appear that a system is accepting traffic even when the service
> is unavailable.

But if the service is unavailable it will not accept connections. I hope.
If we use the socket_accept LSM hook it will not be called under this
scenario.

John Wood