From: "Hassan Sultan" <hsultan@thefroid.net>
To: Paul Moore <paul@paul-moore.com>, F Rafi <farhanible@gmail.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Filtering Connect syscalls for af_inet only
Date: Thu, 05 Feb 2015 12:26:44 -0800 [thread overview]
Message-ID: <op.xtlpqulb1jp0b1@win8mac> (raw)
In-Reply-To: <CABXp1ctf0yhkdtwMscrPRq1-Pjm9hZNKPmwQ5yvTGaRz4MGomw@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 1719 bytes --]
Wouldn't x86 simply be a filter with 2 comparisons : one on a0 to filter
only connect, and one on a3 for the sockaddr size ?
Basically, on x86 you have one rule : the one with 2 comparisons
On x64 you have 2 rules : one on the connect syscall, and one on the
socketcall syscall with 2 comparisons
Thanks,
Hassan
On Thu, 05 Feb 2015 11:06:03 -0800, F Rafi <farhanible@gmail.com> wrote:
> I did some digging and now I understand the different size variations of
> sockaddr_storage. I guess I can just filter on a2!=6e then.
>
> And we'd have to keep an eye out for x86 systems. I understand that
> x86_64 does not use socketcall() but, do you know if multiarch support
> somehow >allows 32bit apps on x86_64 to use / translate these calls?
>
> Thanks again!
> Farhan
>
> On Thu, Feb 5, 2015 at 10:38 AM, Paul Moore <paul@paul-moore.com> wrote:
>> On Thu, Feb 5, 2015 at 10:31 AM, F Rafi <farhanible@gmail.com> wrote:
>>> Ahh..thanks Paul!
>>>
>>> Is there a better way to intercept outbound network access calls while
>>> avoiding af_unix?
>>
>> I'm not sure, I'm not overly familiar with the auditd/auditctl
>> filtering capabilities. There are several people on this list that
>> are far more knowledgeable about that than me.
>>
>>>>> I assume sockaddr_storage is just a different size (I think 128?)
>>
>> The idea behind the sockaddr_storage struct was to create a structure
>> that could be used to represent any address family that the system
>> supports. I don't believe there is a standard size across OSes due to
>> different level of support, padding, etc; in other words, it's
>> probably best not to rely on a specific size of sockaddr_storage.
>>
>>>> --
>> paul moore
>> www.paul-moore.com
[-- Attachment #1.2.1: Type: text/html, Size: 2708 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2015-02-05 20:26 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-03 22:57 Filtering Connect syscalls for af_inet only F Rafi
2015-02-03 23:21 ` Peter Moody
2015-02-03 23:24 ` F Rafi
2015-02-03 23:53 ` F Rafi
2015-02-05 1:19 ` F Rafi
2015-02-05 14:39 ` Paul Moore
2015-02-05 15:31 ` F Rafi
2015-02-05 15:38 ` Paul Moore
2015-02-05 19:06 ` F Rafi
2015-02-05 20:16 ` Paul Moore
2015-02-05 20:26 ` Hassan Sultan [this message]
2015-02-05 20:34 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=op.xtlpqulb1jp0b1@win8mac \
--to=hsultan@thefroid.net \
--cc=farhanible@gmail.com \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox