This repository was archived by the owner on May 22, 2023. It is now read-only.

Restrict components #134

Open
1 of 2 tasks
jklmnn opened this issue Jan 14, 2020 · 1 comment

jklmnn (Member) commented Jan 14, 2020

Currently, when the server is asked for a service, it opens a socket pair and then passes one file descriptor to the client. This requires that the server has the ability to open arbitrary file descriptors. To further restrict the server's capabilities, the broker should open the socket pair instead and send one file descriptor to the server. Once the server has accepted the connection, the broker sends the other socket to the requesting client.
The only downside is that the broker needs to keep track of pending connection requests.

There's a StackOverflow question on how to prevent processes on Linux from opening arbitrary file descriptors.

  • Change broker to be the only component opening file descriptors
  • Restrict components with seccomp
jklmnn (Member, Author) commented Jan 21, 2020

As a convention, pairs of file descriptors are always sent client first, server second to the server. If multiple pairs are sent, this order is kept and they are kept as pairs. The server will answer with a confirm message with one or more client file descriptors or with a reject message without any file descriptor.
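The exchange described in the two comments above (broker opens the pair, hands both ends to the server client-first, server confirms with the client end or rejects with none, broker forwards the answer to the client), as an added example in C that is not the project's own code. It assumes the usual Linux mechanism for passing descriptors over a Unix socket, `sendmsg`/`recvmsg` with `SCM_RIGHTS`; the tag bytes `R`/`C`/`X`, the function names and the single-process simulation of the three roles are illustrative choices, not anything the issue specifies.

```c
/* Added example, not project code: broker-owned socket pair handed to server and client.
 * Tags and function names are hypothetical; the descriptor passing uses SCM_RIGHTS. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_FDS 2  /* a client/server pair is the most passed in one message */

enum { TAG_REQUEST = 'R', TAG_CONFIRM = 'C', TAG_REJECT = 'X' };

/* Send one tag byte plus `n` descriptors (0..MAX_FDS) over Unix socket `sock`. */
static int send_fds(int sock, char tag, const int *fds, int n)
{
    char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct iovec iov = { .iov_base = &tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    if (n > 0) {
        memset(cbuf, 0, sizeof cbuf);
        msg.msg_control = cbuf;
        msg.msg_controllen = CMSG_SPACE(sizeof(int) * n);
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET;
        c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int) * n);
        memcpy(CMSG_DATA(c), fds, sizeof(int) * n);  /* order on the wire is preserved */
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a tag byte and up to MAX_FDS descriptors; returns how many arrived, -1 on error. */
static int recv_fds(int sock, char *tag, int *fds)
{
    char cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct iovec iov = { .iov_base = tag, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    int n = 0;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        n = (c->cmsg_len - CMSG_LEN(0)) / sizeof(int);
        memcpy(fds, CMSG_DATA(c), sizeof(int) * n);
    }
    return n;
}

/* One request, all three roles in one process talking only over sockets.
 * Returns 1 if the client got a channel the server holds the other end of,
 * 0 if the server rejected, -1 on failure. */
int broker_demo(int server_accepts)
{
    int bs[2], bc[2], pair[2], got[MAX_FDS], server_end = -1, result = -1, n;
    char tag;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, bs) < 0 ||   /* broker<->server */
        socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, bc) < 0)     /* broker<->client */
        return -1;

    /* Broker: the only component that creates descriptors. Client end first, server end second. */
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, pair) < 0) return -1;
    if (send_fds(bs[0], TAG_REQUEST, pair, 2) < 0) return -1;
    close(pair[0]); close(pair[1]);  /* in-flight copies keep the pair alive; request is now pending */

    /* Server: keep its end and return the client end, or reject without any descriptor. */
    n = recv_fds(bs[1], &tag, got);
    if (n != 2 || tag != TAG_REQUEST) return -1;
    if (server_accepts) {
        server_end = got[1];
        if (send_fds(bs[1], TAG_CONFIRM, &got[0], 1) < 0) return -1;
        close(got[0]);
    } else {
        if (send_fds(bs[1], TAG_REJECT, NULL, 0) < 0) return -1;
        close(got[0]); close(got[1]);
    }

    /* Broker: forward the answer to the client and drop the pending entry. */
    n = recv_fds(bs[0], &tag, got);
    if (n < 0 || send_fds(bc[0], tag, got, n) < 0) return -1;
    for (int i = 0; i < n; i++) close(got[i]);

    /* Client: either a connected socket arrives or a reject with no descriptor. */
    n = recv_fds(bc[1], &tag, got);
    if (tag == TAG_REJECT && n == 0) {
        result = 0;
    } else if (tag == TAG_CONFIRM && n == 1) {
        char buf[4];  /* ping/pong proves both ends belong to the same pair */
        if (write(got[0], "ping", 4) == 4 && read(server_end, buf, 4) == 4 &&
            memcmp(buf, "ping", 4) == 0 && write(server_end, "pong", 4) == 4 &&
            read(got[0], buf, 4) == 4 && memcmp(buf, "pong", 4) == 0)
            result = 1;
        close(got[0]);
    }
    if (server_end >= 0) close(server_end);
    close(bs[0]); close(bs[1]); close(bc[0]); close(bc[1]);
    return result;
}
```

The broker closes its own copies of the pair immediately after `sendmsg`, so the only references left are the in-flight message and, later, the server; what it has to remember is the outstanding request so the confirm or reject can be routed back to the right client. With `MSG_CMSG_CLOEXEC` and `SOCK_CLOEXEC` the received descriptors never leak into child processes, which matters once the server is expected not to be able to open descriptors of its own.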

jklmnn added a commit that referenced this issue Jan 21, 2020
jklmnn added a commit that referenced this issue Feb 21, 2020
jklmnn added a commit that referenced this issue May 20, 2020