systemd often uses dynamically-chosen UIDs for services (DynamicUser=yes). This means that rules matching with the uid operand will no longer match when a service/the system is next restarted and the process gets a newly-assigned uid. As a consequence, I have to allow a binary for all users on the system, instead of just allowing a daemon user to make connections with a binary.
At process discovery, OpenSnitch should use user.LookupId(uid) to look up the name currently assigned to a uid, and allow the result to be matched with an operand.
In addition, or perhaps in lieu, it would be helpful to match by a process's cgroup name. systemd will assign a unique cgroup to each service, so this would ensure that even if a process happens to somehow be launched as the correct user, it will still not be able to evade rules. This information is available in /proc/$pid/cgroup. For example:

This could be especially useful for desktop apps, because you could allow wget to be used from Konsole without also allowing it to be used by Spotify.

However, in the scenario described, using DynamicUser=, it won't work. On the one hand, because usernames are allocated dynamically and don't exist in the system, user.LookupId() won't find it when loading the rule.
On the other hand, if User= is specified and it doesn't exist in the system, user.LookupId() won't find the UID for the same reason.
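The thread above proposes two things: resolving a uid to its current name with user.LookupId at process discovery, and matching a process by the systemd unit recorded in /proc/$pid/cgroup, with the reply pointing out that the name lookup fails for DynamicUser= services. The following Go program is an added example written for this page; it is not OpenSnitch's code, and the type ProcessIdentity, the functions cgroupUnit, lookupUser, identify and matchUnit, and the sample /proc/<pid>/cgroup lines used in the test are all assumptions made here. It shows why the unit name survives a restart when the uid does not: the unit is parsed from the cgroup path (cgroup v2 and the v1 name=systemd line), while the uid-to-name lookup is treated as best effort.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/user"
	"path"
	"strconv"
	"strings"
)

// ProcessIdentity is a hypothetical record (not an OpenSnitch type) holding the
// attributes a rule could match on: the numeric uid, the user name currently
// mapped to it (empty if the uid is not in the user database) and the systemd
// unit derived from /proc/<pid>/cgroup.
type ProcessIdentity struct {
	UID  uint32
	User string
	Unit string
}

// cgroupUnit extracts the systemd unit a process belongs to from the text of
// /proc/<pid>/cgroup. It understands the cgroup v2 line ("0::/system.slice/foo.service")
// and the cgroup v1 systemd controller line ("1:name=systemd:/system.slice/foo.service").
// It returns "" when no unit can be found, so callers can treat that as "unknown".
func cgroupUnit(content string) string {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.SplitN(sc.Text(), ":", 3)
		if len(fields) != 3 {
			continue
		}
		// Only the unified hierarchy ("") or the v1 systemd controller path names a unit.
		if fields[1] != "" && fields[1] != "name=systemd" {
			continue
		}
		// Walk from the leaf upwards: a service's workers may live in nested cgroups,
		// and desktop apps end in a .scope under the user's slice.
		for p := fields[2]; p != "/" && p != "." && p != ""; p = path.Dir(p) {
			base := path.Base(p)
			if strings.HasSuffix(base, ".service") || strings.HasSuffix(base, ".scope") {
				return base
			}
		}
	}
	return ""
}

// lookupUser resolves a uid to its current name with os/user. A DynamicUser=
// service's uid is not in /etc/passwd (Go's cgo-less lookup reads only that file),
// so the lookup may fail; "" means "unknown", not "no match".
func lookupUser(uid uint32) string {
	u, err := user.LookupId(strconv.FormatUint(uint64(uid), 10))
	if err != nil {
		return ""
	}
	return u.Username
}

// identify builds the identity of a live pid from /proc: the real uid is taken
// from the "Uid:" line of /proc/<pid>/status, the unit from /proc/<pid>/cgroup.
func identify(pid int) (ProcessIdentity, error) {
	cg, err := os.ReadFile(fmt.Sprintf("/proc/%d/cgroup", pid))
	if err != nil {
		return ProcessIdentity{}, err
	}
	st, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid))
	if err != nil {
		return ProcessIdentity{}, err
	}
	var uid uint32
	for _, line := range strings.Split(string(st), "\n") {
		if strings.HasPrefix(line, "Uid:") {
			if f := strings.Fields(line); len(f) >= 2 {
				v, _ := strconv.ParseUint(f[1], 10, 32)
				uid = uint32(v)
			}
		}
	}
	return ProcessIdentity{UID: uid, User: lookupUser(uid), Unit: cgroupUnit(string(cg))}, nil
}

// matchUnit is the proposed cgroup operand: a rule naming a unit matches only a
// process in that unit, whatever uid systemd assigned to it on this boot.
func matchUnit(rule string, id ProcessIdentity) bool {
	return id.Unit != "" && id.Unit == rule
}

func main() {
	id, err := identify(os.Getpid())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("uid=%d user=%q unit=%q\n", id.UID, id.User, id.Unit)
}
```

Running the binary prints its own uid, name and unit; under a systemd service the unit field is the stable handle, while the user field may be empty for DynamicUser= and would change meaning if the uid were reused.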