hey so, linux firewall question: is there a way to make packets from the application with basename "foo" go directly to eth0 but everything else go via the default route? censorship resistance doesn't play well with low latency
Replying to @whitequark
the closest to what you want is probably the iptables "owner" module, which you could use to set a mark and then use that in the routing table? but that can only access UID and GID, because a socket doesn't track much more about its opener. (see owner_mt() in the kernel.)
Replying to @tehjh @whitequark
so a dirty hack without changing kernel code would be to make the binary setgid to some new group, and then match against that GID in the iptables rules, I think?
Replying to @whitequark
(a kernel design rule is that (in theory), read()/write() can't look at the caller other than accessing the supplied buffer, so you can safely pass FDs around. access checks are relative to the opener, who might have died already.
Replying to @tehjh @whitequark
any process info you want to access on write() must be captured at open time, and should be cheap to store.
Replying to @tehjh @whitequark
files have an ->f_cred pointer. creds are only duplicated on privilege transition, so the kernel doesn't have to store many, but they can't contain a process name.)
(so if you feel like writing kernel code, a way to implement this in a less hacky way might be to use SELinux or AppArmor to do an automatic domain transition on file execution, and then add code to xt_owner and SELinux/AppArmor that permits matching on the domain from netfilter)
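The setgid-group hack from the thread, worked through end to end as an added example (this is not code from the thread or from either participant): the binary is made setgid to a dedicated group, xt_owner matches that group's packets in the mangle OUTPUT chain and sets an fwmark, and a policy-routing rule sends marked packets to a table whose default route goes out eth0 instead of the (VPN) default route. It also handles the two things that bite in practice: the socket's source address was already chosen from the main table before the mark rerouted the packet, so the packets need SNAT on eth0, and strict reverse-path filtering on eth0 would drop the replies because the main table routes the remote host via the VPN. All names are assumptions: group "directnet", mark 0x1, table 100, gateway 192.0.2.1 (a TEST-NET-1 address, constructed), binary /usr/local/bin/foo. With DRY_RUN set the script prints the commands instead of running them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the thread. Route one setgid binary's traffic out
# IFACE via fwmark + policy routing; everything else keeps the default route.
# Assumed names: GROUP, MARK, TABLE, GATEWAY (192.0.2.1 is TEST-NET-1,
# constructed) and BIN are all placeholders for this example.
set -eu

BIN=${BIN:-/usr/local/bin/foo}
GROUP=${GROUP:-directnet}
MARK=${MARK:-0x1}
TABLE=${TABLE:-100}
IFACE=${IFACE:-eth0}
GATEWAY=${GATEWAY:-192.0.2.1}

# run: execute a command, or only print it when DRY_RUN is set, so the
# generated commands can be reviewed (and tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_binary: sockets opened by foo carry its fsgid in file->f_cred, which
# is all xt_owner can see (as the thread explains); making the binary setgid
# to a group nothing else uses makes that GID unique to foo.
setup_binary() {
    run groupadd -f "$GROUP"
    run chgrp "$GROUP" "$BIN"
    run chmod g+s "$BIN"
}

# setup_firewall: mark locally generated packets owned by GROUP, then SNAT
# them as they leave via IFACE. The SNAT is needed because the socket's source
# address was picked from the main table (the VPN's address) at connect()
# time, before the mark rerouted the packet out IFACE.
setup_firewall() {
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$GROUP" -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -o "$IFACE" -m mark --mark "$MARK" -j MASQUERADE
}

# setup_routing: marked packets use TABLE, whose only route is a default via
# GATEWAY on IFACE. Replies arrive on IFACE from hosts the main table routes
# via the VPN, so strict rp_filter on IFACE would drop them; loose mode (2)
# accepts them as long as some route back to the source exists.
setup_routing() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$GATEWAY" dev "$IFACE" table "$TABLE"
    run sysctl -w "net.ipv4.conf.$IFACE.rp_filter=2"
}

apply_all() {
    setup_binary
    setup_firewall
    setup_routing
}

# Only touch the system when explicitly asked:
#   sudo sh direct-eth0.sh apply          # apply the rules
#   DRY_RUN=1 sh direct-eth0.sh apply     # print them instead
case "${1:-}" in
    apply) apply_all ;;
esac
```

A caveat that follows from the thread's point about f_cred: the GID is captured when the socket is opened, so any child process foo spawns (or any process it hands the socket to) keeps the same treatment, and a user who can run foo gets a way to send arbitrary traffic out eth0 bypassing the VPN.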