Originally posted by lszh on 2008-6-21 03:30
As in the title.
On a Linux system, how can a specific program be prevented from accessing the network? Based on controlling the program, not on ports.
I searched before asking, but tried many keyword combinations and found nothing relevant.
With the current setup you can use iptables to enforce this, but a better approach would be to restrict it with an SELinux policy. The former is simpler; the latter is more comprehensive.
man iptables:
```
owner
    This module attempts to match various characteristics of the packet creator, for locally-generated packets.
    It is only valid in the OUTPUT chain, and even this some packets (such as ICMP ping responses) may
    have no owner, and hence never match.

    --uid-owner userid
        Matches if the packet was created by a process with the given effective user id.
    --gid-owner groupid
        Matches if the packet was created by a process with the given effective group id.
    --pid-owner processid
        Matches if the packet was created by a process with the given process id.
    --sid-owner sessionid
        Matches if the packet was created by a process in the given session group.
    --cmd-owner name
        Matches if the packet was created by a process with the given command name. (this option is
        present only if iptables was compiled under a kernel supporting this feature)

    NOTE: pid, sid and command matching are broken on SMP
```
--cmd-owner is exactly what is needed. However, based on my own tests on several machines, early versions of iptables could use it, but it is now largely unsupported; running dmesg shows:
```
ipt_owner: pid, sid and command matching not supported anymore
```
So the current version of iptables cannot achieve what is needed. Of course, passing parameters such as --uid-owner is still possible, it just isn't what the poster asked for.
If you consider SELinux instead, writing your own policy is a bit harder; if you have studied it, you could use a simplified SELinux policy to meet this need. You can start by looking at the seedit project.
http://seedit.sourceforge.net/
This is a project that simplifies SELinux configuration and provides tools for writing policy. To use it you need to be familiar with SELinux, and you have to switch to its policy database (by default the system uses the targeted SELinux policy database). The project provides a GUI editing tool with which you can set up RBAC rules controlling whether a given program may access a certain file or even a network connection.
Rules look like:
http://seedit.sourceforge.net/doc/2.1/spdl_spec/node34.html
http://seedit.sourceforge.net/doc/2.1/spdl_spec/node32.html
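As an added example (not from this thread), a small POSIX shell script showing the --uid-owner approach the reply mentions as still working: run the program as a dedicated unprivileged user and reject that user's outbound packets in the OUTPUT chain. The user name "nonet" and the use of sudo to switch user are assumptions made here.

```shell
#!/bin/sh
# Added example: confine a program to "no network" without --cmd-owner by giving it
# its own user and matching that user's packets with the iptables owner module.
# Assumption: the dedicated user is called "nonet" (override with NONET_USER).

NONET_USER="${NONET_USER:-nonet}"

# Print the iptables commands for the given user (dry run; nothing is executed).
nonet_rules() {
    user="$1"
    # Keep loopback usable so the program can still reach local services if needed.
    echo "iptables -A OUTPUT -o lo -m owner --uid-owner $user -j ACCEPT"
    # Log rejected attempts so blocked network use by that program shows up in the kernel log.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j LOG --log-prefix \"nonet: \""
    # Reject everything else created by that user's processes (owner match is OUTPUT-only).
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Apply the rules (requires root), creating the dedicated user first if it is missing.
nonet_apply() {
    user="$1"
    id "$user" >/dev/null 2>&1 || \
        useradd --system --no-create-home --shell /usr/sbin/nologin "$user"
    nonet_rules "$user" | sh
}

# Run a program with no network access by switching to the restricted user.
nonet_run() {
    user="$1"; shift
    sudo -u "$user" -- "$@"
}

case "${1:-}" in
    show)  nonet_rules "$NONET_USER" ;;
    apply) nonet_apply "$NONET_USER" ;;
    run)   shift; nonet_run "$NONET_USER" "$@" ;;
esac
```

Usage: `sh nonet.sh apply` once as root, then `sh nonet.sh run /path/to/program`; anything the program sends will be logged and rejected, while the same program run as a normal user is unaffected.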