Page MenuHomePhabricator
Create Task
Maniphest T360

cpfpd define Address Families for hardening
Closed, InvalidPublic
Actions

Description

RestrictAdressFamilies, a systemd.exec feature would have been a good option to bring limit surface attack because it excludes obscure protocols from interacting with the daemon, but its not available on x86:

Quote:

"RestrictAddressFamilies=

 Note that this option has no effect on 32-bit x86 and is ignored (but
 works correctly on x86-64)."

Unfortunately iptables cannot recognize or limit address families it is something up to the process itself:

https://stackoverflow.com/a/19377464

This is something that can be defined in the python script by specifying
it as a socket parameter:

https://docs.python.org/2/library/socket.html

search for AF_INET

cpfpd's code could include this for further hardening.

Details

Impact
Normal

Event Timeline

HulaHoop created this task.Jun 21 2015, 5:59 PM
HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop updated the task description. (Show Details)
HulaHoop set Impact to Needs Triage.
HulaHoop added subscribers: HulaHoop, troubadour.
Herald added a project: Whonix. · View Herald TranscriptJun 21 2015, 5:59 PM
Herald added subscribers: WhonixQubes, Patrick. · View Herald Transcript
HulaHoop added a comment.Jun 21 2015, 8:53 PM

Looks like I should have looked more carefully. Its already in there. My bad.

Connect to the real control port
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
HulaHoop closed this task as Invalid.Jun 21 2015, 8:53 PM
HulaHoop changed Impact from Needs Triage to Normal.
Patrick added projects: onion-grater (Control Port Filter Proxy), security, enhancement.Jun 21 2015, 9:09 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer