Page MenuHomePhabricator

cpfpd define Address Families for hardening
Closed, InvalidPublic


RestrictAdressFamilies, a systemd.exec feature would have been a good option to bring limit surface attack because it excludes obscure protocols from interacting with the daemon, but its not available on x86:



 Note that this option has no effect on 32-bit x86 and is ignored (but
 works correctly on x86-64)."

Unfortunately iptables cannot recognize or limit address families it is something up to the process itself:

This is something that can be defined in the python script by specifying
it as a socket parameter:

search for AF_INET

cpfpd's code could include this for further hardening.



Event Timeline

HulaHoop raised the priority of this task from to Needs Triage.
HulaHoop updated the task description. (Show Details)
HulaHoop set Impact to Needs Triage.
HulaHoop added subscribers: HulaHoop, troubadour.

Looks like I should have looked more carefully. Its already in there. My bad.

Connect to the real control port
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
HulaHoop changed Impact from Needs Triage to Normal.