#1040 F19 Feature: firewalld Lockdown - https://fedoraproject.org/wiki/Features/FirewalldLockdown
Closed None Opened 9 years ago by jreznik.

For the 2013-02-06 meeting as Feature was announced on devel-announce list on 2013-01-30.

http://lists.fedoraproject.org/pipermail/devel/2013-January/177605.html

No concerns were raised on the Fedora devel list (as for 2013-02-05).

Nominating to vote "en block" on this feature.


AGREED: Feature is deferred for now, feature owner to provide more details.

Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt). With this feature the administator can lock the firewall configuration so that either none or only applications that are in the allowed list are able to request firewall changes.

The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default. Comprehensive user and application policies will be added later on.

If enabled the user can be sure that there are no unwanted configuration changes for the firewall from local applications or services.

Here is the relevant part of the FESCO discussion:
{{{
19:23:47 <nirik> I htink the lockdown applies to dbus sending apps
19:23:51 <notting> my understanding is that it locks local applications from changing the firewall (not users)
19:24:16 <nirik> yeah, so system-config-printers couldn't tell it to open cups ports
19:24:19 <mitr> notting: We don't have "application" as a security concept at all
19:24:21 <nirik> for example
19:24:58 <mitr> There's nothing to reliably distinguish system-config-printer from firewall-cmd, it's just a D-Bus caller with a valid polkit authorization running in an users' session.
19:25:37 <nirik> yeah, it seems like it's the interface perhaps? or is it looking at names?
}}}

The question of what is an "application" for the purpose of lockdown is still unclear to me.

firewalld gets the sender id for all method calls. With this sender id it is possible to get pid, uid, gid, .. and in the end the command line of the sender from /proc. This information is used to have a simple white list mechanism for applications or services if the lockdown feature is enabled, which defaults to off. The lockdown feature might get enabled by the administrator on servers or in environments, where local firewall changes should not be allowed or limited to a pre-selected list of commands.

firewalld lockdown feature was accepted (+5.5,-0,0)

Login to comment on this ticket.

Metadata