systemd often uses dynamically-chosen UIDs for services (DynamicUser=yes). This means that rules matching with the uid operand will no longer match when a service/the system is next restarted and the process gets a newly-assigned uid. As a consequence, I have to allow a binary for all users on the system, instead of just allowing a daemon user to make connections with a binary.
At process discovery, OpenSnitch should use user.LookupId(uid) to look up the name currently assigned to a uid, and allow the result to be matched with an operand.
In addition, or perhaps in lieu, it would be helpful to match by a process's cgroup name. systemd will assign a unique cgroup to each service, so this would ensure that even if a process happens to somehow be launched as the correct user, it will still not be able to evade rules. This information is available in /proc/$pid/cgroup. For example:
This could be especially useful for desktop apps, because you could allow wget to be used from Konsole without also allowing it to be used by Spotify.
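An added example (not OpenSnitch's own code) of the discovery step proposed above: it parses a constructed /proc/<pid>/cgroup sample, extracts the systemd unit name, and resolves a uid with user.LookupId, falling back to the number when no entry exists. ParseCgroup, UnitOf and LookupUserName are names chosen for this example; note that Go's os/user only consults NSS (and so nss-systemd's DynamicUser= entries) when built with cgo, while the pure Go resolver reads /etc/passwd.

```go
// Added example, not OpenSnitch code: at process discovery, read the cgroup
// from /proc/<pid>/cgroup and resolve the name currently assigned to the uid.
package main

import (
	"fmt"
	"os/user"
	"strings"
)

// ParseCgroup returns the cgroup path from the text of /proc/<pid>/cgroup.
// On the unified (v2) hierarchy the line is "0::/path"; on hybrid systems
// the v1 "name=systemd" controller line is used as a fallback.
func ParseCgroup(content string) string {
	fallback := ""
	for _, line := range strings.Split(content, "\n") {
		parts := strings.SplitN(line, ":", 3)
		if len(parts) != 3 {
			continue
		}
		if parts[0] == "0" && parts[1] == "" {
			return parts[2] // unified hierarchy entry wins
		}
		if fallback == "" && parts[1] == "name=systemd" {
			fallback = parts[2]
		}
	}
	return fallback
}

// UnitOf returns the last component of a cgroup path (the systemd unit name).
func UnitOf(cgroup string) string {
	return cgroup[strings.LastIndex(cgroup, "/")+1:]
}

// LookupUserName resolves uid via os/user.LookupId; if no entry exists (e.g. a
// DynamicUser= mapping not visible to a non-cgo build) the number is returned.
func LookupUserName(uid uint32) string {
	if u, err := user.LookupId(fmt.Sprint(uid)); err == nil {
		return u.Username
	}
	return fmt.Sprint(uid)
}

func main() {
	// Constructed /proc/<pid>/cgroup content for a DynamicUser= service.
	const sample = "0::/system.slice/example-daemon.service\n"
	fmt.Println(UnitOf(ParseCgroup(sample)), LookupUserName(62803))
}
```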