Mirror of https://github.com/gravitational/teleport (synced 2024-10-20 09:13:39 +00:00)
Commit 67c0eb3b4c
Adds the ability to block network traffic on SSH sessions. The deny/allow lists of IPs are specified in the teleport.yaml file. Supports both IPv4 and IPv6 communication. This feature currently relies on enhanced recording for cgroup management, so that needs to be enabled as well.

Design rationale:

This patch uses Linux Security Module (LSM) hooks, specifically security_socket_connect and security_socket_sendmsg, to control egress traffic. The LSM provides two advantages over socket filtering program types.

- It's executed early enough that the task information is available. This makes it easy to report PID, COMM, etc.
- It becomes a model for extending restrictions beyond networking.

The set of enforced cgroups is stored in a BPF hash map and the deny/allow lists are stored in BPF trie maps. An IP address is first checked against the allow list. If found, it's checked for an override in the deny list. The policy is default deny. However, the absence of the NetworkRestrictions API object is allow all.

IPv4 addresses are additionally registered in the IPv6 trie (as mapped) to account for dual stacks. However, it is unclear if this is sufficient, as 4-to-6 transition methods utilize a multitude of translation and tunneling methods.
File in this commit's tree: restricted.bpf.c
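The decision order the commit message describes (allow-list hit, deny-list override, default deny, allow-all when no NetworkRestrictions object exists, IPv4 registered as IPv4-mapped IPv6), modelled in user-space C as an added example; this is not Teleport's BPF program, and the linear prefix lists, the 8-entry limit and the sample policy (allow 10.0.0.0/8 and 2001:db8::/32, deny 10.1.2.0/24) are constructed stand-ins for the kernel LPM trie maps.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for the two BPF LPM tries: prefix lists searched linearly; IPv4 entries are
   stored as IPv4-mapped IPv6 (::ffff:a.b.c.d) with the prefix length shifted by 96. */
struct prefix { struct in6_addr addr; int bits; };
struct policy { bool present; struct prefix allow[8], deny[8]; int n_allow, n_deny; };
/* Parse an IPv4 or IPv6 literal into IPv6 form (IPv4 gets mapped). Returns 0 on success. */
static int to_v6(const char *s, struct in6_addr *out) {
    struct in_addr v4;
    if (inet_pton(AF_INET6, s, out) == 1) return 0;
    if (inet_pton(AF_INET, s, &v4) != 1) return -1;
    memset(out, 0, sizeof *out);
    out->s6_addr[10] = out->s6_addr[11] = 0xff;
    memcpy(&out->s6_addr[12], &v4, sizeof v4);
    return 0;
}
/* Prefix containment: whole bytes first, then the masked partial byte (skipped when bits % 8 == 0). */
static bool prefix_match(const struct in6_addr *a, const struct prefix *p) {
    int full = p->bits / 8, rem = p->bits % 8;
    uint8_t mask = rem ? (uint8_t)(0xffu << (8 - rem)) : 0;
    return memcmp(a->s6_addr, p->addr.s6_addr, full) == 0 &&
           (rem == 0 || (a->s6_addr[full] & mask) == (p->addr.s6_addr[full] & mask));
}
static bool trie_lookup(const struct prefix *t, int n, const struct in6_addr *a) {
    for (int i = 0; i < n; i++) if (prefix_match(a, &t[i])) return true;
    return false;
}
static int add_prefix(struct prefix *t, int *n, const char *s, int bits) {
    if (*n >= 8 || to_v6(s, &t[*n].addr) != 0) return -1;
    t[(*n)++].bits = strchr(s, ':') ? bits : bits + 96; /* v4 prefixes sit behind ::ffff:0:0/96 */
    return 0;
}

/* Decision order from the commit message: no restrictions object means allow all; otherwise the
   address must hit the allow trie and not be overridden by the deny trie (default deny). */
bool egress_allowed(const struct policy *p, const char *dst) {
    struct in6_addr a;
    if (!p->present) return true;
    if (to_v6(dst, &a) != 0) return false;
    return trie_lookup(p->allow, p->n_allow, &a) && !trie_lookup(p->deny, p->n_deny, &a);
}
/* Constructed sample policy: allow 10.0.0.0/8 and 2001:db8::/32, deny 10.1.2.0/24 inside it. */
int check_sample(const char *dst, bool restricted) {
    struct policy p = { .present = restricted };
    add_prefix(p.allow, &p.n_allow, "10.0.0.0", 8);
    add_prefix(p.allow, &p.n_allow, "2001:db8::", 32);
    add_prefix(p.deny, &p.n_deny, "10.1.2.0", 24);
    return egress_allowed(&p, dst) ? 1 : 0;
}
```

Note that a destination written as the mapped form ::ffff:10.1.2.9 lands on the same trie entry as 10.1.2.9, which is what the dual-stack registration is meant to cover; tunnelled or translated traffic (the caveat in the commit message) carries a different outer address and is not caught by this check.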