Don't service local requests.
There are security- and privacy-related issues with allowing local
processes - Chrome, for example - to access the p2p HTTP server. This
change blocks all access from the loopback interface.
BUG=chromium:309708
TEST=Unit tests pass and manually tested by running "curl
http://${IP}:16725" from the device itself and checking that the
connection is refused both for IP=127.0.0.1 and for IP set to an
address assigned to one of the host's own interfaces.
Change-Id: I75d6bbf37e3e242fef8bca3b207fafcb1e67e957
Reviewed-on: https://chromium-review.googlesource.com/174396
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: David Zeuthen <zeuthen@chromium.org>
Tested-by: David Zeuthen <zeuthen@chromium.org>
diff --git a/data/p2p.conf b/data/p2p.conf
index fb14dbd..eb60cdb 100644
--- a/data/p2p.conf
+++ b/data/p2p.conf
@@ -10,6 +10,8 @@
# similar) by software (such as the auto-update system) that
# wants to advertise or find content.
+env P2P_PORT=16725
+
respawn
pre-start script
@@ -21,15 +23,20 @@
# Ensure Avahi is running
initctl start avahi || true
- # Add a rule to the firewall to allow HTTP traffic
- iptables -A INPUT -p tcp --dport 16725 -j ACCEPT
- ip6tables -A INPUT -p tcp --dport 16725 -j ACCEPT
+ # Add a rule to the firewall to allow HTTP traffic except from the
+ # loopback interface (to prevent e.g. Chrome from connecting.)
+ iptables -I INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+ ip6tables -I INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+ iptables -A INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+ ip6tables -A INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
end script
-exec minijail0 -u p2p -g p2p /usr/sbin/p2p-server
+exec minijail0 -u p2p -g p2p /usr/sbin/p2p-server --port=${P2P_PORT}
post-stop script
# Delete the rules we previously added
- iptables -D INPUT -p tcp --dport 16725 -j ACCEPT
- ip6tables -D INPUT -p tcp --dport 16725 -j ACCEPT
+ iptables -D INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+ ip6tables -D INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+ iptables -D INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+ ip6tables -D INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
end script
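Review bot: The `-I`/`-A` calls in pre-start are not idempotent, so if pre-start ever runs without a matching post-stop having completed (a start that fails partway and leaves a rule behind, or a respawn cycle, depending on how Upstart sequences pre-start on respawn) the REJECT/ACCEPT rules accumulate, while the single `-D` per rule in post-stop removes only one copy each. Guarding each add with a presence check keeps the rule set stable, e.g. `iptables -C INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT 2>/dev/null || iptables -I INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT` (likewise for the other three), assuming the platform's iptables is new enough for `-C`. Relatedly, Upstart runs script stanzas under `sh -e` as far as I recall, so a failing first `-D` in post-stop skips the remaining deletes; appending `|| true` to each delete makes the cleanup best-effort, which is what it needs to be since a rule may legitimately be absent. It would also help to state in the comment why a `-i lo` match covers connections to the host's non-loopback addresses, e.g. `# Locally originated connections to any of our own addresses are delivered via lo, so this single match covers them all.`, since that is the assumption the TEST line in the description exercises.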