Don't service local requests.

There are security- and privacy-related issues with allowing local
processes - Chrome, for example - to access the p2p HTTP server. This
change blocks all access from the loopback interface.

BUG=chromium:309708
TEST=Unit tests pass and manually tested by running "curl
    http://${IP}:16725" and checking that the connection is refused
    for IP being 127.0.0.1 and an IP address assigned to one of the
    interfaces.

Change-Id: I75d6bbf37e3e242fef8bca3b207fafcb1e67e957
Reviewed-on: https://chromium-review.googlesource.com/174396
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Commit-Queue: David Zeuthen <zeuthen@chromium.org>
Tested-by: David Zeuthen <zeuthen@chromium.org>
diff --git a/data/p2p.conf b/data/p2p.conf
index fb14dbd..eb60cdb 100644
--- a/data/p2p.conf
+++ b/data/p2p.conf
@@ -10,6 +10,8 @@
 #       similar) by software (such as the auto-update system) that
 #       wants to advertise or find content.
 
+env P2P_PORT=16725
+
 respawn
 
 pre-start script
@@ -21,15 +23,20 @@
   # Ensure Avahi is running
   initctl start avahi || true
 
-  # Add a rule to the firewall to allow HTTP traffic
-  iptables -A INPUT -p tcp --dport 16725 -j ACCEPT
-  ip6tables -A INPUT -p tcp --dport 16725 -j ACCEPT
+  # Add a rule to the firewall to allow HTTP traffic except from the
+  # loopback interface (to prevent e.g. Chrome from connecting.)
+  iptables -I INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+  ip6tables -I INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+  iptables -A INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+  ip6tables -A INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
 end script
 
-exec minijail0 -u p2p -g p2p /usr/sbin/p2p-server
+exec minijail0 -u p2p -g p2p /usr/sbin/p2p-server --port=${P2P_PORT}
 
 post-stop script
   # Delete the rules we previously added
-  iptables -D INPUT -p tcp --dport 16725 -j ACCEPT
-  ip6tables -D INPUT -p tcp --dport 16725 -j ACCEPT
+  iptables -D INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+  ip6tables -D INPUT -p tcp --dport ${P2P_PORT} -j ACCEPT
+  iptables -D INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
+  ip6tables -D INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT
 end script
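Review bot: The post-stop section deletes the two ACCEPT rules before the two loopback REJECT rules, and Upstart script sections run under `sh -e` (the `|| true` on the avahi line points the same way), so if an ACCEPT delete fails because the rule is already gone, the REJECT deletes are skipped and stale or duplicate rules build up across respawns. Making each delete tolerant, e.g. `iptables -D INPUT -i lo -p tcp --dport ${P2P_PORT} -j REJECT || true`, keeps the cleanup balanced. Separately, the loopback block holds only while the REJECT rule placed by `-I` stays ahead of every rule that accepts loopback traffic. Nothing visible in this diff restricts p2p-server by bind address or peer address, so a rule that another job later inserts at the head of INPUT, such as `-i lo -j ACCEPT`, would quietly reopen local access. A comment in pre-start such as `# REJECT must stay ahead of any -i lo ACCEPT rule in INPUT` would record that dependency, and a peer-address check in the server itself would make the control fail closed.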