ucspi-socket-rules-check — check local socket connections against access control rules
ucspi-socket-rules-check [--verbose] {next-prog}
ucspi-socket-rules-check expects a process environment
that has been set up per the UCSPI conventions by
local-stream-socket-accept(1)
or
tcp-socket-accept(1).
It checks what is contained in the environment against a database of access
control rules, and (if the access checks pass)
it then chain loads to
next-prog with the
execvp(3)
function.
If the access checks fail, it exits without running anything.
next-prog may contain its own command line options, which ucspi-socket-rules-check will ignore.
Overall behaviour is guided by the value of the PROTO environment
variable.
If PROTO has the value UNIX:
If the value of UNIXREMOTEEUID is the same as the process's effective UID and a directory named uid/self/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).
If the value of UNIXREMOTEEGID is the same as the process's effective GID and a directory named gid/self/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).
If a directory named uid/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).
$UNIXREMOTEEUID
If a directory named gid/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).
$UNIXREMOTEEGID
If a directory named uid/default exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).
Otherwise access is denied.
If PROTO has the value TCP:
A group of directories, forming progressively larger supernets of the IP address, are checked.
If the value of TCPREMOTEIP is a human-readable IPv4 address,
then, for each prefix length N from 32 down to 0 an IP string
is constructed using the netmask
$TCPREMOTEIP/$Nip4/
exists then access is granted according to the directory contents (continuing
to search if access is neither granted nor denied by the directory).
$IP_$N
Thus ip4/0.0.0.0_0 is a catch-all rule.
If the value of TCPREMOTEIP is a human-readable IPv6 address,
then, for each prefix length N from 128 down to 0 an IP string
is constructed using the netmask
$TCPREMOTEIP/$Nip6/
exists then access is granted according to the directory contents (continuing
to search if access is neither granted nor denied by the directory).
$IP_$N
Thus ip6/::_0 is a catch-all rule.
Otherwise access is denied.
If PROTO has the value TCP6:
A group of directories, forming progressively larger supernets of the IP address, are checked.
If the value of TCP6REMOTEIP is a human-readable IPv4 address,
then, for each prefix length N from 32 down to 0 an IP string
is constructed using the netmask
$TCP6REMOTEIP/$Nip4/
exists then access is granted according to the directory contents (continuing
to search if access is neither granted nor denied by the directory).
$IP_$N
Thus ip4/0.0.0.0_0 is a catch-all rule.
If the value of TCP6REMOTEIP is a human-readable IPv6 address,
then, for each prefix length N from 128 down to 0 an IP string
is constructed using the netmask
$TCP6REMOTEIP/$Nip6/
exists then access is granted according to the directory contents (continuing
to search if access is neither granted nor denied by the directory).
$IP_$N
Thus ip6/::_0 is a catch-all rule.
Otherwise access is denied.
Otherwise access is denied.