On 12/01/2012 03:27, Tetsuo Handa wrote:
> Milton Yates wrote:
>> I have found that Tomoyo generates logs like this:
>> "network inet dgram send X.X.X.X 0"
>> connection attempts on UDP port 0, for every outbound inet TCP
>> connection the program makes.
>
> TOMOYO checks "send" permission rather than "connect" permission when connect()
> is called on a connectionless socket, for connect() on a connectionless socket
> is used for associating default destination address that will be used when
> destination address is omitted upon subsequent sendmsg() request. Thus,
> learning "network inet dgram send" entries upon connect() is a known behaviour.

I am not sure this is what Tomoyo logs here, otherwise I did not clearly
understand your point.

>> Is sending to UDP 0 still how the OS finds a free port?
>
> I don't think so. bind() to port 0 is a way to let the OS find a free port,
> but connect()/send() to port 0 do not make sense (with an exception that
> connect(AF_UNSPEC) described in "man 2 connect").
>
>> Would you recommend allowing this activity?
> I don't know. You can try tracing your application like
> strace -e trace=socket,bind,connect,send,sendmsg /path/to/your/app
> to find what is happening.

I will do that, yes; it is just Thunderbird or Firefox though. For every new TCP
connection it does that.

>> Could it not be misused to communicate externally on port 0?
> I think it is impossible to communicate with destination port == 0.

It is definitely possible to communicate on port 0, both UDP and TCP (the hping
tool does that, for example, for network OS fingerprinting and other tricks);
that's why I am not comfortable allowing UDP port 0 for every outgoing TCP
connection needed.

Regards,
Milton.
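The following is an added example, not code from the thread or from the TOMOYO project. It demonstrates the syscall semantics Tetsuo describes: connect() on a SOCK_DGRAM socket records a default destination and makes the kernel choose a source address and ephemeral source port, but transmits nothing, and it is this connect() that TOMOYO reports as "network inet dgram send <addr> <port>". The destination 127.0.0.1 with port 0 is a constructed input chosen to mirror the logged pattern; port 0 is accepted by connect() on a datagram socket on Linux. As background not stated in the thread, one well-known producer of exactly this pattern is glibc's getaddrinfo(), which connect()s a throwaway UDP socket to each candidate address (port 0 when no service is given) and calls getsockname() to learn the source address for result sorting, so seeing it once per new TCP connection is consistent with name resolution rather than with data being sent to port 0. A defender who wants to confirm that nothing leaves the host can run the program under strace (as suggested above) and watch for the absence of any send/sendto/sendmsg call.

```c
/* Added example: what connect() on a UDP socket actually does.
 * It sets the default destination and triggers source-address selection;
 * no datagram is transmitted.  Not part of TOMOYO or of the thread. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What the kernel associated with the socket after connect(). */
struct dgram_probe {
    int ok;                         /* 1 if connect() succeeded */
    char src_addr[INET_ADDRSTRLEN]; /* source address chosen by the kernel */
    unsigned short src_port;        /* ephemeral port auto-bound by the kernel */
};

/* connect() a throwaway UDP socket to dst:port and read back the local
 * address the kernel selected.  This is the syscall sequence that TOMOYO
 * logs as "network inet dgram send dst port".  Returns 0 on success,
 * -1 if the socket cannot be created, dst is malformed, or connect() fails. */
int probe_udp_connect(const char *dst, unsigned short port, struct dgram_probe *out)
{
    struct sockaddr_in sin, local;
    socklen_t len = sizeof(local);
    int fd;

    memset(out, 0, sizeof(*out));
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);            /* port 0 is accepted here */
    if (inet_pton(AF_INET, dst, &sin.sin_addr) != 1) {
        close(fd);
        return -1;
    }

    /* For SOCK_DGRAM this only does a route lookup and stores the peer;
     * nothing is put on the wire. */
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    out->ok = 1;

    /* The kernel has now picked a source address and an ephemeral port. */
    if (getsockname(fd, (struct sockaddr *)&local, &len) == 0) {
        inet_ntop(AF_INET, &local.sin_addr, out->src_addr, sizeof(out->src_addr));
        out->src_port = ntohs(local.sin_port);
    }
    close(fd);
    return 0;
}

int main(void)
{
    struct dgram_probe p;

    /* Constructed destination: loopback, port 0, mirroring the log line. */
    if (probe_udp_connect("127.0.0.1", 0, &p) == 0)
        printf("kernel chose source %s:%u for destination 127.0.0.1:0\n",
               p.src_addr, p.src_port);
    else
        perror("probe_udp_connect");
    return 0;
}
```

Running it under `strace -e trace=socket,bind,connect,send,sendto,sendmsg ./probe` shows a socket() and a connect() but no send family call, which is the check that separates "destination association" from actual traffic to port 0 when deciding whether such a log entry deserves an allow rule.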