Ahh.. thanks Paul!
Is there a better way to intercept outbound network access calls while
avoiding af_unix?
I assume sockaddr_storage is just a different size (I think 128?)
Thanks
Farhan
On Thursday, February 5, 2015, Paul Moore <paul(a)paul-moore.com> wrote:
On Wed, Feb 4, 2015 at 8:19 PM, F Rafi <farhanible(a)gmail.com> wrote:
> After some log analysis it looks like filtering on "a2=10" only shows
> network activity. From what I understand, this is the address length (int
> addrlen) argument in the sys_connect function.
>
> Traced it down to this comment in socket.c. Sounds like filtering for a2=10
> and a2=18 (to account for IPv6) may work.
>
> #define MAX_SOCK_ADDR 128 /* 108 for Unix domain -
>                              16 for IP, 16 for IPX,
>                              24 for IPv6,
>                              about 80 for AX.25
>                              must be at least one bigger than
>                              the AF_UNIX size (see net/unix/af_unix.c
>                              :unix_mkname()).
>                            */
>
> 10 hex = 16 dec and 18 hex = 24 dec
>
> I hope someone can correct me if I sound like I'm not all there.
[Ooops, hit "reply" instead of "reply-to-all"]
A few things come to mind with this approach:
* This will not work on x86 due to the socketcall() syscall multiplexer.
* This doesn't solve the problem for applications that leverage the
address family independent sockaddr_storage structure.
--
paul moore
www.paul-moore.com
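The following is an added example, not code from the thread, from auditd or from the kernel. It makes the addrlen discussion concrete: it reports what a caller actually passes as connect()'s third argument, which is the value an audit rule's -F a2= filter compares against, for the families named in the socket.c comment, and runs the proposed a2=0x10 / a2=0x18 filter against each. The sizes come from the build host's own headers (this assumes Linux with glibc or musl on a 64-bit target, where connect() is a real syscall rather than a socketcall() multiplex); the 127.0.0.1:443 destination is a constructed value. On such a host it reports 16 for sockaddr_in, 28 for sockaddr_in6 (sin6_scope_id makes the structure larger than the 24 quoted in the old comment), 110 for sockaddr_un (callers normally pass a shorter, path-dependent length), and 128 for sockaddr_storage. The last case is Paul's second point: an application that builds its address in a sockaddr_storage and passes sizeof(storage) makes an IPv4 connect() with a2=0x80, which the length filter never sees, even though the family field inside the buffer says AF_INET.

```c
/* Added example (not from the thread or the kernel): what connect()'s
 * addrlen argument, i.e. the audit "a2" field, carries per address family,
 * and how the proposed "a2=0x10 or a2=0x18" filter fares against each.
 * Assumes Linux with glibc/musl on a 64-bit target. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Length a family-specific caller passes as connect()'s third argument. */
size_t addrlen_inet(void)    { return sizeof(struct sockaddr_in); }
size_t addrlen_inet6(void)   { return sizeof(struct sockaddr_in6); }
size_t addrlen_storage(void) { return sizeof(struct sockaddr_storage); }

/* "108 for Unix domain" in the socket.c comment is the sun_path capacity;
 * sizeof(struct sockaddr_un) adds the 2-byte family field on top of it. */
size_t sun_path_capacity(void)
{
    return sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* AF_UNIX callers normally pass offsetof(sun_path) + strlen(path) + 1,
 * so a2 varies with the socket path length rather than being fixed. */
size_t addrlen_unix(const char *path)
{
    return offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1;
}

/* The filter discussed in the thread, as auditctl would apply it to the
 * raw third argument: -F a2=0x10 (16) or -F a2=0x18 (24). */
int proposed_filter_matches(size_t addrlen)
{
    return addrlen == 0x10 || addrlen == 0x18;
}

/* The family lives inside the buffer; the a2 filter only sees its length. */
int family_of(const struct sockaddr *sa)
{
    return sa->sa_family;
}

/* An application written against sockaddr_storage fills the big buffer
 * with an IPv4 address and passes sizeof(storage) as addrlen. Returns 1 if
 * the proposed filter would catch that connect(), 0 if it slips through. */
int ipv4_via_storage_is_caught(void)
{
    struct sockaddr_storage ss;
    struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
    socklen_t addrlen = sizeof ss;          /* what the caller hands to connect() */

    memset(&ss, 0, sizeof ss);
    sin->sin_family = AF_INET;
    sin->sin_port = htons(443);             /* constructed sample destination */
    sin->sin_addr.s_addr = htonl(0x7f000001); /* 127.0.0.1 */

    /* family_of() reports AF_INET, but addrlen is 128 (0x80), not 16. */
    return family_of((struct sockaddr *)&ss) == AF_INET
           && proposed_filter_matches(addrlen);
}

int main(void)
{
    const char *path = "/tmp/x";            /* constructed AF_UNIX path */

    printf("family            addrlen  a2 filter\n");
    printf("AF_INET           %3zu      %s\n", addrlen_inet(),
           proposed_filter_matches(addrlen_inet()) ? "match" : "miss");
    printf("AF_INET6          %3zu      %s\n", addrlen_inet6(),
           proposed_filter_matches(addrlen_inet6()) ? "match" : "miss");
    printf("AF_UNIX %-9s %3zu      %s\n", path, addrlen_unix(path),
           proposed_filter_matches(addrlen_unix(path)) ? "match" : "miss");
    printf("sockaddr_storage  %3zu      %s\n", addrlen_storage(),
           proposed_filter_matches(addrlen_storage()) ? "match" : "miss");
    printf("IPv4 sent through sockaddr_storage caught by filter: %s\n",
           ipv4_via_storage_is_caught() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. The table is the check to run before committing to any a2 values on a given distribution and architecture; on 32-bit x86, where connect() goes through socketcall(), a0..a2 are the multiplexer's arguments and none of this applies.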