upvote

points

by mixedbit12 hours ago |
comments
upvoteby littlesnitch11 hours ago|
next
[-]
It depends. Little Snitch for Linux has a two level namespace for processes. It takes the process doing the connection and its parent process into account when evaluating rules.

Also: If an interpreter is run via `#!/bin/interpreter` in the script binary, it makes the rule for the script file path, not the interpreter. This does not work when running the script as `interpreter script`, though.

reply
upvoteby arsome8 hours ago|
prev|
next
[-]
This gets even more involved when you consider things like loading libraries, there's also the impact of calls like OpenProcess/WriteProcessMemory/CreateRemoteThread (Windows-land versions, though I'm sure similar exists elsewhere).

The "good" Windows firewalls like Outpost and Zone Alarm used to have features to catch this, they'd detect when a process tried to invoke or open a running process which had internet access. They'd also do things like detect when a process tried to write a startup item. This went by names like "Leak Control" but it was basically providing near-complete HIDS features with local control.

reply
upvoteby zamadatix12 hours ago|
prev|
next
[-]
With the literal rules described it would not be blocked. A more detailed rule (in Open Snitch at least, not as familiar with the other variants) could match e.g. whether the process's parent tree contained the python binary rather than just if python is the process binding the socket.
reply
upvoteby mixedbit12 hours ago|
parent|
next
[-]
OK, I see, so a limitation is also that I cannot block an individual script, I need to block a Python interpreter.
reply
upvoteby zamadatix11 hours ago|
parent|
[-]
Not necessarily (with Open Snitch at least), it just depends how complex you want to make your firewall rules and what the specific goal is (block this specific script, block scripts which try to do this activity, block connection to evil.net, block python scripts, etc).

The more granular one gets the more likely they aren't really meaning to ask how to do it in the firewall layer though. E.g. if we take it further to wanting to prevent python -c "specific logic" it's clearer what you can do in the firewall is not necessarily the same as what's practical or useful.

reply
upvoteby duskdozer12 hours ago|
parent|
prev|
[-]
Would it silently allow or would you still get the notif or whatever (iirc from littlesnitch years ago)?
reply
upvoteby zamadatix11 hours ago|
parent|
[-]
The allow rule for Firefox is what would suppress the prompt. You probably don't want to have a prompt for every Firefox connection though, so you'd need to come up with some kind of ruleset (or get very annoyed :D).
reply
upvoteby Joel_Mckay10 hours ago|
prev|
[-]
The SELinux MAC policy should restrict which files and ports each process may access. In general, most modern distro have this feature, but normal users do not go through the rules training and default enable flag setup. =3
reply