role_allow_ip 127.0.0.6 ?

Submit your RBAC policies or suggest policy improvements

role_allow_ip 127.0.0.6 ?

Postby countermode » Sat Apr 12, 2014 7:26 pm

Hello,

in learning mode I frequently find role definitions with role attribute like
role_allow_ip 127.0.0.6

when in fact I have logged in via IPv6. Is this the way how a policy can express this (until proper IPv6 addressing is introduced)?


Regards
countermode
 
Posts: 27
Joined: Mon Sep 16, 2013 6:59 pm

Re: role_allow_ip 127.0.0.6 ?

Postby christian. » Thu Nov 06, 2014 4:28 pm

Hey there,

had the same question, and found my answer with a bit of kernel code surfing.

It doesn't matter if you connect locally [::1] or remotely, the source IPv4 is always "127.0.0.6" if you actually connect via IPv6.

Though this is not the doing of Grsecurity. You can see the definition of the constant LOOPBACK4_IPV6 in the kernel tree and that it is set as the IPv4 source address when a IPv6 connection are established (for example in "/usr/src/linux/net/ipv6/tcp_ipv6.c")

So to answer your question: Probably the way to go until IPv6 is supported, since that constant is in the kernel source code for a long time now -- at least 9 years ...

Bye, Christian
christian.
 
Posts: 4
Joined: Sun Dec 02, 2012 10:41 am


Return to RBAC policy development

cron