- priority: 5 --> 2
To provide better control over which users (and thus hopefully applications) can do what with ipfilter, it is therefore desirable to be able to turn on or off each ioctl.
For example, an application running as a transparent proxy only needs access to one or two specific ioctls, but at present, allowing it to run would also give it the ability to flush all the NAT tables, etc. There's no confinement of ability.
Thus it would seem useful to be able to include something like this in ipf.conf:
add_perm allow uid(101), gid(0), dev(ipnat), op(lookup);
add_perm deny uid(101), gid(*), dev(*), op(*);
Additionally, doing a "flush all" (ipf -Fa) would be expected to remove all of these. To flush only the permissions, we would perhaps need "ipf -Fp".
Of course, that could itself be prohibited with:
add_perm deny uid(*), gid(*), dev(ipf), op(flush);
So what would you need to add to the end of ipf.conf to prevent the rules from being removed or ipfilter disabled?
# prevent "ipf -s" from working
add_perm deny uid(*), gid(*), dev(ipf), op(swap_active);
# prevent "ipf -E" or "ipf -D" from working
add_perm deny uid(*), gid(*), dev(ipf), op(enable);
# prevent rules being added with "ipf -f"
add_perm deny uid(*), gid(*), dev(ipf), op(rule_add);
# prevent rules being removed with "ipf -rf"
add_perm deny uid(*), gid(*), dev(ipf), op(rule_remove);
# prevent all of these ACLs from being changed:
add_perm deny uid(*), gid(*), dev(ipf), op(permission);
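To make the semantics of the proposal concrete, here is an added example (my code, not part of the proposal or of IPFilter) that parses add_perm lines in the syntax sketched above and evaluates an ioctl request against them. Two things are assumptions on my part rather than anything the proposal states: rules are checked in file order and the first match wins, and a request that matches no rule stays permitted (the proposal's reliance on trailing "deny uid(*)" lines to lock operations down only makes sense if the default is the current unrestricted behaviour). The sample configuration combines the proxy rules and the lock-down block from the text.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Grammar of one proposed add_perm line:
#   add_perm allow|deny uid(<n>|*), gid(<n>|*), dev(<name>|*), op(<name>|*);
# Field and operation names are taken from the proposal above; the grammar
# itself is my reading of it, not an official ipf.conf syntax.
RULE_RE = re.compile(
    r"^add_perm\s+(allow|deny)\s+"
    r"uid\((\*|\d+)\)\s*,\s*"
    r"gid\((\*|\d+)\)\s*,\s*"
    r"dev\((\*|\w+)\)\s*,\s*"
    r"op\((\*|\w+)\)\s*;\s*$"
)


@dataclass(frozen=True)
class PermRule:
    action: str   # "allow" or "deny"
    uid: str      # numeric uid as a string, or "*"
    gid: str      # numeric gid as a string, or "*"
    dev: str      # device the ioctl is issued on, e.g. "ipf" or "ipnat", or "*"
    op: str       # ioctl class, e.g. "lookup", "flush", "swap_active", or "*"

    def matches(self, uid: int, gid: int, dev: str, op: str) -> bool:
        """A wildcard matches anything; otherwise the field must match exactly."""
        wanted = ((self.uid, uid), (self.gid, gid), (self.dev, dev), (self.op, op))
        return all(pat == "*" or pat == str(val) for pat, val in wanted)


def parse_perm_rules(conf: str) -> List[PermRule]:
    """Parse add_perm lines in order, skipping blank lines and '#' comments.

    A line that is not a well-formed add_perm rule is rejected instead of being
    skipped: a permission file that half-loads is worse than one that refuses
    to load at all.
    """
    rules: List[PermRule] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse permission rule: {raw!r}")
        rules.append(PermRule(*m.groups()))
    return rules


def decide(rules: List[PermRule], uid: int, gid: int, dev: str, op: str
           ) -> Tuple[bool, Optional[PermRule]]:
    """First matching rule wins; returns (permitted, rule that decided it).

    Assumption: a request that matches no rule is permitted, which is the
    unrestricted behaviour the proposal's trailing deny rules are meant to
    override.
    """
    for rule in rules:
        if rule.matches(uid, gid, dev, op):
            return rule.action == "allow", rule
    return True, None


def is_permitted(rules: List[PermRule], uid: int, gid: int, dev: str, op: str) -> bool:
    return decide(rules, uid, gid, dev, op)[0]


# Constructed sample: the proxy rules plus the lock-down block from the text.
EXAMPLE_CONF = """
add_perm allow uid(101), gid(0), dev(ipnat), op(lookup);
add_perm deny uid(101), gid(*), dev(*), op(*);
add_perm deny uid(*), gid(*), dev(ipf), op(flush);
# prevent "ipf -s" from working
add_perm deny uid(*), gid(*), dev(ipf), op(swap_active);
# prevent "ipf -E" or "ipf -D" from working
add_perm deny uid(*), gid(*), dev(ipf), op(enable);
# prevent rules being added with "ipf -f"
add_perm deny uid(*), gid(*), dev(ipf), op(rule_add);
# prevent rules being removed with "ipf -rf"
add_perm deny uid(*), gid(*), dev(ipf), op(rule_remove);
# prevent all of these ACLs from being changed:
add_perm deny uid(*), gid(*), dev(ipf), op(permission);
"""

if __name__ == "__main__":
    rules = parse_perm_rules(EXAMPLE_CONF)
    requests = [(101, "ipnat", "lookup"), (101, "ipnat", "flush"),
                (0, "ipf", "flush"), (0, "ipnat", "lookup"), (0, "ipf", "permission")]
    for who, dev, op in requests:
        ok, rule = decide(rules, who, 0, dev, op)
        print(f"uid={who} {dev}:{op} -> {'allow' if ok else 'deny'} via {rule}")
```

Running it shows the confinement the proposal is after: uid 101 can do the one lookup it needs on ipnat, every other ioctl it attempts is denied by the second rule, and nobody (root included) can flush, swap, enable, add or remove rules, or edit the permission table itself on ipf. The last point is worth noticing: because op(permission) is denied for everyone, the ACL can only be changed by editing ipf.conf and rebooting, which is exactly the "set once at boot, then lock" posture the text describes.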