restrict calls to dns_servers from agent-uid

h0x0er · varunsh-coder · commit 7edc21b80b1d · 2026-02-28T08:02:40.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -19,4 +19,7 @@ coverage.txt
 .vscode/
 
 vendor
-private-src
+private-src
+
+dist
+local
diff --git a/firewall.go b/firewall.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"os"
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/pkg/errors"
@@ -77,6 +78,24 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 		}
 	}
 
+	// Agent uses HTTPs to resolve domain names
+	// Only apply UID filtering for OUTPUT chain
+	if chain == outputChain {
+		agentUID := fmt.Sprintf("%d", os.Getuid())
+		for _, dnsServer := range dnsServers {
+			err = ipt.Append(filterTable, chain, direction, netInterface,
+				"-m", "owner", "--uid-owner", agentUID,
+				protocol, tcp,
+				destination, dnsServer,
+				destinationPort, "443",
+				target, accept)
+
+			if err != nil {
+				return errors.Wrapf(err, "failed to add rule for DNS server %s", dnsServer)
+			}
+		}
+	}
+
 	for _, endpoint := range endpoints {
 		err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
 			destination, endpoint.ipAddress,
@@ -87,16 +106,6 @@ func addBlockRules(firewall *Firewall, endpoints []ipAddressEndpoint, chain, net
 		}
 	}
 
-	// Agent uses HTTPs to resolve domain names
-	for _, dnsServer := range dnsServers {
-		err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
-			destination, dnsServer, target, accept)
-
-		if err != nil {
-			return errors.Wrapf(err, "failed to add rule for DNS server %s", dnsServer)
-		}
-	}
-
 	// Allow AzureIPAddress
 	err = ipt.Append(filterTable, chain, direction, netInterface, protocol, tcp,
 		destination, AzureIPAddress, target, accept)
