
>if only iptables would allow to filter by the executable path and other process parameters

The problem going down that route is that implementing this opens a huge can of worms. That stuff is easy to spoof, you have to account for thousands of edge cases. It's not for nothing that the answer to "can I know the full path of the binary that was used to spawn <process>?" is generally "it depends" or "it's complicated". And let's not even bring up what happens for interpreters for instance. Parameters are also often easy to spoof and manipulate, although in this case I suppose the kernel could just keep a protected copy of the original parameters for that purpose.

I completely get why you want that though, and it would be a great feature to have indeed, but I also completely understand why kernel devs don't want to touch that with a ten foot pole.



I think it's a great idea; most apps will not want to spoof the firewall. So while it may not be secure, it would be very helpful for user-controlled privacy.


Errr... the general answer to "can I know the full path of the binary that was used to spawn <process>?" is "sure, just `readlink /proc/<process>/exe`".


Yeah, until the program deletes itself from disk on launch.


Or edits that value.
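An added example, not code from any commenter in this thread, that runs the `readlink /proc/<pid>/exe` check from the comments above across every process and flags those where the kernel reports the backing file as unlinked (the self-deleting case mentioned above). The `proc_root` parameter exists so the functions can be pointed at a constructed directory tree; the `(deleted)` suffix is what the Linux kernel appends to the link target when the file has been removed.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Linux appends this marker to /proc/<pid>/exe when the file was unlinked.
DELETED_SUFFIX = " (deleted)"


@dataclass
class ExeInfo:
    pid: int
    link_target: Optional[str]  # raw readlink() result, None if unreadable
    path: Optional[str]         # target with the " (deleted)" marker stripped
    deleted: bool               # kernel says the backing file is gone
    readable: bool              # False for kernel threads / missing ptrace access


def classify_exe_link(target: str) -> Tuple[str, bool]:
    """Split a /proc/<pid>/exe link target into (path, deleted).

    Only the trailing marker is stripped, so a path that legitimately
    contains the text " (deleted)" earlier is left alone.
    """
    if target.endswith(DELETED_SUFFIX):
        return target[: -len(DELETED_SUFFIX)], True
    return target, False


def inspect_process(pid: int, proc_root: str = "/proc") -> ExeInfo:
    """Resolve the exe link of one process under proc_root (assumed layout)."""
    link = os.path.join(proc_root, str(pid), "exe")
    try:
        target = os.readlink(link)
    except OSError:
        # Kernel threads have no exe; other users' processes need ptrace rights.
        return ExeInfo(pid, None, None, False, False)
    path, deleted = classify_exe_link(target)
    return ExeInfo(pid, target, path, deleted, True)


def find_unlinked_executables(proc_root: str = "/proc") -> List[ExeInfo]:
    """Return processes whose executable was deleted after launch.

    Caveat from the thread: a hit is a signal, not proof. A package upgrade
    that replaced a running daemon's binary produces the same marker, and
    the path itself is still not a trustworthy basis for firewall policy.
    """
    findings = []
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            info = inspect_process(int(entry), proc_root)
            if info.deleted:
                findings.append(info)
    return findings


if __name__ == "__main__":
    for info in find_unlinked_executables():
        print(f"pid {info.pid}: exe unlinked, last known path {info.path}")
```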



