Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757735AbZLMDZP (ORCPT ); Sat, 12 Dec 2009 22:25:15 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1757596AbZLMDZO (ORCPT ); Sat, 12 Dec 2009 22:25:14 -0500 Received: from lists.laptop.org ([18.85.2.145]:41618 "HELO mail.laptop.org" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with SMTP id S1756000AbZLMDZN convert rfc822-to-8bit (ORCPT ); Sat, 12 Dec 2009 22:25:13 -0500 X-Greylist: delayed 449 seconds by postgrey-1.27 at vger.kernel.org; Sat, 12 Dec 2009 22:25:13 EST From: Michael Stone Cc: Michael Stone Subject: Network isolation with RLIMIT_NETWORK, cont'd. Date: Sat, 12 Dec 2009 22:19:37 -0500 Message-Id: <1260674379-4262-1-git-send-email-michael@laptop.org> X-Mailer: git-send-email 1.5.6.5 To: linux-kernel@vger.kernel.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1886 Lines: 50 Dear lkml, A few months ago [1], I asked for feedback on a new network isolation primitive named "RLIMIT_NETWORK" designed for use with Unix sandboxing utilities like Rainbow, Plash, and friends [2]. Thank you to all those CC'ed for your helpful early remarks. Here is an updated patchset with responses to the following criticisms: 1. ptrace() It was pointed out by Alan Cox, Andi Kleen, and others that processes which dropped their RLIMIT_NETWORK rlimit were still able to directly perform networking through a ptrace()'d victim. The new patchset adds an access check to __ptrace_may_access() to prevent this behavior. 2. unshare(CLONE_NEWNET) It was pointed out by James Morris that network namespaces could be used to implement behavior similar to the behavior this patchset is designed to implement. To address this criticism, I added support for network namespaces to my sandboxing utility (Rainbow). Unfortunately, I have discovered that network namespaces in their current form are not appropriate for my use cases because they prevent the namespace'd apps from connecting to the X server, even over plain old AF_UNIX sockets. The RLIMIT_NETWORK facility I propose contains a specific exception for AF_UNIX filesystem sockets since those sockets are already bound by regular Unix discretionary access control. 3. style I have made the patches more consistent with the kernel style guidelines. Further suggestions? Michael [1] http://kerneltrap.org/mailarchive/linux-netdev/2009/1/7/4624864 [2] http://sandboxing.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/