To: linux-kernel@vger.kernel.org
Path: not-for-mail
From: daw@cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.linux-kernel
Subject: Re: [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface.
Date: Sat, 19 Dec 2009 12:02:05 +0000 (UTC)
Organization: University of California, Berkeley
Message-ID: <hgifbt$mme$1@taverner.cs.berkeley.edu>
References: <20091218030056.GC3047@heat> <20091218094955.32938765@nehalam>
Reply-To: daw-news@taverner.cs.berkeley.edu (David Wagner)
NNTP-Posting-Host: taverner.cs.berkeley.edu
NNTP-Posting-Date: Sat, 19 Dec 2009 12:02:05 +0000 (UTC)
Originator: daw@taverner.cs.berkeley.edu (David Wagner)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1212
Lines: 19

Stephen Hemminger  wrote:
>Michael Stone <michael@laptop.org> wrote:
>>    5. Linux today has pretty good support for controlling the creation of
>>       channels involving the filesystem and involving shared daemons. It has
>>       mediocre support for access control involving sysv-ipc
>mechanisms. It has
>>       terrible support for access control involving non-local principals like
>>       "the collection of people and programs receiving packets sent to
>>       destination 18.0.0.1:80 from source 192.168.0.3:34661".
>
>The policy control for this is done today on linux via the firewalling
>infrastructure.

I don't know of any reasonable way to introduce firewall rules
that apply only to a specific process; nor do I know of any way
for a user-level (non-root) process to specify and apply such
rules.  So it doesn't sound to me like the firewalling infrastructure
meets the requirements for which this patch was introduced.  Or did
I miss something?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/