2002-09-29 14:44:19

by Olaf Dietsche

[permalink] [raw]
Subject: Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2

James Morris <[email protected]> writes:

> On Fri, 27 Sep 2002, Greg KH wrote:
>> As for the ip_prot_sock hook in general, does it look ok to the other
>> developers?
> This hook is not necessary: any related access control decision can be
> made via the more generic and flexible socket_bind() hook (like SELinux).

AFAICS, it looks like you can make _additional_ checks only. You still
have to grant CAP_NET_BIND_SERVICE for binding to ports below PROT_SOCK.
So, this doesn't look like a viable solution for me.

Anyway, thanks for this pointer, I'll look into socket_bind().

Regards, Olaf.