From: Victor Porton <porton@narod.ru>
To: William Roberts <bill.c.roberts@gmail.com>
Cc: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: Restrict to a fixed Internet domain in a sandbox
Date: Thu, 09 Jan 2014 19:19:42 +0200 [thread overview]
Message-ID: <43611389287982@web25g.yandex.ru> (raw)
In-Reply-To: <CAFftDdp_crpiVmPZhwkDyRQqX4NhKOuxeP4=_P2KShXVv_aJtQ@mail.gmail.com>
09.01.2014, 19:03, "William Roberts" <bill.c.roberts@gmail.com>:
> Could you just do this with normal iptables rules? Optionally using
> labeled networking to label packets coming in.
It could be done with iptables, but:
1. My application would need root access to manipulate netfilter. It is not acceptable.
2. Even if my application has permissions enough to manipulate iptables, rules automatically created by it would interfere with customary way system administrators manually edit iptables script. It is very bad (and possibly may even impose a security treat).
I am about a quite particular application I am going to write, and I now am writing its algorithm specification. Not to turn my application into spam mail bomber or something similar, I really need to restrict to a fixed domain as a security measure. It is important. It is done in JavaScript and Java, obviously SELinux should not be behind JavaScript and Java in security.
> On Thu, Jan 9, 2014 at 8:59 AM, Victor Porton <porton@narod.ru> wrote:
>
>> 09.01.2014, 18:39, "Victor Porton" <porton@narod.ru>:
>>> I remind that sandbox is implemented in Fedora using SELinux.
>>>
>>> It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>>
>>> It seems it is impossible with current SELinux.
>>>
>>> Could you add necessary features? Please!
>> You could add a syscall like:
>>
>> int selinux_restrict_domain(const char *domain);
>>
>> (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
--
Victor Porton - http://portonvictor.org
next prev parent reply other threads:[~2014-01-09 17:19 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-01-09 16:37 Restrict to a fixed Internet domain in a sandbox Victor Porton
2014-01-09 16:59 ` Victor Porton
2014-01-09 17:03 ` William Roberts
2014-01-09 17:19 ` Victor Porton [this message]
2014-01-09 17:34 ` William Roberts
2014-01-09 18:28 ` Victor Porton
2014-01-09 18:59 ` Victor Porton
2014-01-09 19:18 ` Victor Porton
2014-01-09 19:22 ` Victor Porton
2014-01-09 19:25 ` Stephen Smalley
2014-01-09 19:31 ` Victor Porton
2014-01-09 19:34 ` Stephen Smalley
2014-01-09 19:44 ` Victor Porton
2014-01-09 19:58 ` Victor Porton
2014-01-09 20:06 ` Stephen Smalley
2014-01-09 20:14 ` Victor Porton
2014-01-09 20:21 ` Stephen Smalley
2014-01-10 18:41 ` Victor Porton
2014-01-10 18:47 ` Stephen Smalley
2014-01-10 18:53 ` Victor Porton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43611389287982@web25g.yandex.ru \
--to=porton@narod.ru \
--cc=bill.c.roberts@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.