From: Cong Wang <amwang@redhat.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, opurdila@ixiacom.com,
eric.dumazet@gmail.com, linux-rdma@vger.kernel.org,
netdev@vger.kernel.org, nhorman@tuxdriver.com,
linux-sctp@vger.kernel.org, davem@davemloft.net
Subject: Re: [RFC Patch v2] net: reserve ports for applications using fixedport numbers
Date: Mon, 08 Feb 2010 11:15:59 +0800 [thread overview]
Message-ID: <4B6F81EF.4070103@redhat.com> (raw)
In-Reply-To: <201002052021.CIC81776.QVSMJOLtFOFFHO@I-love.SAKURA.ne.jp>
Tetsuo Handa wrote:
> Cong Wang wrote:
>> Oh, IIUC, TOMOYO is something like SELinux?
>
> Yes. It is a policy based mandatory access control implementation which is
> applied to not only non root users but also root user. If MAC is enabled,
> root user cannot freely modify via sysctl() or /proc/sys interface.
>
>> So, it is somewhat weird to let users to use TOMOYO to reserve
>> the ports with MAC.
>
> To add reserved port
>
> echo deny_autobind 0-1023 | ccs-loadpolicy -e
> echo deny_autobind 3128 | ccs-loadpolicy -e
> echo deny_autobind 8080 | ccs-loadpolicy -e
>
> and to delete reserved port
>
> echo delete deny_autobind 0-1023 | ccs-loadpolicy -e
> echo delete deny_autobind 3128 | ccs-loadpolicy -e
> echo delete deny_autobind 8080 | ccs-loadpolicy -e
>
> That's all. Quite easy.
Hmm, but you are solving a non-security problem with a security
tool, doesn't this look weird? ;-)
>
>> For normal users /proc interface seems more friendly.
>
> I think /proc/sys/net/ipv4/ip_local_reserved_ports interface wants
> "struct list_head" for handling multiple sets of min/max pairs. I'm using
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/autobind.c#L29
> for that purpose.
Yes, but I didn't plan to add multiple range support for
ip_local_reserved_ports, like ip_local_port_range.
Having that will be better but needs more efforts.
Thanks.
WARNING: multiple messages have this Message-ID (diff)
From: Cong Wang <amwang@redhat.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, opurdila@ixiacom.com,
eric.dumazet@gmail.com, linux-rdma@vger.kernel.org,
netdev@vger.kernel.org, nhorman@tuxdriver.com,
linux-sctp@vger.kernel.org, davem@davemloft.net
Subject: Re: [RFC Patch v2] net: reserve ports for applications using fixedport
Date: Mon, 08 Feb 2010 03:15:59 +0000 [thread overview]
Message-ID: <4B6F81EF.4070103@redhat.com> (raw)
In-Reply-To: <201002052021.CIC81776.QVSMJOLtFOFFHO@I-love.SAKURA.ne.jp>
Tetsuo Handa wrote:
> Cong Wang wrote:
>> Oh, IIUC, TOMOYO is something like SELinux?
>
> Yes. It is a policy based mandatory access control implementation which is
> applied to not only non root users but also root user. If MAC is enabled,
> root user cannot freely modify via sysctl() or /proc/sys interface.
>
>> So, it is somewhat weird to let users to use TOMOYO to reserve
>> the ports with MAC.
>
> To add reserved port
>
> echo deny_autobind 0-1023 | ccs-loadpolicy -e
> echo deny_autobind 3128 | ccs-loadpolicy -e
> echo deny_autobind 8080 | ccs-loadpolicy -e
>
> and to delete reserved port
>
> echo delete deny_autobind 0-1023 | ccs-loadpolicy -e
> echo delete deny_autobind 3128 | ccs-loadpolicy -e
> echo delete deny_autobind 8080 | ccs-loadpolicy -e
>
> That's all. Quite easy.
Hmm, but you are solving a non-security problem with a security
tool, doesn't this look weird? ;-)
>
>> For normal users /proc interface seems more friendly.
>
> I think /proc/sys/net/ipv4/ip_local_reserved_ports interface wants
> "struct list_head" for handling multiple sets of min/max pairs. I'm using
> http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/autobind.c#L29
> for that purpose.
Yes, but I didn't plan to add multiple range support for
ip_local_reserved_ports, like ip_local_port_range.
Having that will be better but needs more efforts.
Thanks.
next prev parent reply other threads:[~2010-02-08 3:15 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-04 10:12 [RFC Patch v2] net: reserve ports for applications using fixed port numbers Amerigo Wang
2010-02-04 10:12 ` Amerigo Wang
[not found] ` <20100204101533.4619.34599.sendpatchset-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>
2010-02-04 10:59 ` Tetsuo Handa
2010-02-04 10:59 ` Tetsuo Handa
2010-02-04 10:59 ` Tetsuo Handa
2010-02-05 4:41 ` Cong Wang
2010-02-05 4:41 ` [RFC Patch v2] net: reserve ports for applications using fixed Cong Wang
2010-02-05 11:21 ` [RFC Patch v2] net: reserve ports for applications using fixedport numbers Tetsuo Handa
2010-02-05 11:21 ` Tetsuo Handa
2010-02-08 3:15 ` Cong Wang [this message]
2010-02-08 3:15 ` [RFC Patch v2] net: reserve ports for applications using fixedport Cong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B6F81EF.4070103@redhat.com \
--to=amwang@redhat.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=opurdila@ixiacom.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.