From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface.
Date: Sat, 19 Dec 2009 12:02:05 +0000 (UTC)
Message-ID: <hgifbt$mme$1@taverner.cs.berkeley.edu>
In-Reply-To: 20091218094955.32938765@nehalam
Stephen Hemminger wrote:
>Michael Stone <michael@laptop.org> wrote:
>> 5. Linux today has pretty good support for controlling the creation of
>> channels involving the filesystem and involving shared daemons. It has
>> mediocre support for access control involving sysv-ipc
>> mechanisms. It has
>> terrible support for access control involving non-local principals like
>> "the collection of people and programs receiving packets sent to
>> destination 18.0.0.1:80 from source 192.168.0.3:34661".
>
>The policy control for this is done today on linux via the firewalling
>infrastructure.
I don't know of any reasonable way to introduce firewall rules
that apply only to a specific process; nor do I know of any way
for a user-level (non-root) process to specify and apply such
rules. So it doesn't sound to me like the firewalling infrastructure
meets the requirements for which this patch was introduced. Or did
I miss something?