From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: 'Richard Haines' <richard_c_haines@btinternet.com>,
"selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support
Date: Fri, 16 Dec 2016 13:40:40 +0000 [thread overview]
Message-ID: <20161216134039.GD4731@localhost.localdomain> (raw)
In-Reply-To: <063D6719AE5E284EB5DD2968C1650D6DB023F752@AcuExch.aculab.com>
On Wed, Dec 14, 2016 at 02:01:35PM +0000, David Laight wrote:
> From: Richard Haines
> > Sent: 14 December 2016 13:40
> > Add SELinux support for the SCTP protocol. The SELinux-sctp.txt document
> > describes how the patch has been implemented with an example policy and
> > tests using lkstcp-tools.
> ...
> > +SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
> > + associated after (optionally) calling bind(2)
> > + if given the "bind_add" permission.
>
> Does restricting bindx make any sense at all?
> The only addresses than can be specified are those of local interfaces.
> If bindx isn't called then the default is to include the addresses of
> all local interfaces.
> So bindx only actually removes local addresses, it doesn't add them.
You could bind the socket while on a priviledged process and then drop
the priviledges, like daemons do for binding on lower ports. Then the
application wouldn't be able to bind on another address that it's not
expected to.
Marcelo
next prev parent reply other threads:[~2016-12-16 13:40 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-14 13:39 [RFC PATCH 1/1] kernel: Add SELinux SCTP protocol support Richard Haines
2016-12-14 14:01 ` David Laight
2016-12-16 13:40 ` Marcelo Ricardo Leitner [this message]
2016-12-21 12:26 ` Richard Haines
2016-12-14 17:02 ` Casey Schaufler
2016-12-16 13:31 ` Richard Haines
2016-12-14 18:34 ` Stephen Smalley
2017-01-23 13:19 ` Richard Haines
2017-01-23 18:58 ` marcelo.leitner
2016-12-21 16:09 ` Marcelo Ricardo Leitner
2017-02-06 14:30 ` Richard Haines
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161216134039.GD4731@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=David.Laight@ACULAB.COM \
--cc=linux-sctp@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=richard_c_haines@btinternet.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).