From: Michael Stone
Subject: Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)
Date: Sun, 10 Jan 2010 18:08:39 -0500
Message-ID: <20100110230839.GB3825@heat>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Bryan Donlan, Evgeniy Polyakov, "C. Scott Ananian", James Morris, "Eric W. Biederman", Bernie Innocenti, Mark Seaborn, Randy Dunlap, Américo Wang, Tetsuo Handa, Samir Bellabes, Casey Schaufler, "Serge E. Hallyn", Pavel Machek
To: Kyle Moffett
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: linux-security-module-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Paraphrasing Kyle:

> Suppose there exist PAM modules which lazily fork background processes. Now
> assume that one of those PAM modules is hooked from /etc/pam.d/su, that the
> module fails closed when the network is unavailable, and that Mallory wins
> the race to start the daemon. Boom.

I'm not disagreeing that there are configurations of programs, written for
kernels without disablenetwork, which cease to be correct on kernels that
provide it.

However, all this says to me is that people who need to use those
configurations probably shouldn't use disablenetwork. (Or that we haven't
found exactly the right semantics for disablenetwork yet.)

Let's keep working on it.

Michael