Re: RFC: Network privilege separation.

From: Oliver Hartkopp
Date: Thu Jan 08 2009 - 02:06:00 EST


Andi Kleen wrote:
> On Wed, Jan 07, 2009 at 09:31:11PM -0500, Michael Stone wrote:
>> * so far as I know, netfilter is only commonly used to filter IP traffic. Can
>> I really use it to limit connections to abstract unix sockets?
>
> No you can't. But is that really your requirement? Why limit Unix
> sockets and not e.g. named pipes? Unix sockets do not talk to the network.
>
> I suppose I don't understand your requirements very well.

I think it would be very interesting for PF_CAN sockets also.
CAN has no IP at all and the suggested idea of 'self-limiting' a user process to use only the already open sockets could be a way to address the use-cases Michael stated in his RFC.

Regards,
Oliver