Re: RFC: Network privilege separation.
From: Oliver Hartkopp
Date: Thu Jan 08 2009 - 02:06:00 EST
Andi Kleen wrote:
On Wed, Jan 07, 2009 at 09:31:11PM -0500, Michael Stone wrote:
* so far as I know, netfilter is only commonly used to filter IP traffic.
Can
I really use it to limit connections to abstract unix sockets?
No you can't. But is that really your requirement? Why limiting Unix
sockets and not e.g. named pipes? Unix sockets do not talk to the network.
I suppose I don't understand your requirements very well.
I think it would be very interesting for PF_CAN sockets also.
CAN has no IP at all and the suggested idea of 'self-limiting' a user
process to use only the already open sockets could be a way to address
the use-cases Michael stated in his RFC.
Regards,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/