Re: disablenetwork (v5) patches

From: Kyle Moffett
Date: Sun Jan 17 2010 - 01:08:58 EST


On Fri, Jan 15, 2010 at 03:10, Michael Stone <michael@xxxxxxxxxx> wrote:
> As promised, here are patches implementing and documenting a CAP_SETPCAP-gated
> "enable" bit along with a couple of other tweaks discussed earlier in the
> thread. For ease of development and review, the following four patches
> extend the disablenetwork (v4) patch series rather than replacing it.

To be honest, I'm still not convinced that this is the right way to
approach your problem. I think you would be much better off with
something analogous to the stripped-down SELinux policy I sent in an
earlier email (150 lines, give or take). By using the appropriate
SELinux hooks you can obtain the *exact* same enforcement, but without
adding any code to the kernel.

I have some time this week to split out my SELinux policy build
machinery; I will pull out a standalone set of files to build the
policy and do some extra testing on one of my bog-standard Debian
boxes and then send it all out again.

Cheers,
Kyle Moffett
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
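The kind of policy the reply alludes to is not on this page, so the following is an added sketch, not Kyle Moffett's 150-line policy and not anything from the disablenetwork series. It assumes a hypothetical confined domain `nonet_t` with entry-point type `nonet_exec_t`, that the caller runs as `unconfined_t`/`unconfined_r` on a Reference Policy based system, and that "no network" is taken to mean "no rule ever grants the domain creation of an IP, raw, packet or netlink socket" while Unix-domain IPC is left alone. Both a transition-on-exec path and a `setcon(3)` dyntransition path are shown, the latter being the closest analog to a process restricting itself.

```selinux
# nonet.te: hypothetical policy module illustrating a no-network domain.
# Not the policy discussed in the thread; names and semantics are assumed.
module nonet 1.0;

require {
    type unconfined_t;
    role unconfined_r;
    attribute domain;
    attribute file_type;
    attribute exec_type;
    class process { transition dyntransition setcurrent sigchld };
    class file { read getattr open execute entrypoint };
    class tcp_socket create;
    class udp_socket create;
    class rawip_socket create;
    class packet_socket create;
    class netlink_socket create;
    class socket create;
}

# A domain whose only distinguishing property is that nothing in the
# policy grants it a network socket. SELinux is default-deny, so the
# absence of allow rules is already the enforcement; the neverallow at
# the bottom turns that absence into a checked assertion.
type nonet_t;
typeattribute nonet_t domain;
role unconfined_r types nonet_t;

# Entry point for the exec-based path (label a binary with
# "chcon -t nonet_exec_t /path/to/bin").
type nonet_exec_t;
typeattribute nonet_exec_t file_type, exec_type;
allow nonet_t nonet_exec_t : file { read getattr open execute entrypoint };

# Path 1: automatic domain transition when unconfined_t execs a
# binary labelled nonet_exec_t.
allow unconfined_t nonet_exec_t : file { read getattr open execute };
allow unconfined_t nonet_t : process transition;
type_transition unconfined_t nonet_exec_t : process nonet_t;
allow nonet_t unconfined_t : process sigchld;

# Path 2: a running unconfined_t process confines itself with
# setcon("unconfined_u:unconfined_r:nonet_t:s0"). The kernel requires
# setcurrent on the caller and dyntransition to the target domain.
allow unconfined_t self : process setcurrent;
allow unconfined_t nonet_t : process dyntransition;

# Compile/link-time assertion: if any rule in the linked policy lets
# nonet_t create one of these socket classes, the module refuses to
# load instead of silently widening the domain.
neverallow nonet_t * : { tcp_socket udp_socket rawip_socket
                         packet_socket netlink_socket socket } create;
```

Build and load with the standard tooling (`checkmodule -M -m -o nonet.mod nonet.te`, `semodule_package -o nonet.pp -m nonet.mod`, `semodule -i nonet.pp`); the `neverallow` is evaluated when the module is linked against the base policy, unless `expand-check=0` has been set in `semanage.conf`, in which case it is not checked at all. Whether Unix-domain sockets, or already-open network descriptors inherited across the transition, should also be cut off is a design decision this sketch deliberately leaves to the reader, since the page does not state what disablenetwork does about them.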