
Re: [ANNOUNCE] UidBind LSM 0.2

From: Tetsuo Handa <from-lsm_at_nospam>
Date: Wed Apr 25 2007 - 12:21:58 GMT
To: linux-security-module@vger.kernel.org


Hello.

Casey Schaufler wrote:
> Putting access control on ports rather than sockets is a novel
> approach. It is a lot simpler underneath and more consistent with
> the way other object name spaces are treated.
I prefer Novell's approach. It is as easy as using iptables.

In TOMOYO Linux, I do it in the following way.

  allow_network TCP bind 192.168.1.17 8081 if task.uid=1017
  allow_network UDP bind 192.168.1.17 8081 if task.uid=1017
  allow_network TCP bind 192.168.1.26 8081 if task.uid=1026
  allow_network UDP bind 192.168.1.26 8081 if task.uid=1026

I wish LSM had post-accept() and post-recvmsg() hooks. Don't you think it would be nice if an administrator could limit clients' IP addresses and ports (even if tcp-wrappers was bypassed due to a buffer overflow)?
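As an added illustration, not part of the mail and not TOMOYO Linux's own code: a small Python evaluator for rules of the shape quoted above (`allow_network <proto> <op> <addr> <port> if task.uid=<n>`). It parses the four rules from the mail, then answers bind requests with a default-deny decision, so one can see that a process with the wrong uid, port or address is refused. The handling of a rule with no `if` clause (meaning "any uid") is an assumption made here for the example, not something the mail states about TOMOYO's grammar.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample policy: the four rules quoted in the mail, one per line.
POLICY_TEXT = """
allow_network TCP bind 192.168.1.17 8081 if task.uid=1017
allow_network UDP bind 192.168.1.17 8081 if task.uid=1017
allow_network TCP bind 192.168.1.26 8081 if task.uid=1026
allow_network UDP bind 192.168.1.26 8081 if task.uid=1026
"""


@dataclass(frozen=True)
class Rule:
    proto: str                      # "TCP" or "UDP"
    op: str                         # e.g. "bind"
    addr: ipaddress.IPv4Address     # local address the rule permits
    port: int                       # local port the rule permits
    uid: Optional[int]              # None: rule has no "if task.uid=" clause (assumed to mean any uid)


def parse_rule(line: str) -> Rule:
    """Parse one 'allow_network ...' line; reject anything outside the supported shape."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "allow_network":
        raise ValueError(f"unsupported rule: {line!r}")
    proto, op, addr, port = tokens[1:5]
    uid = None
    if len(tokens) > 5:
        # Only the "if task.uid=<n>" condition seen in the mail is understood here.
        if len(tokens) != 7 or tokens[5] != "if" or not tokens[6].startswith("task.uid="):
            raise ValueError(f"unsupported condition: {line!r}")
        uid = int(tokens[6].split("=", 1)[1])
    return Rule(proto.upper(), op, ipaddress.IPv4Address(addr), int(port), uid)


def parse_policy(text: str) -> List[Rule]:
    """Parse a policy blob, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def is_allowed(rules: List[Rule], proto: str, op: str, addr: str, port: int, uid: int) -> bool:
    """Default deny: the request is permitted only if some rule matches every field."""
    target = ipaddress.IPv4Address(addr)
    for r in rules:
        if (r.proto == proto.upper() and r.op == op and r.addr == target
                and r.port == port and (r.uid is None or r.uid == uid)):
            return True
    return False


if __name__ == "__main__":
    rules = parse_policy(POLICY_TEXT)
    # Constructed requests: (proto, op, addr, port, uid)
    requests = [
        ("TCP", "bind", "192.168.1.17", 8081, 1017),   # matches rule 1
        ("TCP", "bind", "192.168.1.17", 8081, 1026),   # right socket, wrong uid
        ("UDP", "bind", "192.168.1.26", 8080, 1026),   # right uid, wrong port
        ("TCP", "listen", "192.168.1.26", 8081, 1026), # no rule for this operation
    ]
    for req in requests:
        verdict = "allow" if is_allowed(rules, *req) else "deny"
        print(f"{verdict:5} {req}")
```

The evaluator is deliberately strict about syntax: an unknown condition such as `task.gid=` raises instead of being silently ignored, since a policy line that fails to parse as intended is the kind of defect that quietly widens what a uid may bind.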