Hello.
Casey Schaufler wrote:
> Putting access control on ports rather than sockets is a novel
> approach. It is a lot simpler underneath and more consistent with
> the way other object name spaces are treated.
I prefer Novell's approach. It is as easy as using iptables.
In TOMOYO Linux, I do it in the following way.

allow_network TCP bind 192.168.1.17 8081 if task.uid=1017
allow_network UDP bind 192.168.1.17 8081 if task.uid=1017
allow_network TCP bind 192.168.1.26 8081 if task.uid=1026
allow_network UDP bind 192.168.1.26 8081 if task.uid=1026
I wish LSM had post-accept() and post-recvmsg() hooks.
Don't you think it would be nice if the administrator could limit
clients' IP addresses and ports (even if tcp-wrappers
was bypassed due to a buffer overflow)?
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
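The following is an added illustration, written for this archive page; it is neither code from the message above nor part of TOMOYO Linux. It parses rules in the `allow_network PROTO OP ADDR PORT if task.uid=N` form quoted in the message into a default-deny policy, evaluates bind requests against it per uid, and then models the post-accept() check the message wishes LSM offered: after the kernel has accepted a connection, the peer address and port are matched against `accept` rules and the socket is closed if nothing permits it, so the check holds even when a userspace filter such as tcp-wrappers has been bypassed. Assumptions: the `accept` operation, the hyphenated address and port ranges (`192.168.1.0-192.168.1.255`, `1024-65535`), and the `post_accept_check` function are all constructed here for the example and are not taken from the message; the sample policy is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample policy in the allow_network form shown in the message.
# The final "accept" rule with address/port ranges is an assumed extension
# used to model the wished-for post-accept() check; it is not from the message.
SAMPLE_POLICY = """
allow_network TCP bind 192.168.1.17 8081 if task.uid=1017
allow_network UDP bind 192.168.1.17 8081 if task.uid=1017
allow_network TCP bind 192.168.1.26 8081 if task.uid=1026
allow_network UDP bind 192.168.1.26 8081 if task.uid=1026
allow_network TCP accept 192.168.1.0-192.168.1.255 1024-65535 if task.uid=1017
"""


@dataclass(frozen=True)
class Rule:
    proto: str                        # "TCP" or "UDP"
    op: str                           # "bind" or (assumed) "accept"
    addr_lo: ipaddress.IPv4Address    # inclusive address range
    addr_hi: ipaddress.IPv4Address
    port_lo: int                      # inclusive port range
    port_hi: int
    uid: Optional[int]                # None: rule carries no task.uid condition


def _parse_range(text, conv):
    """Parse 'X' or 'X-Y' into an inclusive (lo, hi) pair using conv()."""
    lo, _, hi = text.partition("-")
    lo_v = conv(lo)
    hi_v = conv(hi) if hi else lo_v
    if hi_v < lo_v:
        raise ValueError(f"descending range: {text!r}")
    return lo_v, hi_v


def parse_policy(text: str) -> List[Rule]:
    """Turn allow_network lines into Rule objects; reject anything malformed."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] != "allow_network":
            raise ValueError(f"line {lineno}: not an allow_network rule: {line!r}")
        _, proto, op, addr, port, *cond = parts
        uid = None
        if cond:
            if len(cond) != 2 or cond[0] != "if" or not cond[1].startswith("task.uid="):
                raise ValueError(f"line {lineno}: unsupported condition: {cond!r}")
            uid = int(cond[1].split("=", 1)[1])
        addr_lo, addr_hi = _parse_range(addr, ipaddress.IPv4Address)
        port_lo, port_hi = _parse_range(port, int)
        if not 0 <= port_lo <= port_hi <= 65535:
            raise ValueError(f"line {lineno}: port out of range: {port!r}")
        rules.append(Rule(proto.upper(), op.lower(), addr_lo, addr_hi, port_lo, port_hi, uid))
    return rules


def is_allowed(rules: List[Rule], proto: str, op: str, addr: str, port: int, uid: int) -> bool:
    """Default deny: True only if some rule matches protocol, op, address, port and uid."""
    ip = ipaddress.IPv4Address(addr)
    for r in rules:
        if r.proto != proto.upper() or r.op != op.lower():
            continue
        if not (r.addr_lo <= ip <= r.addr_hi):
            continue
        if not (r.port_lo <= port <= r.port_hi):
            continue
        if r.uid is not None and r.uid != uid:
            continue
        return True
    return False


def post_accept_check(rules: List[Rule], uid: int, peer_ip: str, peer_port: int) -> bool:
    """Hypothetical post-accept() hook (assumed, not an existing LSM hook).

    Called after the kernel has accepted a TCP connection for a process
    running as `uid`; returns True to keep the socket, False to close it.
    Because it runs in the kernel, it is not affected by a compromised
    userspace filter in the accepting process.
    """
    return is_allowed(rules, "TCP", "accept", peer_ip, peer_port, uid)


RULES = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    print("uid 1017 bind 192.168.1.17:8081 ->", is_allowed(RULES, "TCP", "bind", "192.168.1.17", 8081, 1017))
    print("uid 1026 bind 192.168.1.17:8081 ->", is_allowed(RULES, "TCP", "bind", "192.168.1.17", 8081, 1026))
    print("uid 1017 accept from 10.0.0.5:40000 ->", post_accept_check(RULES, 1017, "10.0.0.5", 40000))
```

The evaluator is deliberately default-deny and matches every field of a rule, so a bind by the wrong uid, on the wrong address, or on the wrong port is refused even though the other fields match; the post-accept model applies the same matching to the peer of an already-accepted connection.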