| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 7 Jan 2009 08:38:32 +0100 From: Grzegorz Nosek <root@...aldomain.pl> To: Li Zefan <lizf@...fujitsu.com> Cc: containers@...ts.osdl.org, netdev@...r.kernel.org Subject: Re: [RFC][PATCH] IP address restricting cgroup subsystem On śro, sty 07, 2009 at 02:01:10 +0800, Li Zefan wrote: > CC: netdev@...r.kernel.org > > I'll review the cgroup part if this patch is regarded as useful. > > Grzegorz Nosek wrote: > > This is a very simple cgroup subsystem to restrict IP addresses used > > by member processes. Currently it is limited to IPv4 only but IPv6 (or > > other protocols) should be easy to implement. > > > > IP addresses are write-once (via /cgroup/.../ipaddr.ipv4 in dotted-quad > > Why they should be write-once ? No real (technical) reason. Making it read-write would be fine with me. I wanted to make the restriction a one-way road but I guess I can police that in userspace (simply don't write anything to the file twice). However, I think that the restriction should be inherited, so that if CG1 is bound to e.g. 10.0.0.1, CG1/CG2 must be bound to the same address. But what would I do then with descendant cgroups? Leave them as is (breaking the inheritance)? Find them all and change their bound address behind their back (do we have an API for that?)? I guess I have the same problem right now, anyway (only once instead of multiple times), so I'd really appreciate your input on this. Best regards, Grzegorz Nosek -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists