| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <200901071852.32078.rdenis@simphalempin.com> Date: Wed, 7 Jan 2009 18:52:27 +0200 From: Rémi Denis-Courmont <rdenis@...phalempin.com> To: Evgeniy Polyakov <zbr@...emap.net> Cc: Michael Stone <michael@...top.org>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: Re: [PATCH] Security: Implement and document RLIMIT_NETWORK. Le mercredi 7 janvier 2009 13:47:03 Evgeniy Polyakov, vous avez écrit : > The same goal can be achieved with 'owner' iptables match module btw. Err no. iptables is _not_ suitable for userland applications dropping their _own_ privileges. For privileged processes, it's clumsy at best, as iptables does not quite work if more than one applications uses it. That's typically your firewall configuration wizard or some custom admin-made script. As for UNprivileged processes, iptables is not allowed. As I understand it, Michael is trying to build something similar to SECCOMP, only way less restrictive and way more usable by real-life userland programs. -- Rémi Denis-Courmont http://www.remlab.net/ -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists