Message-ID: <alpine.LSU.2.00.0901210932520.19773@fbirervta.pbzchgretzou.qr>
Date: Wed, 21 Jan 2009 09:35:58 +0100 (CET)
From: Jan Engelhardt <jengelh@...ozas.de>
To: Peter Dolding <oiaohm@...il.com>
cc: rmeijer@...all.nl, Casey Schaufler <casey@...aufler-ca.com>,
Samir Bellabes <sam@...ack.fr>, imipak@...oo.com,
linux-security-module <linux-security-module@...r.kernel.org>,
Stephan Peijnik <stephan@...jnik.at>, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org
Subject: Re: RFC: Mandatory Access Control for sockets aka "personal firewalls"
On Wednesday 2009-01-21 09:15, Peter Dolding wrote:
>
>I really don't see the need for special here other than improving iptables.
>
>LSM module is overkill. This leads to double processing of packet requests.
>
>netfilter already can operate as either MAC or DAC all depending on
>the rules passed into it and the outside LSM applied.
But it cannot be used for personal firewalls at this time.
Incoming packets have no process context because they are
processed before that is determined, and similarly,
outgoing packets have already left most of the process
context behind them. Additionally, Netfilter cannot reject
bind() calls *at all*. That is the reason this is done
as an LSM in the first place.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
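The reply above turns on one point: a bind() decision needs process context (who is calling, under which uid, for which local address) and a way to return an error from the syscall, neither of which a packet-level Netfilter hook has. The following is an added user-space illustration, not code from the thread or from any of the LSMs it discusses: it models the decision an LSM `socket_bind` hook could make, with the process name, uid and requested `sockaddr` passed in as parameters where a real hook would take them from `current` and the syscall arguments. The rule table, program names and port choices are constructed for the example; the `-EACCES`/`-EINVAL` return convention mirrors how LSM hooks report a denial.

```c
/* Added illustration (not from the thread): the decision a personal-firewall
 * LSM can take at bind() time, written as a stand-alone user-space function.
 * In a real LSM socket_bind hook the process context (comm, uid) comes from
 * `current` and the address from the bind() syscall; here they are parameters.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* One policy rule: which program, running as which uid, may bind which
 * local port. comm "*" matches any program, uid (uid_t)-1 any uid,
 * family 0 any address family, port 0 any port. */
struct bind_rule {
    const char *comm;
    uid_t uid;
    int family;
    unsigned short port;
    int allow;
};

/* Constructed sample policy, first match wins. */
static const struct bind_rule policy[] = {
    { "sshd",  (uid_t)-1, 0, 22,  1 },
    { "httpd", (uid_t)-1, 0, 80,  1 },
    { "httpd", (uid_t)-1, 0, 443, 1 },
    { "*",     0,         0, 0,   1 },   /* root may bind anything else */
};

/* Local port in host byte order, or -1 if the address is not IPv4/IPv6
 * or addrlen is too short to hold it (the hook must not read past it). */
static int sockaddr_port(const struct sockaddr *addr, socklen_t addrlen)
{
    if (addr->sa_family == AF_INET && addrlen >= sizeof(struct sockaddr_in))
        return ntohs(((const struct sockaddr_in *)addr)->sin_port);
    if (addr->sa_family == AF_INET6 && addrlen >= sizeof(struct sockaddr_in6))
        return ntohs(((const struct sockaddr_in6 *)addr)->sin6_port);
    return -1;
}

/* 0 = allow, -EACCES = deny, -EINVAL = malformed address. */
int check_bind(const char *comm, uid_t uid,
               const struct sockaddr *addr, socklen_t addrlen)
{
    int port;
    size_t i;

    if (addrlen < sizeof(sa_family_t))
        return -EINVAL;
    if (addr->sa_family != AF_INET && addr->sa_family != AF_INET6)
        return 0;                       /* policy only covers IP sockets */
    port = sockaddr_port(addr, addrlen);
    if (port < 0)
        return -EINVAL;

    for (i = 0; i < sizeof(policy) / sizeof(policy[0]); i++) {
        const struct bind_rule *r = &policy[i];
        if (strcmp(r->comm, "*") != 0 && strcmp(r->comm, comm) != 0)
            continue;
        if (r->uid != (uid_t)-1 && r->uid != uid)
            continue;
        if (r->family != 0 && r->family != addr->sa_family)
            continue;
        if (r->port != 0 && r->port != port)
            continue;
        return r->allow ? 0 : -EACCES;
    }
    /* No rule matched: privileged ports are denied, the rest allowed. */
    return port < 1024 ? -EACCES : 0;
}

/* Build an IPv4 wildcard sockaddr for the given port and run the check;
 * addrlen is a parameter so a truncated address can be exercised too. */
int check_bind_v4(const char *comm, uid_t uid, unsigned short port,
                  socklen_t addrlen)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    return check_bind(comm, uid, (const struct sockaddr *)&sin, addrlen);
}

int main(void)
{
    printf("sshd  uid 0    port 22   -> %d\n", check_bind_v4("sshd", 0, 22, sizeof(struct sockaddr_in)));
    printf("httpd uid 33   port 80   -> %d\n", check_bind_v4("httpd", 33, 80, sizeof(struct sockaddr_in)));
    printf("nc    uid 1000 port 80   -> %d\n", check_bind_v4("nc", 1000, 80, sizeof(struct sockaddr_in)));
    printf("nc    uid 1000 port 8080 -> %d\n", check_bind_v4("nc", 1000, 8080, sizeof(struct sockaddr_in)));
    return 0;
}
```

The point the example makes is that every input to the decision except the port is process context; a Netfilter hook seeing the resulting packets would have neither the comm nor the uid, and would have no bind() call to fail.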