[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091218094955.32938765@nehalam>
Date: Fri, 18 Dec 2009 09:49:55 -0800
From: Stephen Hemminger <shemminger@...tta.com>
To: Michael Stone <michael@...top.org>
Cc: Mark Seaborn <mrs@...hic-beasts.com>, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, linux-security-module@...r.kernel.org,
Andi Kleen <andi@...stfloor.org>, David Lang <david@...g.hm>,
Oliver Hartkopp <socketcan@...tkopp.net>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Herbert Xu <herbert@...dor.apana.org.au>,
Valdis Kletnieks <Valdis.Kletnieks@...edu>,
Bryan Donlan <bdonlan@...il.com>,
Evgeniy Polyakov <zbr@...emap.net>,
"C. Scott Ananian" <cscott@...ott.net>,
James Morris <jmorris@...ei.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Bernie Innocenti <bernie@...ewiz.org>,
Randy Dunlap <randy.dunlap@...cle.com>,
Américo Wang <xiyou.wangcong@...il.com>,
Michael Stone <michael@...top.org>
Subject: Re: [PATCH] Security: Add prctl(PR_{GET,SET}_NETWORK) interface.
On Thu, 17 Dec 2009 22:00:57 -0500
Michael Stone <michael@...top.org> wrote:
> 5. Linux today has pretty good support for controlling the creation of
> channels involving the filesystem and involving shared daemons. It has
> mediocre support for access control involving sysv-ipc mechanisms. It has
> terrible support for access control involving non-local principals like
> "the collection of people and programs receiving packets sent to
> destination 18.0.0.1:80 from source 192.168.0.3:34661".
The policy control for this is done today on linux via the firewalling infrastructure.
It is not clear to me that moving over to the security infrastructure is an overall
gain from the security or user interface perspective.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists