[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201002052021.CIC81776.QVSMJOLtFOFFHO@I-love.SAKURA.ne.jp>
Date: Fri, 5 Feb 2010 20:21:28 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: amwang@...hat.com
Cc: linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, opurdila@...acom.com,
eric.dumazet@...il.com, linux-rdma@...r.kernel.org,
netdev@...r.kernel.org, nhorman@...driver.com,
linux-sctp@...r.kernel.org, davem@...emloft.net
Subject: Re: [RFC Patch v2] net: reserve ports for applications using fixedport numbers
Cong Wang wrote:
> Oh, IIUC, TOMOYO is something like SELinux?
Yes. It is a policy based mandatory access control implementation which is
applied to not only non root users but also root user. If MAC is enabled,
root user cannot freely modify via sysctl() or /proc/sys interface.
> So, it is somewhat weird to let users to use TOMOYO to reserve
> the ports with MAC.
To add reserved port
echo deny_autobind 0-1023 | ccs-loadpolicy -e
echo deny_autobind 3128 | ccs-loadpolicy -e
echo deny_autobind 8080 | ccs-loadpolicy -e
and to delete reserved port
echo delete deny_autobind 0-1023 | ccs-loadpolicy -e
echo delete deny_autobind 3128 | ccs-loadpolicy -e
echo delete deny_autobind 8080 | ccs-loadpolicy -e
That's all. Quite easy.
> For normal users /proc interface seems more friendly.
I think /proc/sys/net/ipv4/ip_local_reserved_ports interface wants
"struct list_head" for handling multiple sets of min/max pairs. I'm using
http://tomoyo.sourceforge.jp/cgi-bin/lxr/source/security/ccsecurity/autobind.c#L29
for that purpose.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists