Re: [RFC] packet/socket owner match (fireflier) using skfilter

Török Edwin <[email protected]> wrote:

> Fireflier aims at providing per application filtering. That is allowing to
> create rules like: allow apache to listen on port 80 (and only apache, nobody
> else).

I had a very simple idea for doing something like this:

Assign a special semantic to GID $n: Being in group $n allows you to listen
on port $n-$offset. $offset == -1 disables this feature (default).

E.g. You want apache to listen on 80 and 443: Set $offset to 60000 and put
apache into groups 60080 and 60443.

> I didn't include the patch inline, since it is quite long (1800+ lines ,
> ~100k). So I uploaded them here:
> http://edwintorok.googlepages.com/fireflier_kernel.html

(Text in parentheses written after completely reading the posting)

If I'd want it to work with iptables, I'd extend the socket struct to contain
the device:inode of the corresponding application (not changing it on exec)
and stat() the allowed applications on rule setups.
(I see you chose a similar but more complicated approach, but:)

I'd deliberately allow access to these sockets if it's passed to other
applications since it's the intended behaviour. (BTW: Your approach isn't
going to be 100 % reliable, since it will allow other processes to illegally
receive data if the socket is transferred after filtering, isn't it?)

Downside of both approaches:
 You'll have to guarantee stable dev:inode pairs. NFS? umount/mount?
 Workaround: suid helper setting/deleting the allowed-rule?

-- 
I thank GMX for sabotaging the use of my addresses by means of lies spread
via SPF.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
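The two ideas in the reply above, the GID-to-port mapping and identifying the owning application by its device:inode pair, can be simulated in user space to see how they behave, including the "stable dev:inode pairs" downside the reply points out. The following is an added example written for this page; it is not code from the thread, from fireflier, or from the kernel. The function names (`listen_allowed`, `executable_identity`, and the two `identity_*` demos), the `PORT_MAX` constant, and the constructed temporary "httpd" file are all assumptions of this example; the real check would live in the kernel's bind/listen path, not in a Python function.

```python
import os
import tempfile

PORT_MAX = 65535  # highest TCP/UDP port number


def listen_allowed(groups, port, offset):
    """Proposed GID semantic: being in group (port + offset) allows listening on port.

    offset == -1 disables the feature entirely, so nothing is granted by this rule.
    Any other policy (root, CAP_NET_BIND_SERVICE, ...) is deliberately not modelled.
    """
    if offset == -1:
        return False
    if not 0 <= port <= PORT_MAX:
        raise ValueError("port out of range: %d" % port)
    # The privilege is attached to the process's credentials, not to a binary:
    # every process carrying that GID gets it, whatever executable it runs.
    return (port + offset) in set(groups)


def executable_identity(path):
    """dev:inode of an executable, as the reply suggests stat()ing at rule setup."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def identity_survives_in_place_edit():
    """Rule captured at setup, then the file is truncated and rewritten in place.

    Returns True: the inode is reused, so the rule still matches even though the
    content changed. An inode match says nothing about what the binary now contains.
    """
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "httpd")          # constructed stand-in for the apache binary
        _write(exe, "#!/bin/sh\n")
        allowed = executable_identity(exe)      # stat() at rule setup
        _write(exe, "#!/bin/sh\necho patched\n")  # in-place rewrite, same inode
        return executable_identity(exe) == allowed


def identity_survives_replace():
    """Rule captured at setup, then the file is replaced via write-new-file + rename.

    Returns False: the replacement gets a fresh inode, so the rule silently stops
    matching. This is how package upgrades typically install binaries, and the same
    drift happens across umount/mount on some filesystems, as the reply notes.
    """
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "httpd")
        _write(exe, "#!/bin/sh\n")
        allowed = executable_identity(exe)
        tmp = exe + ".new"
        _write(tmp, "#!/bin/sh\n")               # identical content, new inode
        os.replace(tmp, exe)                     # atomic rename over the old file
        return executable_identity(exe) == allowed


if __name__ == "__main__":
    # The example from the reply: offset 60000, apache in groups 60080 and 60443.
    apache_groups = [60080, 60443]
    for port in (80, 443, 8080):
        print("port %5d allowed: %s" % (port, listen_allowed(apache_groups, port, 60000)))
    print("offset -1 disables:", listen_allowed(apache_groups, 80, -1))
    print("dev:inode rule survives in-place edit:", identity_survives_in_place_edit())
    print("dev:inode rule survives replace+rename:", identity_survives_replace())
```

Running it shows the trade-off the reply describes: the group scheme needs no knowledge of which binary runs (so any process with the GID, including one started from a compromised account, inherits the permission), while the dev:inode scheme is tied to a specific file and therefore needs the suid helper the reply mentions, or an equivalent hook, to refresh rules whenever the file is replaced.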
