Isolation LSM

From OLPC

Revision as of 16:05, 21 August 2008 by Mstone (Talk | contribs)

Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.
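The following is an added userland model of the decision logic such a syscall-plus-LSM design applies; it is not the OLPC patch and not kernel code. It mirrors the two points the page makes: the per-process flag is kept in a side table rather than in a field of 'struct task_struct', and once set it cannot be cleared, after which only AF_UNIX sockets pass the create, bind, connect and sendmsg checks. The names isolation_*, MAX_TASKS, and the hook signatures are assumptions made for this example.

```c
/* Added example: userland model of an Isolation-LSM-style 'disablenetwork'
 * policy. Not the OLPC patch. Names and signatures are assumptions. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

#define MAX_TASKS 64   /* constructed bound for the toy per-task side table */

/* Per-task state kept in a side table keyed by pid instead of in a new field
 * of the task structure, mirroring the page's reason for using an LSM. */
struct task_sec {
    pid_t pid;
    bool  network_disabled;
};
static struct task_sec table[MAX_TASKS];
static int ntasks = 0;

static struct task_sec *lookup(pid_t pid)
{
    for (int i = 0; i < ntasks; i++)
        if (table[i].pid == pid)
            return &table[i];
    return NULL;
}

/* Model of 'long sys_disablenetwork(void)' for the given pid. The flag is
 * write-once: there is deliberately no function that clears it, which is
 * what makes the restriction irrevocable. */
long isolation_disablenetwork(pid_t pid)
{
    struct task_sec *t = lookup(pid);
    if (!t) {
        if (ntasks >= MAX_TASKS)
            return -ENOMEM;
        t = &table[ntasks++];
        t->pid = pid;
    }
    t->network_disabled = true;
    return 0;
}

bool isolation_is_disabled(pid_t pid)
{
    struct task_sec *t = lookup(pid);
    return t != NULL && t->network_disabled;
}

/* Shared decision: once disabled, only AF_UNIX remains usable. Every socket
 * hook below reduces to this check on an address family. */
static int isolation_check_family(pid_t pid, int family)
{
    if (!isolation_is_disabled(pid))
        return 0;
    return family == AF_UNIX ? 0 : -EPERM;
}

/* Models of the LSM socket hooks: create sees the requested family; bind and
 * connect see the socket's family or the address handed to them; sendmsg
 * checks both the socket and any explicit destination address. */
int isolation_socket_create(pid_t pid, int family, int type, int protocol)
{
    (void)type; (void)protocol;   /* only the family matters to this policy */
    return isolation_check_family(pid, family);
}

int isolation_socket_bind(pid_t pid, const struct sockaddr *addr)
{
    return isolation_check_family(pid, addr->sa_family);
}

int isolation_socket_connect(pid_t pid, const struct sockaddr *addr)
{
    return isolation_check_family(pid, addr->sa_family);
}

int isolation_socket_sendmsg(pid_t pid, int sock_family, const struct sockaddr *dest)
{
    int rc = isolation_check_family(pid, sock_family);
    if (rc == 0 && dest != NULL)
        rc = isolation_check_family(pid, dest->sa_family);
    return rc;
}

/* Stand-alone walk-through for a constructed pid. */
int main(void)
{
    pid_t me = 4242;   /* constructed pid */
    printf("before: AF_INET create -> %d\n", isolation_socket_create(me, AF_INET, SOCK_STREAM, 0));
    isolation_disablenetwork(me);
    printf("after:  AF_INET create -> %d (EPERM is %d)\n",
           isolation_socket_create(me, AF_INET, SOCK_STREAM, 0), EPERM);
    printf("after:  AF_UNIX create -> %d\n", isolation_socket_create(me, AF_UNIX, SOCK_STREAM, 0));
    return 0;
}
```

The model also shows why the review comment about the abstract Unix namespace matters: nothing in these hooks distinguishes a filesystem-bound AF_UNIX socket (covered by Unix DAC) from an abstract-namespace one, so AF_UNIX passing the family check is not the same as AF_UNIX being access-controlled.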

Some review of this LSM took place and several improvements were suggested:

  • consider whether to enable localhost-IP connections for improved compatibility with portable software
  • consider whether to disable the abstract namespace of Unix sockets (or to enter a fresh namespace) since Unix DAC is not available to control access to such sockets
  • rewrite for recent kernels (which removed the modularity of the LSM framework)
  • consider non-syscall APIs