Isolation LSM: Difference between revisions
Jump to navigation
Jump to search
m (New page: [http://cr.yp.to/djb.html Daniel Bernstein] has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create,...) |
mNo edit summary |
||
(3 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[http://cr.yp.to/djb.html Daniel Bernstein] has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets. |
[http://cr.yp.to/djb.html Daniel Bernstein] has [http://cr.yp.to/unix/disablenetwork.html observed] that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets. |
||
[http://dev.laptop.org/git?p=users/mstone/olpc-2.6;a=commit;h=c05cc7eadcee3d9450c1eb6a41ef9c932f9aad53 This patch] defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'. |
[http://dev.laptop.org/git?p=users/mstone/olpc-2.6;a=commit;h=c05cc7eadcee3d9450c1eb6a41ef9c932f9aad53 This patch] defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'. |
||
Some [http://lists.laptop.org/pipermail/security/2008-April/000390.html review] of this LSM took place and several improvements were suggested: |
|||
* consider whether to enable localhost-IP connections for improved compatibility with portable software |
|||
* consider whether to disable the abstract namespace of Unix sockets (or to enter a fresh namespace) since Unix DAC is not available to control access to such sockets |
|||
* rewrite for recent kernels (which removed the modularity of the LSM framework) |
|||
* consider non-syscall APIs. |
|||
[[Category:Security]] |
Latest revision as of 16:05, 21 August 2008
Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.
This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.
Some review of this LSM took place and several improvements were suggested:
- consider whether to enable localhost-IP connections for improved compatibility with portable software
- consider whether to disable the abstract namespace of Unix sockets (or to enter a fresh namespace) since Unix DAC is not available to control access to such sockets
- rewrite for recent kernels (which removed the modularity of the LSM framework)
- consider non-syscall APIs.