Isolation LSM

From OLPC
Revision as of 16:01, 21 August 2008 by Mstone (talk | contribs)

Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from being able to irrevocably give up their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.
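
A userspace model of the policy described above, added here as an illustration and not taken from the patch. The `task_sec` struct, the `model_*` function names and the `-EACCES` return value are assumptions; only the one-way flag and the AF_UNIX exemption come from the text.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>

/* Hypothetical per-task state owned by the LSM, so that
 * 'struct task_struct' itself needs no new field. */
struct task_sec {
    bool network_disabled;
};

/* Model of the syscall: sets the flag. Nothing in this model clears
 * it, which is what makes the restriction irrevocable. */
long model_disablenetwork(struct task_sec *sec)
{
    sec->network_disabled = true;
    return 0;
}

/* Shared decision: AF_UNIX always passes; every other address family
 * is refused once the flag is set (error code is an assumption). */
static int check_family(const struct task_sec *sec, int family)
{
    if (sec->network_disabled && family != AF_UNIX)
        return -EACCES;
    return 0;
}

/* One check per operation the page lists. 'family' is the address
 * family of the socket being created or operated on, so a socket
 * opened before the call is still refused on bind/connect/send. */
int model_socket_create(const struct task_sec *s, int family)  { return check_family(s, family); }
int model_socket_bind(const struct task_sec *s, int family)    { return check_family(s, family); }
int model_socket_connect(const struct task_sec *s, int family) { return check_family(s, family); }
int model_socket_sendmsg(const struct task_sec *s, int family) { return check_family(s, family); }

int main(void)
{
    struct task_sec self = { .network_disabled = false };

    printf("before: create AF_INET -> %d\n", model_socket_create(&self, AF_INET));
    model_disablenetwork(&self);
    printf("after:  create AF_INET -> %d\n", model_socket_create(&self, AF_INET));
    printf("after:  sendmsg AF_INET (socket opened earlier) -> %d\n",
           model_socket_sendmsg(&self, AF_INET));
    printf("after:  connect AF_UNIX -> %d\n", model_socket_connect(&self, AF_UNIX));
    return 0;
}
```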