Isolation LSM

From OLPC
Revision as of 16:01, 21 August 2008 by Mstone (talk | contribs)
Jump to navigation Jump to search

Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from the ability to irrevocably remove their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.

Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Isolation_LSM&oldid=153808"