Isolation LSM

From OLPC

Daniel J. Bernstein has observed that security-conscious unprivileged userland processes would benefit from being able to irrevocably give up the ability to create, bind, connect, or send messages on non-AF_UNIX sockets: once a process has finished its privileged setup, it can drop network access entirely and no later compromise of that process can regain it.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it as an LSM. The per-task "network disabled" flag lives in the LSM's task security blob rather than in 'struct task_struct', so the core definition of the task structure need not be modified; the LSM's socket hooks then consult that flag and refuse the operations listed above for any socket whose family is not AF_UNIX. The flag is one-way: there is no syscall to clear it.

Review of this LSM produced several suggested improvements:

  • consider whether to keep allowing connections to localhost IP addresses, for better compatibility with portable software that talks to local daemons over TCP rather than AF_UNIX sockets
  • consider whether to also disable the abstract namespace of Unix sockets (or to enter a fresh namespace), since abstract sockets have no filesystem inode and so Unix DAC (file permissions) cannot control access to them, unlike filesystem-bound AF_UNIX sockets
  • rewrite for recent kernels, which removed the ability to load LSMs as modules
  • consider non-syscall APIs.
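The following is an added illustration, not code from the OLPC patch: a userspace model in C of the policy the LSM enforces. The per-task flag stands in for the LSM's task security blob, and the two hook_* functions stand in for the socket_create, socket_bind, socket_connect and socket_sendmsg LSM hooks. The address hooks matter because sockets opened before disablenetwork() was called still exist afterwards. The two option bits model the first two review suggestions above (a loopback exemption and denial of abstract-namespace Unix sockets); they are assumed switches for the sake of the example, not features of the original patch. The sample addresses are constructed.

```c
/* Userspace model of the disablenetwork policy that the Isolation LSM
 * enforces in-kernel.  Added example, not the OLPC patch's code: the
 * per-task flag stands in for the LSM's task security blob, and the
 * hook_* functions stand in for the socket_create, socket_bind,
 * socket_connect and socket_sendmsg LSM hooks.  The two option bits
 * model reviewer suggestions and are assumptions, not patch features. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct task_policy {
    bool network_disabled;    /* set by disablenetwork(); nothing clears it */
    bool allow_loopback;      /* assumed option: permit 127/8 and ::1 */
    bool deny_abstract_unix;  /* assumed option: also block "\0name" sockets */
};

/* Model of sys_disablenetwork(): a one-way transition that always succeeds.
 * Irrevocability comes from the absence of any inverse operation. */
long model_disablenetwork(struct task_policy *t)
{
    t->network_disabled = true;
    return 0;
}

/* Loopback test, consulted only when allow_loopback is set. */
static bool is_loopback(const struct sockaddr *sa, socklen_t len)
{
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)sa;
        return (ntohl(in->sin_addr.s_addr) & 0xff000000u) == 0x7f000000u;
    }
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        return IN6_IS_ADDR_LOOPBACK(&in6->sin6_addr);
    }
    return false;
}

/* Abstract-namespace AF_UNIX addresses start with a NUL byte in sun_path;
 * they have no filesystem inode, so file permissions never apply to them. */
static bool is_abstract_unix(const struct sockaddr *sa, socklen_t len)
{
    const struct sockaddr_un *un = (const struct sockaddr_un *)sa;
    return sa->sa_family == AF_UNIX &&
           len > offsetof(struct sockaddr_un, sun_path) &&
           un->sun_path[0] == '\0';
}

/* Model of the socket_create hook: after disablenetwork(), only AF_UNIX
 * sockets may be created. */
int hook_socket_create(const struct task_policy *t, int family)
{
    if (!t->network_disabled)
        return 0;
    return family == AF_UNIX ? 0 : -EPERM;
}

/* Model of the socket_bind / socket_connect / socket_sendmsg hooks.
 * sock_family is the socket's own family; sa may be NULL (sendmsg on an
 * already-connected socket supplies no address). */
int hook_socket_address(const struct task_policy *t, int sock_family,
                        const struct sockaddr *sa, socklen_t len)
{
    if (!t->network_disabled)
        return 0;
    if (sock_family == AF_UNIX) {
        if (t->deny_abstract_unix && sa && is_abstract_unix(sa, len))
            return -EPERM;
        return 0;
    }
    if (t->allow_loopback && sa && is_loopback(sa, len))
        return 0;
    return -EPERM;
}
```

Two things the model makes visible: with the strict policy every non-AF_UNIX operation fails with EPERM once the flag is set, including sendmsg on a TCP socket that was connected before the call; and the loopback exemption, if adopted, would need to inspect the connected peer for address-less sendmsg as well, which this model does not attempt.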