Isolation LSM

From OLPC
Revision as of 11:58, 21 August 2008 by Mstone

Daniel Bernstein has observed that security-conscious unprivileged userland processes may benefit from being able to irrevocably give up their ability to create, bind, connect to, or send messages to non-AF_UNIX sockets.

This patch defines a 'long sys_disablenetwork(void)' syscall and implements it in an LSM in order to avoid modifying the definition of 'struct task_struct'.
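For comparison, a process can approximate the "create" part of this restriction on a stock kernel with a seccomp-bpf filter. This is an added example, not the patch's code: it swaps in seccomp for the proposed syscall, `disable_network_seccomp` is a hypothetical name, and it assumes little-endian x86_64 or aarch64 Linux.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this target"
#endif
#define SD(field) offsetof(struct seccomp_data, field)

/* Hypothetical helper, not the patch's sys_disablenetwork(): from now on
 * socket() fails with EACCES for every family except AF_UNIX. Applies to the
 * calling thread, is inherited across fork/exec, and cannot be removed. */
int disable_network_seccomp(void)
{
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 6), /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(nr)),
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 4, 0),  /* x32 numbers: kill */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 2), /* other calls: allow */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD(args[0])),        /* family, low word */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_UNIX, 0, 2),     /* AF_UNIX: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EACCES),
    };
    struct sock_fprog prog = { .len = sizeof(f) / sizeof(f[0]), .filter = f };
    /* no_new_privs lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (disable_network_seccomp() != 0) { perror("seccomp"); return 1; }
    int inet = socket(AF_INET, SOCK_STREAM, 0); /* denied by the filter */
    int unx = socket(AF_UNIX, SOCK_STREAM, 0);  /* still allowed */
    printf("AF_INET fd=%d, AF_UNIX fd=%d\n", inet, unx);
}
```

The filter only gates socket creation: seccomp-bpf cannot dereference the `sockaddr` pointers passed to bind, connect or sendmsg, so non-AF_UNIX sockets that are already open stay usable. Covering those operations is what the page's in-kernel approach is for.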