Re: 2001_05_09 patch against 2.4.4

From: David Wagner (dawat_private)
Date: Thu May 17 2001 - 00:13:40 PDT

Chris Wright wrote:
>* Chris Evans (chrisat_private) wrote:
>> I wonder if Linux can be persuaded to create
>> "clone devices" [...]
>> Then, mark the clone device as trusted, and firewall the cloned device
>> such that it only sends on 22/tcp.
>
>I ran into some problems using the firewall code directly (in 2.2).  First
>and foremost...all inbound packet filtering happens on the bottom half.  This
>means you don't have relevant process context for making process based
>decisions.

Yup, but I believe Chris Evans' very clever suggestion can be made
to work if you create a new device for each process to be restricted
and give each one a separate IP address.  Inbound packet filters can
filter based on the device that the packet came in on, so this will
let you do the filtering you want if you can have extra IP addresses.
It is elegant and has good assurance properties.

Two students prototyped this on FreeBSD in a systems security class
I taught last fall, and it seems to work very nicely.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
    
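The scheme discussed in the message above (one device per restricted process, each with its own IP address, with inbound rules keyed on the ingress device because the bottom half has no process context) is sketched below as an added example. It is not code from the thread or from the students' FreeBSD prototype; it uses modern Linux ip(8) and iptables(8) rather than the 2.2/2.4-era ipchains the thread had in mind. Assumptions not stated in the thread: the clone device is a macvlan child of an uplink interface (`UPLINK`, defaulting to `eth0`), the sandboxed process binds to its device's address, and outbound traffic is keyed on that source address rather than on the output device. The function names, the dry-run switch and the sample values `sandbox0`, `10.0.0.5/24` and port 22 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a per-process "clone device" with its
# own address, firewalled so that only TCP PORT passes through it.
# Assumptions (not in the thread): macvlan child of $UPLINK, process binds to
# the device's address, outbound policy keyed on that source address.

UPLINK="${UPLINK:-eth0}"

# run CMD ARGS...: print the command when DRY_RUN=1 (the default here),
# otherwise execute it.  Applying the rules for real requires root.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_clone_device DEV ADDR PORT
# Creates DEV (ADDR in CIDR form) and restricts traffic for the process
# bound to it to TCP PORT.  Inbound rules match on the ingress device
# (-i DEV): the kernel knows which device a packet arrived on even where it
# has no process context, which is the property Wagner's reply relies on.
setup_clone_device() {
    dev=$1
    addr=$2
    port=$3
    host=${addr%/*}   # strip the prefix length for source-address matches

    run ip link add link "$UPLINK" name "$dev" type macvlan mode bridge
    run ip addr add "$addr" dev "$dev"
    run ip link set "$dev" up

    # Inbound on this device: new connections only to PORT, replies to the
    # process's own connections, nothing else.
    run iptables -A INPUT -i "$dev" -p tcp --dport "$port" -j ACCEPT
    run iptables -A INPUT -i "$dev" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$dev" -j DROP

    # Outbound (assumption: keyed on the device's address as source, which
    # also needs no process context): the process may only open connections
    # to PORT; replies to accepted inbound connections are still allowed.
    run iptables -A OUTPUT -s "$host" -p tcp --dport "$port" -j ACCEPT
    run iptables -A OUTPUT -s "$host" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -s "$host" -j DROP
}

# Example invocation: set CLONE_DEV/CLONE_ADDR/CLONE_PORT and run with
# DRY_RUN=1 to print the commands, DRY_RUN=0 (as root) to apply them.
if [ -n "${CLONE_DEV:-}" ]; then
    setup_clone_device "$CLONE_DEV" "${CLONE_ADDR:-10.0.0.5/24}" "${CLONE_PORT:-22}"
fi
```

The outbound rules match on the source address instead of `-o DEV` because a macvlan child shares its parent's subnet route, so a packet sent from the clone's address may well leave through the uplink; matching on the address keeps the policy tied to the process regardless of which device the routing code picks. The rules are also keyed on the interface name, so they remain in the ruleset after the device is deleted and must be flushed separately.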

This archive was generated by hypermail 2b30 : Thu May 17 2001 - 00:16:26 PDT