Chris Wright wrote:
>* Chris Evans (chrisat_private) wrote:
>> I wonder if Linux can be persuaded to create
>> "clone devices" [...]
>> Then, mark the clone device as trusted, and firewall the cloned device
>> such that it only sends on 22/tcp.
>
>I ran into some problems using the firewall code directly (in 2.2). First
>and foremost...all inbound packet filtering happens on the bottom half. This
>means you don't have relevant process context for making process based
>decisions.

Yup, but I believe Chris Evans' very clever suggestion can be made
to work if you create a new device for each process to be restricted
and give each one a separate IP address. Inbound packet filters can
filter based on the device that the packet came in on, so this will
let you do the filtering you want if you can have extra IP addresses.

It is elegant and has good assurance properties. Two students
prototyped this on FreeBSD in a systems security class I taught
last fall, and it seems to work very nicely.

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 00:16:26 PDT