On Tue, Jul 17, 2001 at 06:07:49PM -0700, Seth Arnold wrote:
> On Tue, Jul 17, 2001 at 07:53:06PM -0400, jmjonesat_private wrote:
>
> > Many weeks ago, somebody suggested creating port structures in /proc/
> > that reflected the specific ports being opened and their permissions.
> > This is one way to handle this within the pre-existent paradigm that I
> > like, but not enough to "bid on".
>
> The /proc system is entirely for interaction with user space, and such
> interaction is probably best left to module authors. (Though if several
> module authors suggest that such a mechanism is useful to them, we may
> be able to put the network /proc stuff suggested into the general LSM
> kernel.)

I suspect that what he's referring to is the (old) "sockfs" patch. Quick
google gives this:

http://security-archive.merton.ox.ac.uk/archive-199805/0285.html

IIRC it "fell" on the fact that there wasn't a way to assign permissions
per-interface, like if you have a service that only gets to listen to a
specific interface, and the general mindset of "well if it only solves 99%
of the problem, let's not do it and wait (possibly indefinitely) for a 100%
solution."

Also I think there was an issue of how it would remember the permissions
over reboots, but now that we have devfs(d) that should be less of an
issue.

/August.

-- 
Björn Augustsson                    DCE/DFS Sysadmin
IT Systems & Services               Chalmers tekniska högskola
Chalmers University of Technology

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed Jul 18 2001 - 06:13:31 PDT