Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2

Previous message: Chris Wright: "Re: graft_tree/attach_mnt rfc"
In reply to: Olaf Dietsche: "Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2"
Next in thread: Olaf Dietsche: "Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2"
Next in thread: Olaf Dietsche: "Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2"
Next in thread: Chris Wright: "Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2"
Reply: Olaf Dietsche: "Re: [PATCH] accessfs v0.6 ported to 2.5.35-lsm1 - 1/2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

sdsat_private

On Sun, 29 Sep 2002, Olaf Dietsche wrote:

> AFAICS, it looks like you can make _additional_ checks only. You still
> have to grant CAP_NET_BIND_SERVICE for binding to ports below PROT_SOCK.
> So, this doesn't look like a viable solution for me.

You can grant CAP_NET_BIND_SERVICE to all processes via the capable()
hook, and then use the socket_bind() hook to control access
authoritatively to ports.  It is true that SELinux only uses socket_bind
restrictively (to impose an additional domain-based control on port
binding), but you should be able to use it authoritatively as described
above.

--
Stephen D. Smalley, NAI Labs
ssmalleyat_private

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module