> > Attached is a proposed patch to allow LSM's to hide the existence of
> > network interfaces. This appears to require more than one pair of
> > hooks. The netdev_* hooks are generic network device hooks. The inet_*
> > hooks are for internet devices. The latter know about device aliases,
> > such as eth0:0.
>
> What security purpose does it serve to hide the existence of a network
> interface?

These are mainly for usability. Without these, if I set up several jails or
vserver machines with either their own network card or ip alias, they have
no good way of telling what their ip address is. This way, the only
addresses they see are ones which are in fact valid.

> I don't think this patch has much chance of upstream acceptance.
>
> Can BSD jail work without these hooks?

It can; however, it requires reassigning inet_{dgram,stream}_ops.ioctl to my
own versions, which read, parse, and filter the original ioctl() output to
filter out the unwanted information.

--
=======================================================
Serge Hallyn
Security Software Engineer, IBM Linux Technology Center
serue@private
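The fallback described in the reply (filtering the interface list that SIOCGIFCONF hands back so a jail only sees addresses it owns) sketched as a user-space model; this is an added example, not the patch under discussion or Serge's ioctl wrappers, and the interface table it filters is constructed inline rather than read from a real socket.

```c
#define _GNU_SOURCE
#include <string.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Keep only the SIOCGIFCONF entries whose IPv4 address is in allowed[];
 * survivors are compacted in place, ifc_len shrinks, and the count is returned. */
size_t filter_ifconf(struct ifconf *ifc, const struct in_addr *allowed, size_t nallowed)
{
    struct ifreq *req = ifc->ifc_req;
    size_t total = ifc->ifc_len / sizeof(struct ifreq), kept = 0;
    for (size_t i = 0; i < total; i++) {
        const struct sockaddr_in *sin = (const struct sockaddr_in *)&req[i].ifr_addr;
        int visible = 0;
        if (sin->sin_family == AF_INET)
            for (size_t j = 0; j < nallowed && !visible; j++)
                visible = (sin->sin_addr.s_addr == allowed[j].s_addr);
        if (visible)
            req[kept++] = req[i];   /* compact; copying an entry onto itself is harmless */
    }
    ifc->ifc_len = (int)(kept * sizeof(struct ifreq));
    return kept;
}

/* Fill one ifreq the way SIOCGIFCONF would (constructed data, no real query). */
static void set_entry(struct ifreq *r, const char *name, const char *ip)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)&r->ifr_addr;
    memset(r, 0, sizeof(*r));
    strncpy(r->ifr_name, name, IFNAMSIZ - 1);
    sin->sin_family = AF_INET;
    inet_pton(AF_INET, ip, &sin->sin_addr);
}

/* Constructed host view (eth0, alias eth0:0, lo) filtered for a jail that owns
 * only 10.0.0.2: the first surviving name is copied out, the count returned. */
size_t demo_jail_view(char *first_name, size_t len)
{
    struct ifreq reqs[3];
    struct ifconf ifc; struct in_addr allowed[1];
    set_entry(&reqs[0], "eth0",   "10.0.0.1");
    set_entry(&reqs[1], "eth0:0", "10.0.0.2");
    set_entry(&reqs[2], "lo",     "127.0.0.1");
    inet_pton(AF_INET, "10.0.0.2", &allowed[0]);
    ifc.ifc_len = sizeof reqs; ifc.ifc_req = reqs;
    size_t kept = filter_ifconf(&ifc, allowed, 1);
    strncpy(first_name, kept ? reqs[0].ifr_name : "", len);
    return kept;
}
```

In the kernel the same filtering would run on the buffer after the original ioctl handler fills it, which is why the reply describes reassigning the inet ops' ioctl rather than adding a hook.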
This archive was generated by hypermail 2.1.3 : Mon Aug 16 2004 - 12:15:24 PDT