Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)

From: Michael Stone
Date: Tue Jan 12 2010 - 01:08:46 EST


Serge Hallyn wrote:
> Michael, I'm sorry, I should go back and search the thread for the
> answer, but don't have time right now - do you really need
> disablenetwork to be available to unprivileged users?

Rainbow can only drop the networking privileges when we know at app launch time
(e.g. based on a manifest or from the human operator) that privileges can be
dropped. Unfortunately, most of the really interesting uses of disablenetwork
happen *after* rainbow has dropped privilege and handed control to the app.
Therefore, having an API which can be used by at least some low-privilege
processes is important to me.

> is it ok to require CAP_SETPCAP (same thing required for dropping privs from
> bounding set)?

Let me try to restate your idea:

We can make disablenetwork safer by permitting its use only where explicitly
permitted by some previously privileged ancestor. The securebits facility
described in

http://lwn.net/Articles/280279/

may be a good framework in which to implement this control.

Did I understand correctly? If so, then yes, this approach seems like it would
work for me.

Regards, and thanks very much for your help,

Michael
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
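Added example for readers of this thread (not code from the disablenetwork patch, from Rainbow, or from either poster): Serge's question refers to two controls the kernel already gates on CAP_SETPCAP, the capability bounding set (prctl PR_CAPBSET_DROP) and the per-process securebits from the LWN article Michael cites (prctl PR_SET_SECUREBITS, including the *_LOCKED bits that a privileged ancestor sets before handing control to an app). The program below exercises exactly those two existing prctl calls and nothing else: the helper names are this example's own, CAP_NET_RAW is only an illustrative capability, and disablenetwork itself is not called because no merged API for it is shown on this page. Linux only.

```c
/*
 * Added example (not from the disablenetwork patch or from Rainbow): the two
 * CAP_SETPCAP-gated prctl controls Serge's suggestion would build on.
 * Linux only. Build: gcc -Wall -O2 -o secbits_demo secbits_demo.c
 * Run unprivileged to see the EPERM gate; run with CAP_SETPCAP (e.g. as root)
 * to see the bounding-set drop and the securebits lock actually take effect.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <linux/capability.h>   /* CAP_NET_RAW */
#include <linux/securebits.h>   /* SECBIT_NOROOT, SECBIT_NOROOT_LOCKED */

/* Is cap still in the caller's bounding set? 1 = yes, 0 = no, -1 = error. */
int bounding_set_has(int cap)
{
    return prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
}

/* Drop cap from the bounding set so neither this process nor any descendant
 * can regain it across exec. Returns 0 on success, otherwise errno; EPERM
 * means the caller lacks CAP_SETPCAP, which is the gate Serge is asking about. */
int bounding_set_drop(int cap)
{
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* Current securebits mask (inherited across fork and exec), or -1 on error. */
long securebits_get(void)
{
    return prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
}

/* The privileged ancestor's step: switch on SECBIT_NOROOT (uid 0 no longer
 * grants capabilities on exec) and lock it, so no descendant can switch it
 * back off even if it later holds CAP_SETPCAP. Returns 0 or errno. */
int securebits_lock_noroot(void)
{
    long bits = securebits_get();
    if (bits < 0)
        return errno;
    bits |= SECBIT_NOROOT | SECBIT_NOROOT_LOCKED;
    if (prctl(PR_SET_SECUREBITS, bits, 0, 0, 0) == -1)
        return errno;
    return 0;
}

/* What a descendant might try: clear NOROOT again. Once the lock bit is set
 * the kernel refuses this with EPERM regardless of the caller's capabilities. */
int securebits_clear_noroot(void)
{
    long bits = securebits_get();
    if (bits < 0)
        return errno;
    bits &= ~(long)SECBIT_NOROOT;
    if (prctl(PR_SET_SECUREBITS, bits, 0, 0, 0) == -1)
        return errno;
    return 0;
}

int main(void)
{
    int rc;

    printf("securebits before: 0x%lx\n", securebits_get());
    rc = securebits_lock_noroot();
    printf("lock SECBIT_NOROOT: %s\n", rc ? strerror(rc) : "ok");
    rc = securebits_clear_noroot();
    printf("clear SECBIT_NOROOT: %s (EPERM once locked)\n", rc ? strerror(rc) : "ok");

    printf("CAP_NET_RAW in bounding set: %d\n", bounding_set_has(CAP_NET_RAW));
    rc = bounding_set_drop(CAP_NET_RAW);
    printf("drop CAP_NET_RAW: %s\n", rc ? strerror(rc) : "ok");
    printf("CAP_NET_RAW in bounding set: %d\n", bounding_set_has(CAP_NET_RAW));
    return 0;
}
```

The caveat a practitioner should keep in mind when comparing this with disablenetwork: the bounding set only removes capabilities, and opening an ordinary AF_INET or AF_UNIX socket needs none, so dropping CAP_NET_RAW or CAP_NET_ADMIN does not take networking away from an unprivileged app. That is the gap the patch is meant to close; the securebits-style lock shown here is only the control-plane pattern Serge is proposing to gate it with.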