Quoting Pavel Machek (pavel@xxxxxx):
> > Quoting Michael Stone (michael@xxxxxxxxxx):
> > > Serge Hallyn wrote:
> > > >Michael, I'm sorry, I should go back and search the thread for the
> > > >answer, but don't have time right now - do you really need
> > > >disablenetwork to be available to unprivileged users?
> > > > > > Rainbow can only drop the networking privileges when we know at app launch time
> > > (e.g. based on a manifest or from the human operator) that privileges can be
> > > dropped. Unfortunately, most of the really interesting uses of disablenetwork
> > > happen *after* rainbow has dropped privilege and handed control the app.
> > > Therefore, having an API which can be used by at least some low-privilege
> > > processes is important to me.
> > > > > > >is it ok to require CAP_SETPCAP (same thing required for dropping privs from
> > > >bounding set)?
> > > > > > Let me try to restate your idea:
> > > > > > We can make disablenetwork safer by permitting its use only where explicitly
> > > permitted by some previously privileged ancestor. The securebits facility
> > > described in
> > > > > > http://lwn.net/Articles/280279/
> > > > > > may be a good framework in which to implement this control.
> > > > > > Did I understand correctly? If so, then yes, this approach seems like it would
> > > work for me.
> > > > That is a little more than I was saying this time though I think I
> > suggested it earlier.
> > > > But really I don't think anyone would care to separate a system into
> > some processes allowed to do unprivileged disablenetwork and other
> > processes not allowed to, so a (root-owned mode 644) sysctl seems just
> > as useful.
> > Global solution like that is always wrong. (And we have better
> solution available.)
All right, so Michael suggested securebits, I personally feel prctl would
be more appropriate.