> Creating a session with some tag might be an easier sell than having the
> customer force apps onto a new process/uid/gid/etc. This is where my
> proposal for the CreateSession to pass an optional tag/uid so sessions can
> be created by proxy. This would actually be no different than the concept
> Android is using for the download manager--as I understand it from the
> qtaguid discussion.

I think the only issue supporting a true arbitrary tag is that there is no way (that I'm aware of) in iptables to bind a given packet with an arbitrary tag other than by knowing the UID, GID, or SELinux context of the socket/connection the packet is coming/going to. The "mark" field serves as the place where this arbitrary "tag" can be assigned to a packet. The tough part is figuring out which packets receive which "mark". As I understand it, the UID, GID, or SELinux context provide the mechanism to discriminate between packets and assign the correct tag.

If you don't rely on either the UID, GID, or SELinux context then there must be an out-of-band mechanism between the application and Connman which provides Connman with the information necessary to mark the correct packet in its iptables rules. This might be similar to how qtaguid works but it's not clear to me if the application (or underlying network library) provides this information to the underlying network stack.
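
The UID/GID-based marking discussed in this message, written out as the iptables `owner` match plus the policy-routing rule that consumes the mark. This is an added example, not part of the original post and not ConnMan's own code; the function names, ids, marks and routing tables are constructed for illustration, the rules are printed rather than applied, and the SELinux selector is left out.

```shell
#!/bin/sh
# Emit (not apply) the mangle-table rules that tag a session's outgoing
# packets by socket owner. All ids, marks and tables are constructed values.

# mark_rule KIND ID MARK -> prints one iptables command
#   KIND: uid | gid   ID: numeric id   MARK: 0x-prefixed hex fwmark
mark_rule() {
    kind=$1 id=$2 mark=$3
    case $kind in
        uid) match=--uid-owner ;;
        gid) match=--gid-owner ;;
        *)   echo "unsupported selector: $kind" >&2; return 1 ;;
    esac
    # Reject anything that is not a plain number or hex mark, since the
    # printed command is meant to be run as root.
    case $id in ''|*[!0-9]*) echo "bad id: $id" >&2; return 1 ;; esac
    case $mark in
        0x*) hex=${mark#0x}
             case $hex in ''|*[!0-9a-fA-F]*) echo "bad mark: $mark" >&2; return 1 ;; esac ;;
        *)   echo "bad mark: $mark" >&2; return 1 ;;
    esac
    # The owner match only sees locally generated packets, hence OUTPUT.
    echo "iptables -t mangle -A OUTPUT -m owner $match $id -j MARK --set-mark $mark"
}

# route_rule MARK TABLE -> prints the policy-routing rule keyed on the mark
route_rule() {
    echo "ip rule add fwmark $1 table $2"
}

# Constructed sessions, one per line: "selector id mark routing-table"
session_rules() {
    while read -r kind id mark table; do
        mark_rule "$kind" "$id" "$mark" || return 1
        route_rule "$mark" "$table"
    done <<EOF
uid 1001 0x100 100
gid 2002 0x101 101
EOF
}

session_rules
```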
