As the $subject says, I want to make network sandboxing on by default as of sydbox version 0.4. The default network sandboxing mode will be "local" and "restrict_connect" will be true.
## What does this mean?
- Programs running under sydbox aren't allowed to make connections to
non-local addresses or bind to any address aka 0.0.0.0.
- Programs running under sydbox can only connect to ports that one of
their parents has bind()'ed to.
## What has changed to make you do this?
- Last time we tried network sandboxing, there were a few limitations of
sydbox. The most important one was when a child called bind with port
zero, sydbox failed to whitelist this address. Now sydbox looks up
the port from /proc/net/tcp{,6} after the subsequent listen call.
## How to fix a package that gives a network access violation?
- There are a few patches I've written for packages that try to bind to
0.0.0.0, you can have a look at them as an example¹.

I'm going over the tree and fixing packages that try to access the network,
usually in src_test, and I'll release sydbox-0.4 soonish.

If you want to help me (hehe why not) or want to test network sandboxing,
feel free to install sydbox-scm and report back your experiences,
thoughts etc.

Thanks in advance.

¹: http://bit.ly/libwww-perl-sydbox
http://bit.ly/curl-sydbox
--
Regards,
Ali Polatel
_______________________________________________ Exherbo-dev mailing list [email protected] http://lists.exherbo.org/mailman/listinfo/exherbo-dev
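
The port-zero lookup mentioned in the message, sketched as an added example (not sydbox's code and not part of the original post): after listen(), scan text in the /proc/net/tcp{,6} layout for the listening row that belongs to the socket and take its local port as the one to whitelist. Matching rows by socket inode, the helper name `listen_port_for_inode` and the sample table are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in /proc/net/tcp layout (not captured from a real host).
 * Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ... */
static const char SAMPLE_TABLE[] =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1\n"
    "   1: 0100007F:9C41 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31337 1\n"
    "   2: 0100007F:D431 0100007F:9C41 01 00000000:00000000 00:00000000 00000000  1000        0 31400 1\n";

#define TCP_LISTEN 0x0A /* "st" column value for a listening socket */

/* Hypothetical helper: return the local port of the listening socket whose
 * inode is `inode`, or -1 when the table has no such listening row. */
int listen_port_for_inode(const char *table, unsigned long inode)
{
    for (const char *line = table; line && *line; ) {
        unsigned int port, state;
        unsigned long ino;
        /* Width 32 on the address fields also accepts tcp6 rows;
         * the header line fails the first conversion and is skipped. */
        int n = sscanf(line,
                       " %*d: %*32[0-9A-Fa-f]:%4x %*32[0-9A-Fa-f]:%*4x %2x"
                       " %*s %*s %*s %*d %*d %lu",
                       &port, &state, &ino);
        if (n == 3 && state == TCP_LISTEN && ino == inode)
            return (int)port;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

int main(void)
{
    /* 31337 is the constructed inode of the socket that bound to port 0. */
    printf("port to whitelist: %d\n",
           listen_port_for_inode(SAMPLE_TABLE, 31337));
    return 0;
}
```

Only rows in the listen state are accepted, so an established connection that happens to share the table (the third sample row) never yields a port.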
