On Thu, Sep 17, 2009 at 01:30:00PM +0200, Arnd Bergmann wrote:
> On Wednesday 16 September 2009, Michael S. Tsirkin wrote:
> > > Also, I might not want to allow the user to open a
> > > random raw socket, but only one on a specific downstream
> > > port of a macvlan interface, so I can filter out the data from
> > > that respective MAC address in an external switch.
> > 
> > I agree. Maybe we can fix that for raw sockets, want me to
> > add it to the list? :)
> 
> So far, I could not find any theoretical solution how to fix this,

What if the socket had a LOCKBIND ioctl after which you can not bind it to
any other device?  Then someone with RAW capability can open the socket,
bind to device and hand it to you. You can send packets but not
switch to another device.

> but if you think it can be done, it would be good to have it on the
> list somewhere.
> 
>       Arnd <><
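Added example, not code from this thread or from the kernel: the handoff Michael describes, done the way it works on Linux today. A holder of CAP_NET_RAW opens an AF_PACKET socket, binds it to one interface (the macvlan downstream port in Arnd's setup) and passes the descriptor to a consumer over a unix socketpair with SCM_RIGHTS. The consumer then calls bind() on the received socket for a different interface, which the kernel accepts because bind() on a packet socket needs no capability: that is the gap a LOCKBIND ioctl would close. LOCKBIND itself is hypothetical and is not implemented here; the program name, the interface arguments and the helper names are my choices, and the `demo_pass_pipe_fd` self-check is a constructed unprivileged exercise of the same fd-passing code.

```c
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

union fdcmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };	/* room for one fd */

static void init_msg(struct msghdr *msg, struct iovec *iov, union fdcmsg *u)
{
	memset(msg, 0, sizeof *msg);
	memset(u, 0, sizeof *u);
	msg->msg_iov = iov;
	msg->msg_iovlen = 1;
	msg->msg_control = u->buf;
	msg->msg_controllen = sizeof u->buf;
}

/* Pass one descriptor over a unix socket with SCM_RIGHTS; 0 on success. */
int send_fd(int chan, int fd)
{
	char byte = 'F';
	struct iovec iov = { &byte, 1 };
	union fdcmsg u; struct msghdr msg; struct cmsghdr *cm;
	init_msg(&msg, &iov, &u);
	cm = CMSG_FIRSTHDR(&msg);
	cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cm), &fd, sizeof(int));
	return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor passed with SCM_RIGHTS; the new fd, or -1. */
int recv_fd(int chan)
{
	char byte;
	struct iovec iov = { &byte, 1 };
	union fdcmsg u; struct msghdr msg; struct cmsghdr *cm; int fd;
	init_msg(&msg, &iov, &u);
	if (recvmsg(chan, &msg, 0) != 1)
		return -1;
	cm = CMSG_FIRSTHDR(&msg);
	if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cm), sizeof(int));
	return fd;
}

/* Bind an AF_PACKET socket to one interface. Opening the socket needs
 * CAP_NET_RAW; bind() does not, so whoever holds the fd can redo this. */
int bind_packet_socket(int fd, int ifindex)
{
	struct sockaddr_ll sll = { .sll_family = AF_PACKET,
				   .sll_protocol = htons(ETH_P_ALL), .sll_ifindex = ifindex };
	return bind(fd, (struct sockaddr *)&sll, sizeof sll);
}

/* Unprivileged self-check (constructed): pass a pipe's write end over a
 * socketpair and confirm the received descriptor still reaches that pipe. */
int demo_pass_pipe_fd(void)
{
	int sp[2], p[2], got;
	char c = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0 || pipe(p) < 0)
		return 0;
	if (send_fd(sp[0], p[1]) < 0 || (got = recv_fd(sp[1])) < 0)
		return 0;
	if (write(got, "x", 1) != 1 || read(p[0], &c, 1) != 1)
		return 0;
	close(got); close(sp[0]); close(sp[1]); close(p[0]); close(p[1]);
	return c == 'x';
}

/* Run with CAP_NET_RAW: ./lockbind <allowed-if> <other-if> */
int main(int argc, char **argv)
{
	int sp[2], fd, other, status;
	if (argc != 3 || socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
		return 2;
	other = if_nametoindex(argv[2]);
	fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));	/* needs CAP_NET_RAW */
	if (fd < 0 || !other || bind_packet_socket(fd, if_nametoindex(argv[1])) < 0)
		return perror("open/bind"), 1;
	if (fork() == 0) {		/* consumer: keeps only what it is handed */
		close(fd); fd = recv_fd(sp[1]);
		_exit(fd >= 0 && bind_packet_socket(fd, other) == 0 ? 0 : 1);
	}
	send_fd(sp[0], fd);		/* privileged side hands it over */
	wait(&status);
	printf("rebind of the handed-over socket to %s %s\n", argv[2],
	       WEXITSTATUS(status) == 0 ? "succeeded: the handoff alone does not pin it" : "was refused");
	return 0;
}
```

On a current kernel the consumer's rebind succeeds, which is exactly why the handoff alone does not confine the consumer to one macvlan port; with the proposed ioctl the opener would bind, issue LOCKBIND, and only then pass the descriptor, so the child's second bind() would be refused while send() on the original port keeps working. The fork keeps the example in one file; a real consumer would be a separate, unprivileged process that never had the socket except through the handoff.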