Hello.

Stephen Smalley wrote:
> It doesn't do any good to return an error _after_ the new connection has
> been set up or the data transfer has already happened.  Userspace
> already has what it needs and another thread can already begin using it
> _before_ you take any action in those post hooks.
Well. What I want to do is "per-domain iptables". For example,
domain sshd_t can accept() connections from 10.0.0.0-10.255.255.255,
while domain httpd_t can accept() connections from 192.168.0.0-192.168.255.255.
TOMOYO Linux does it by

<kernel> /usr/sbin/sshd
allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535

<kernel> /usr/sbin/httpd
allow_network TCP accept 192.168.0.0-192.168.255.255 1024-65535

Aborting a connection after it has been accept()ed is not the best way.
But to check before accept(), I would have to patch select() not to return
"ready for accepting connection"; otherwise, select() returning "ready for
accepting connection" but accept() returning "not allowed to accept from this
address" would cause meaningless CPU consumption.
So, aborting the accept()ed connection is second best for me.

Thank you.
-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
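The two policy lines above say that sshd_t may accept() only from 10.0.0.0-10.255.255.255 and httpd_t only from 192.168.0.0-192.168.255.255, both restricted to peer ports 1024-65535, and the reply explains why the check ends up running after accept() rather than before. The following C program is an added example, written for this page and not code from TOMOYO Linux or from the mail: it parses rules of that `<ip>-<ip> <port>-<port>` shape into a hypothetical `struct accept_rule`, decides whether a peer address matches, and shows the "second best" userspace analogue of a post-accept check, where a completed connection is closed if the peer is outside the allowed range. The struct and function names (`accept_rule`, `parse_accept_rule`, `peer_allowed`, `accept_checked`) are this example's own; the rule strings are copied from the mail, and the peers tested in `main` are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical in-memory form of one TOMOYO-style rule such as
 *   allow_network TCP accept 10.0.0.0-10.255.255.255 1024-65535
 * Names and layout are this example's, not TOMOYO's internal structures. */
struct accept_rule {
    uint32_t ip_lo, ip_hi;     /* IPv4 range, host byte order, inclusive */
    uint16_t port_lo, port_hi; /* peer port range, inclusive */
};

/* Parse "<ip>-<ip> <port>-<port>" (the part after "TCP accept").
 * Returns 0 on success, -1 on malformed input or an inverted range. */
int parse_accept_rule(const char *spec, struct accept_rule *r)
{
    char lo[INET_ADDRSTRLEN], hi[INET_ADDRSTRLEN];
    unsigned plo, phi;
    struct in_addr a, b;

    if (sscanf(spec, "%15[0-9.]-%15[0-9.] %u-%u", lo, hi, &plo, &phi) != 4)
        return -1;
    if (inet_pton(AF_INET, lo, &a) != 1 || inet_pton(AF_INET, hi, &b) != 1)
        return -1;
    if (plo > 65535 || phi > 65535)
        return -1;
    r->ip_lo = ntohl(a.s_addr);
    r->ip_hi = ntohl(b.s_addr);
    r->port_lo = (uint16_t)plo;
    r->port_hi = (uint16_t)phi;
    if (r->ip_lo > r->ip_hi || r->port_lo > r->port_hi)
        return -1;
    return 0;
}

/* Does a peer (address and port in host byte order) fall inside the rule? */
int rule_matches(const struct accept_rule *r, uint32_t ip, uint16_t port)
{
    return ip >= r->ip_lo && ip <= r->ip_hi &&
           port >= r->port_lo && port <= r->port_hi;
}

/* Allowed if any rule of the domain's policy matches the peer. */
int peer_allowed(const struct accept_rule *rules, size_t n,
                 const struct sockaddr_in *peer)
{
    uint32_t ip = ntohl(peer->sin_addr.s_addr);
    uint16_t port = ntohs(peer->sin_port);
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], ip, port))
            return 1;
    return 0;
}

/* Convenience wrapper for string addresses (used by main and by tests). */
int check_peer_str(const struct accept_rule *rules, size_t n,
                   const char *ip, unsigned port)
{
    struct sockaddr_in peer;
    memset(&peer, 0, sizeof peer);
    peer.sin_family = AF_INET;
    peer.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, ip, &peer.sin_addr) != 1)
        return 0;
    return peer_allowed(rules, n, &peer);
}

/* The "second best" approach from the mail, in userspace terms: the TCP
 * handshake has already completed when accept() returns, so all that can be
 * done is to close the new socket. Returns the fd if allowed, -1 otherwise. */
int accept_checked(int listen_fd, const struct accept_rule *rules, size_t n)
{
    struct sockaddr_in peer;
    socklen_t len = sizeof peer;
    int fd = accept(listen_fd, (struct sockaddr *)&peer, &len);
    if (fd < 0)
        return -1;
    if (peer.sin_family != AF_INET || !peer_allowed(rules, n, &peer)) {
        close(fd); /* connection existed for a moment; we only tear it down */
        return -1;
    }
    return fd;
}

int main(void)
{
    struct accept_rule sshd_rule, httpd_rule;
    /* Rule bodies copied from the two policy lines in the mail. */
    if (parse_accept_rule("10.0.0.0-10.255.255.255 1024-65535", &sshd_rule) ||
        parse_accept_rule("192.168.0.0-192.168.255.255 1024-65535", &httpd_rule))
        return 1;
    /* Constructed peers for illustration. */
    printf("sshd_t  from 10.3.4.5:40000   -> %s\n",
           check_peer_str(&sshd_rule, 1, "10.3.4.5", 40000) ? "allow" : "deny");
    printf("sshd_t  from 192.168.7.7:2000 -> %s\n",
           check_peer_str(&sshd_rule, 1, "192.168.7.7", 2000) ? "allow" : "deny");
    printf("httpd_t from 192.168.7.7:2000 -> %s\n",
           check_peer_str(&httpd_rule, 1, "192.168.7.7", 2000) ? "allow" : "deny");
    printf("httpd_t from 192.168.7.7:80   -> %s\n",
           check_peer_str(&httpd_rule, 1, "192.168.7.7", 80) ? "allow" : "deny");
    return 0;
}
```

The matching logic is the same whether it runs in an LSM hook or in userspace; what differs is the point in time. `accept_checked` makes the timing problem visible: the peer has already completed the handshake before the decision is taken, so a denied peer observes a connection that is established and then closed, which is the behaviour the reply accepts as "second best" rather than patching select() to hide the not-yet-checked connection.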
