Hello.

Casey Schaufler wrote:
> Putting access control on ports rather than sockets is a novel
> approach. It is a lot simpler underneath and more consistent with
> the way other object name spaces are treated.

I prefer Novell's approach. It is easy, like using iptables.
In TOMOYO Linux, I do it in the following way.

allow_network TCP bind 192.168.1.17 8081 if task.uid=1017
allow_network UDP bind 192.168.1.17 8081 if task.uid=1017
allow_network TCP bind 192.168.1.26 8081 if task.uid=1026
allow_network UDP bind 192.168.1.26 8081 if task.uid=1026

I wish LSM had post-accept() and post-recvmsg() hooks.
Don't you think it would be nice if an administrator could limit clients' IP addresses and ports (even if tcp-wrappers was bypassed due to a buffer overflow)?

-
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
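Added example (editor's illustration, not the message author's code and not TOMOYO's kernel implementation): a small user-space evaluator for policy lines of the shape quoted above, `allow_network <TCP|UDP> <op> <ipv4> <port> [if task.uid=<uid>]`, with default deny. The four sample rules are the ones from the message; the struct, function names and the rule cap are this example's own assumptions. It shows what the per-port, per-uid semantics of those lines amount to: a bind is permitted only if protocol, operation, address, port and (when present) the uid condition all match one rule.

```c
/*
 * Illustrative evaluator for TOMOYO-style allow_network lines.
 * Not TOMOYO's code: names and limits here are this example's assumptions.
 * Grammar handled: allow_network <TCP|UDP> <op> <ipv4> <port> [if task.uid=<uid>]
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16          /* assumed cap for this example */

struct net_rule {
    char proto[8];            /* "TCP" or "UDP" */
    char op[8];               /* "bind", "connect", ... as written in the policy */
    uint32_t addr;            /* IPv4 address, host byte order */
    uint16_t port;
    int uid;                  /* -1 when the rule carries no task.uid condition */
};

static struct net_rule rules[MAX_RULES];
static int nrules;

/* Parse one policy line into the rule table. Returns 0 on success, -1 on error. */
int parse_rule(const char *line)
{
    char proto[8], op[8], ip[16];
    unsigned port;
    int uid = -1;             /* stays -1 if the "if task.uid=" clause is absent */
    int n;
    struct in_addr in;
    struct net_rule *r;

    if (nrules >= MAX_RULES)
        return -1;
    n = sscanf(line, "allow_network %7s %7s %15s %u if task.uid=%d",
               proto, op, ip, &port, &uid);
    if (n != 4 && n != 5)
        return -1;
    if (strcmp(proto, "TCP") != 0 && strcmp(proto, "UDP") != 0)
        return -1;
    if (port > 65535 || inet_pton(AF_INET, ip, &in) != 1)
        return -1;

    r = &rules[nrules++];
    strcpy(r->proto, proto);
    strcpy(r->op, op);
    r->addr = ntohl(in.s_addr);
    r->port = (uint16_t)port;
    r->uid = uid;
    return 0;
}

/*
 * Decide whether a task running as <uid> may perform <op> on <ip>:<port>
 * over <proto>. Every field must match one rule; no matching rule means deny.
 */
int net_allowed(const char *proto, const char *op, const char *ip,
                unsigned port, int uid)
{
    struct in_addr in;
    uint32_t addr;
    int i;

    if (inet_pton(AF_INET, ip, &in) != 1)
        return 0;
    addr = ntohl(in.s_addr);
    for (i = 0; i < nrules; i++) {
        const struct net_rule *r = &rules[i];
        if (strcmp(r->proto, proto) != 0 || strcmp(r->op, op) != 0)
            continue;
        if (r->addr != addr || r->port != port)
            continue;
        if (r->uid != -1 && r->uid != uid)
            continue;
        return 1;
    }
    return 0;
}

/* Load the four policy lines from the message (constructed sample). Returns rules loaded, -1 on error. */
int load_sample_policy(void)
{
    static const char *policy[] = {
        "allow_network TCP bind 192.168.1.17 8081 if task.uid=1017",
        "allow_network UDP bind 192.168.1.17 8081 if task.uid=1017",
        "allow_network TCP bind 192.168.1.26 8081 if task.uid=1026",
        "allow_network UDP bind 192.168.1.26 8081 if task.uid=1026",
    };
    size_t i;

    nrules = 0;
    for (i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (parse_rule(policy[i]) != 0)
            return -1;
    return nrules;
}

int main(void)
{
    load_sample_policy();
    printf("uid 1017 bind TCP 192.168.1.17:8081 -> %s\n",
           net_allowed("TCP", "bind", "192.168.1.17", 8081, 1017) ? "allow" : "deny");
    printf("uid 1017 bind TCP 192.168.1.26:8081 -> %s\n",
           net_allowed("TCP", "bind", "192.168.1.26", 8081, 1017) ? "allow" : "deny");
    return 0;
}
```

The decision is made on the port/address name space, not on a socket object, which is the point of the quoted comparison: a rule either exists for that exact (proto, op, addr, port) and uid, or the operation is refused. The same table lookup applied to the peer address after accept() or recvmsg() is what the post-accept()/post-recvmsg() hooks asked for above would make possible in-kernel.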
