>On Tue, 2009-12-22 at 06:26 -0800, Casper Dik wrote:
>> This project proposes one new "basic" privilege.
>> 
>> NET_ACCESS
>>      Allows a process to open a network connection.
>> 
>> The purpose of this privilege is the ability to create a process
>> confined to the current system.
>
>Semantic nit: This mechanism accomplishes that and more.  For example,
>without this privilege, a process also cannot open a PF_INET* socket to
>communicate locally using the loopback address.  I assume that this is
>an acceptable situation for the intended consumer, otherwise one would
>need some more complex mechanism (perhaps involving the proposed socket
>filter framework PSARC 2009/590).


True; however, we have sufficient local transport available and we also 
have nscd; no need for ordinary applications to directly call the NIS/LDAP/
DNS server.

Casper
