Casper Dik wrote:
> This project proposes one new "basic" privilege.
>
> NET_ACCESS
>         Allows a process to open a network connection.
>
> The purpose of this privilege is the ability to create a process
> confined to the current system.
>
> The NET_ACCESS basic privilege is required for opening any IP endpoint
> (socket(), t_open()) except those which already require a different
> privilege, e.g., raw sockets.
I don't understand the motivation for excluding the raw sockets and/or ICMP
sockets from checking NET_ACCESS. It seems simpler from a user perspective if
removing NET_ACCESS has the effect of making the user no longer able to open
any TCP, UDP, SCTP, or RAW sockets. Thus I think it makes sense to remove the
above exception.

Do we know if there is any impact to getaddrinfo() and friends? I believe the
library code opens a UDP socket to issue SIOC ioctls (done as part of
verifying whether IPv4 and/or IPv6 is configured on the system). Perhaps that
isn't an architectural issue, but we need to make sure there aren't any
confusing failures or error messages when NET_ACCESS has been removed from
the privilege set.

    Erik