Am 22.12.2014 um 11:49 schrieb Florian Weimer:
On 12/21/2014 05:28 PM, Björn Persson wrote:Alternatively, cut out the packet filter and have GlibC ask the user whether the call to bind or connect shall be allowed to succeed (or automatically allow or deny the call if so configured). This has the advantage that the program is informed that it's not allowed to communicate.glibc is the wrong place for this, and a patch in this direction has absolutely zero chance of being accepted upstream. We also ship applications which call system calls directly, not through glibc, so patching glibc would not even work at a technical level. However, a Linux Security Module such as SELinux could audit socket creation, and provide the user with means to override the default choices. However, this will be extremely controversial (even more so than the open firewall) because it will remind people of “personal firewalls” on Windows.
and exactly the behavior of "personal firewalls" on Windows is needed when somebody insinuates users can't handle a static firewall configuration at all and a few broken applications with random ports don't get fixed by intention
Attachment:
signature.asc
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
