On Tue, Aug 23, 2016 at 1:49 AM, Parav Pandit <pandit.parav@xxxxxxxxx> wrote:
> Hi Anoop,
>
> Regardless of use case, I think this functionality is best handled as
> LSM functionality instead of cgroup.
>

I'm not so sure about that. Cgroup APIs are useful and this is just an extension to it.

> Tasks which are proposed in this patch are related to access control checks.
> LSM already has required hooks for socket operations such as bind(),
> listen() as few small examples.
>
> Refer to security_socket_listen() which invokes LSM specific hooks.
> This is invoked in source/net/socket.c as part of listen() system call.
> LSM hook callback can check whether a given process can listen to
> requested UDP port or not.
>

This has administrative overhead that is not addressed. The underlying cgroup infrastructure takes care of it in this (current) implementation.

> Parav
>
> [...]