Re: [PATCH v2] socket.7: Document some BPF-related socket options

 ❦  1 March 2016 21:26 +0100, "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx>:

>> The typical use case is still about privileges since a fully privileged
>> process could just create a similar socket without the filter. It makes
>> little sense to create a socket, add a filter and lock it if you keep
>> your privileges.
>
> Thanks. That, plus a reread of the commit message was the info I needed.
> The point here is that we're talking about raw sockets, right? I 
> reworded that paragraph to:
>
>               The typical use case is for a privileged process to  set
>               up   a  raw  socket  (an  operation  that  requires  the
>               CAP_NET_RAW capability), apply a restrictive filter, set
>               the  SO_LOCK_FILTER  option,  and  then  either drop its
>               privileges or pass the  socket  file  descriptor  to  an
>               unprivileged process via a UNIX domain socket.

Perfect for me.
-- 
The better part of valor is discretion.
		-- William Shakespeare, "Henry IV"