On 03/01/2016 11:43 PM, Vincent Bernat wrote: > ❦ 1 mars 2016 21:26 +0100, "Michael Kerrisk (man-pages)" <mtk.manpages@xxxxxxxxx> : > >>> The typical use case is still about privileges since a fully privileged >>> process could just create a similar socket without the filter. It makes >>> little sense to create a socket, add a filter and lock it if you keep >>> your privileges. >> >> Thanks. That, plus a reread of the commit message was the info I needed. >> The point here is that we're talking about raw sockets, right? I >> reworded that paragraph to: >> >> The typical use case is for a privileged process to set >> up a raw socket (an operation that requires the >> CAP_NET_RAW capability), apply a restrictive filter, set >> the SO_LOCK_FILTER option, and then either drop its >> privileges or pass the socket file descriptor to an >> unprivileged process via a UNIX domain socket. > > Perfect for me. Good. Thanks for checking it, Vincent. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/ -- To unsubscribe from this list: send the line "unsubscribe linux-man" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
