On Friday 05 February 2010 08:01:43 you wrote:
> >> If you can accept his version, I want to use his version (with an
> >> interface for updating above "reserved_ports" by not only root user's
> >> sysctl() but also MAC's policy configuration).
> >
> > I think that simply using an interface to update the reserved_ports from
> > MAC policy configuration module wouldn't work, as root will be able to
> > modify the policy via sysctl.
> >
> > I think that we might need to:
> >
> > a) have a reserved_port updater
> >
> > b) put a LSM hook into that
> >
> > c) use the reserved_port updater from sysctl
>
> Ideally, you'd provide an interface for port allocator to use, so
> doing port reservation will be easier.
>

If I understand the TOMOYO requirements correctly, we need a way to restrict a user action based on some security policy (in this case the ability to clear reserved ports). Traditionally that has been done with LSM hooks, so I think that approach is preferable.

--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html