On Wed, Dec 14, 2016 at 02:01:35PM +0000, David Laight wrote: > From: Richard Haines > > Sent: 14 December 2016 13:40 > > Add SELinux support for the SCTP protocol. The SELinux-sctp.txt document > > describes how the patch has been implemented with an example policy and > > tests using lkstcp-tools. > ... > > +SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be > > + associated after (optionally) calling bind(2) > > + if given the "bind_add" permission. > > Does restricting bindx make any sense at all? > The only addresses than can be specified are those of local interfaces. > If bindx isn't called then the default is to include the addresses of > all local interfaces. > So bindx only actually removes local addresses, it doesn't add them. You could bind the socket while on a priviledged process and then drop the priviledges, like daemons do for binding on lower ports. Then the application wouldn't be able to bind on another address that it's not expected to. Marcelo -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
