On Tue, Nov 26, 2019 at 04:13:13PM -0800, Maciej Żenczykowski wrote:
> From: Maciej Żenczykowski <maze@xxxxxxxxxx>
>
> and associated inet_is_local_unbindable_port() helper function:
> use it to make explicitly binding to an unbindable port return
> -EPERM 'Operation not permitted'.
>
> Autobind doesn't honour this new sysctl since:
> (a) you can simply set both if that's the behaviour you desire
> (b) there could be a use for preventing explicit while allowing auto
> (c) it's faster in the relatively critical path of doing port selection
> during connect() to only check one bitmap instead of both
...
> If we *know* that certain ports are simply unusable, then it's better
> nothing even gets the opportunity to try to use them. This way we at
> least get a quick failure, instead of some sort of timeout (or possibly
> even corruption of the data stream of the non-kernel based use case).

This is doable with SELinux today, no?
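As an added illustration (not code from the patch or the thread), the following userspace model shows the asymmetry the quoted mail describes: an explicit bind() consults the new unbindable bitmap and fails with -EPERM, while autobind consults only the existing reserved-port bitmap. It assumes the same "80,8000-8100" range-list syntax that the kernel's ip_local_reserved_ports sysctl accepts; the class and method names are constructed for the example.

```python
"""Userspace model of the proposed unbindable-port check (constructed example,
not the kernel patch). Two port sets stand in for the two kernel bitmaps:
one consulted on explicit bind(), one skipped over during autobind."""
import errno


def parse_port_list(spec):
    """Parse "n,n-m,..." (the ip_local_reserved_ports syntax) into a set of
    ports; reject empty ranges and anything outside 1-65535."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo_p, hi_p = int(lo), int(hi or lo)
        if not (1 <= lo_p <= hi_p <= 65535):
            raise ValueError(f"bad port range: {item!r}")
        ports.update(range(lo_p, hi_p + 1))
    return ports


class PortPolicy:
    def __init__(self, reserved="", unbindable=""):
        self.reserved = parse_port_list(reserved)      # skipped by autobind
        self.unbindable = parse_port_list(unbindable)  # refused on explicit bind

    def is_local_unbindable_port(self, port):
        return port in self.unbindable

    def explicit_bind(self, port):
        """Return 0 on success or -errno, mirroring the in-kernel bind path.
        Port 0 means 'pick one for me', i.e. autobind, so it is not checked."""
        if port != 0 and self.is_local_unbindable_port(port):
            return -errno.EPERM
        return 0

    def autobind(self, lo=32768, hi=60999):
        """Pick the first free ephemeral port in [lo, hi], consulting only the
        reserved set (point (c) in the mail: one bitmap check on connect())."""
        for port in range(lo, hi + 1):
            if port not in self.reserved:
                return port
        return -errno.EADDRNOTAVAIL
```

Setting the same port in both lists (point (a) in the mail) is what blocks it for both explicit bind and autobind.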