On Wed, Nov 27, 2019 at 5:14 AM Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> wrote:
>
> On Tue, Nov 26, 2019 at 04:13:13PM -0800, Maciej Żenczykowski wrote:
> > From: Maciej Żenczykowski <maze@xxxxxxxxxx>
> >
> > and associated inet_is_local_unbindable_port() helper function:
> > use it to make explicitly binding to an unbindable port return
> > -EPERM 'Operation not permitted'.
> >
> > Autobind doesn't honour this new sysctl since:
> > (a) you can simply set both if that's the behaviour you desire
> > (b) there could be a use for preventing explicit while allowing auto
> > (c) it's faster in the relatively critical path of doing port selection
> > during connect() to only check one bitmap instead of both
> ...
> > If we *know* that certain ports are simply unusable, then it's better
> > nothing even gets the opportunity to try to use them. This way we at
> > least get a quick failure, instead of some sort of timeout (or possibly
> > even corruption of the data stream of the non-kernel based use case).
>
> This is doable with SELinux today, no?

Perhaps, but SELinux isn't used by many distros, including the servers
where I have NICs that steal some ports.

It's also much much more difficult, requiring a policy, compilers, etc...
and it gets even more complex if you need to dynamically modify the set
of ports, which requires extra tools and runtime permissions.
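The behaviour the thread describes, an explicit bind() failing fast with -EPERM while connect()-time autobind is left alone, can be checked from userspace with a small script. The following is an added example, not code from the patch or from either correspondent; it assumes a placeholder sysctl path (the thread only says "this new sysctl" and never names it), and on a kernel without the patch it only exercises the ordinary EADDRINUSE and autobind cases, which is what the assertions below cover.

```python
import errno
import socket

# Assumed sysctl path: the thread refers only to "this new sysctl", so the
# name below is a placeholder, not an identifier taken from the discussion.
UNBINDABLE_SYSCTL = "/proc/sys/net/ipv4/ip_local_unbindable_ports"  # placeholder

# What each errno from an explicit bind() tells an operator checking a host.
BIND_ERRNO_MEANING = {
    "EPERM": "port is administratively unbindable (the sysctl from the thread)",
    "EADDRINUSE": "port is already bound by another socket",
    "EACCES": "privileged port and the process lacks CAP_NET_BIND_SERVICE",
}


def read_unbindable_sysctl(path=UNBINDABLE_SYSCTL):
    """Return the raw sysctl value, or None when this kernel has no such knob."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def try_explicit_bind(port, host="127.0.0.1"):
    """Explicitly bind() a fresh TCP socket to host:port.

    Returns None on success, otherwise the errno name ('EPERM', 'EADDRINUSE', ...).
    This is the path the patch makes fail quickly for unbindable ports.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, f"errno {e.errno}")
    finally:
        s.close()


def explain_bind_result(name):
    """Human-readable meaning of a try_explicit_bind() return value."""
    if name is None:
        return "bind succeeded"
    return BIND_ERRNO_MEANING.get(name, f"bind failed with {name}")


def bind_while_held():
    """Hold an ephemeral port with a listener, then try a second explicit bind to it.

    On an ordinary kernel this is the EADDRINUSE case, distinct from the EPERM
    case the sysctl introduces; keeping the two apart matters when reading
    failures on a host where a NIC firmware or offload engine owns some ports.
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        return try_explicit_bind(port)
    finally:
        holder.close()


def autobind_source_port():
    """connect() without an explicit bind(), so the kernel autobinds the source port.

    Returns the port the kernel chose. Per the thread, this selection path
    checks only its own bitmap and does not consult the unbindable sysctl.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        client.connect(listener.getsockname())
        return client.getsockname()[1]
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    print("unbindable sysctl present:", read_unbindable_sysctl() is not None)
    print("second bind to a held port:", explain_bind_result(bind_while_held()))
    print("autobound source port:", autobind_source_port())
```

On a kernel carrying the patch, an explicit `try_explicit_bind(<port listed in the sysctl>)` is expected to return `"EPERM"` immediately, whereas `autobind_source_port()` may still hand out such a port unless the autobind-side sysctl the thread mentions is set as well.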