From: Maciej Żenczykowski <zenczykowski@xxxxxxxxx>
Date: Wed, 27 Nov 2019 12:50:39 -0800

> On Wed, Nov 27, 2019 at 5:14 AM Marcelo Ricardo Leitner
> <marcelo.leitner@xxxxxxxxx> wrote:
>>
>> On Tue, Nov 26, 2019 at 04:13:13PM -0800, Maciej Żenczykowski wrote:
>> > From: Maciej Żenczykowski <maze@xxxxxxxxxx>
>> >
>> > and associated inet_is_local_unbindable_port() helper function:
>> > use it to make explicitly binding to an unbindable port return
>> > -EPERM 'Operation not permitted'.
>> >
>> > Autobind doesn't honour this new sysctl since:
>> > (a) you can simply set both if that's the behaviour you desire
>> > (b) there could be a use for preventing explicit while allowing auto
>> > (c) it's faster in the relatively critical path of doing port selection
>> > during connect() to only check one bitmap instead of both
>> ...
>> > If we *know* that certain ports are simply unusable, then it's better
>> > nothing even gets the opportunity to try to use them. This way we at
>> > least get a quick failure, instead of some sort of timeout (or possibly
>> > even corruption of the data stream of the non-kernel based use case).
>>
>> This is doable with SELinux today, no?
>
> Perhaps, but SELinux isn't used by many distros, including the servers
> where I have nics that steal some ports. It's also much much
> more difficult, requiring a policy, compilers, etc... and it gets even
> more complex if you need to dynamically modify the set of ports,
> which requires extra tools and runtime permissions.

I can see both sides of this argument, but anyways this is a new feature
and thus net-next material. It's nice to keep this discussion going, of
course, but if this trends in the positive you still need to resubmit this
when net-next opens back up.

Thanks.
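As an added illustration of the bind()/autobind asymmetry the quoted commit message describes, here is a small userspace C model of it. This is not the patch's code and not from anyone in the thread: it keeps one bit per port in two bitmaps (an "unbindable" set consulted only by explicit bind(), and a "reserved" set consulted only by port selection during connect()), so the three stated reasons can be exercised without a patched kernel. The function names (`parse_port_list`, `model_bind`, `model_autobind`, the `*_from_text` wrappers), the comma/range list syntax and every port number are assumptions chosen for the example.

```c
/* Added example: userspace model of an "unbindable ports" bitmap check.
 * Not the patch's code; names, list syntax and port numbers are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PORT_COUNT 65536
#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* One bit per port, in the spirit of the kernel's per-netns port bitmaps. */
typedef struct { unsigned long bits[PORT_COUNT / BITS_PER_LONG]; } port_bitmap;

static void bitmap_set_port(port_bitmap *bm, unsigned port) {
    bm->bits[port / BITS_PER_LONG] |= 1UL << (port % BITS_PER_LONG);
}

static bool bitmap_test_port(const port_bitmap *bm, unsigned port) {
    return (bm->bits[port / BITS_PER_LONG] >> (port % BITS_PER_LONG)) & 1UL;
}

/* Parse "53,8000-8010" style text (assumed syntax: ports and inclusive
 * ranges separated by commas) into the bitmap. 0 on success, -EINVAL if
 * malformed or out of 0..65535. */
int parse_port_list(const char *text, port_bitmap *bm) {
    memset(bm, 0, sizeof(*bm));
    const char *p = text;
    while (*p) {
        char *end;
        long lo = strtol(p, &end, 10);
        if (end == p || lo < 0 || lo >= PORT_COUNT) return -EINVAL;
        long hi = lo;
        if (*end == '-') {
            p = end + 1;
            hi = strtol(p, &end, 10);
            if (end == p || hi < lo || hi >= PORT_COUNT) return -EINVAL;
        }
        for (long port = lo; port <= hi; port++) bitmap_set_port(bm, (unsigned)port);
        if (*end == ',') end++;
        else if (*end != '\0') return -EINVAL;
        p = end;
    }
    return 0;
}

/* Stand-in for the proposed inet_is_local_unbindable_port() helper. */
static bool is_local_unbindable_port(const port_bitmap *unbindable, unsigned port) {
    return bitmap_test_port(unbindable, port);
}

/* Explicit bind(): port 0 means "pick one for me" and is left to autobind;
 * any other port in the unbindable set fails with -EPERM. */
int model_bind(const port_bitmap *unbindable, unsigned port) {
    if (port == 0) return 0;
    if (is_local_unbindable_port(unbindable, port)) return -EPERM;
    return 0;
}

/* Autobind during connect(): checks only the reserved bitmap (one lookup,
 * reason (c) in the message), skips in-use ports, returns the first
 * candidate in [lo, hi] or -EADDRNOTAVAIL. */
int model_autobind(const port_bitmap *reserved, const port_bitmap *in_use,
                   unsigned lo, unsigned hi) {
    for (unsigned port = lo; port <= hi; port++) {
        if (bitmap_test_port(reserved, port) || bitmap_test_port(in_use, port)) continue;
        return (int)port;
    }
    return -EADDRNOTAVAIL;
}

/* Convenience wrappers: parse the lists, then run one check. */
int bind_check_from_text(const char *unbindable_text, unsigned port) {
    port_bitmap bm;
    int rc = parse_port_list(unbindable_text, &bm);
    return rc ? rc : model_bind(&bm, port);
}

int autobind_from_text(const char *reserved_text, const char *in_use_text,
                       unsigned lo, unsigned hi) {
    port_bitmap reserved, in_use;
    if (parse_port_list(reserved_text, &reserved) || parse_port_list(in_use_text, &in_use))
        return -EINVAL;
    return model_autobind(&reserved, &in_use, lo, hi);
}

int main(void) {
    /* Constructed sample: a NIC "steals" 8080 and 9000-9010; only 9000-9002
     * are also reserved, so autobind may still hand out 9003. */
    printf("bind(8080)  -> %d\n", bind_check_from_text("8080,9000-9010", 8080));
    printf("bind(8081)  -> %d\n", bind_check_from_text("8080,9000-9010", 8081));
    printf("autobind    -> %d\n", autobind_from_text("9000-9002", "", 9000, 9005));
    return 0;
}
```

The last call in `main` is the point of reason (a): a port that is unbindable but not reserved is still handed out by autobind, so an operator who wants it excluded from both paths has to set both lists.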