I've realized that this would not work in the case of DNS round-robin load balancing, because the IP used by a sandboxed program may differ from the IP set by my application (which calls the sandbox).

So now I propose the following alternative:

    struct full_host_desc_t {
        struct sockaddr *ADDR;
        socklen_t LENGTH;
    };

    int selinux_restrict_domains(struct full_host_desc_t *hosts, unsigned int num_hosts);

Maybe a more efficient API can be constructed.

09.01.2014, 21:02, "Victor Porton" <porton@xxxxxxxx>:
> Sorry, it should restrict not only domain but also port and protocol.
>
> So I propose this new syscall to restrict an application by "same-origin" policy:
>
>     int selinux_restrict_domain(struct sockaddr *ADDR, socklen_t LENGTH);
>
> I am not sure that it is the best API specification. Please comment.
>
> Note that probably all connections we need are TCP (not UDP), but we can support all protocols for completeness.
>
> 09.01.2014, 18:59, "Victor Porton" <porton@xxxxxxxx>:
>
>> 09.01.2014, 18:39, "Victor Porton" <porton@xxxxxxxx>:
>>> I remind that sandbox is implemented in Fedora using SELinux.
>>>
>>> It would be useful to restrict a sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>>
>>> It seems it is impossible with current SELinux.
>>>
>>> Could you add necessary features? Please!
>> You could add a syscall like:
>>
>>     int selinux_restrict_domain(const char *domain);
>>
>> (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
>>
>> --
>> Victor Porton - http://portonvictor.org
>
> --
> Victor Porton - http://portonvictor.org
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
--
Victor Porton - http://portonvictor.org
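
An added illustration, not part of the original message and not kernel or SELinux code: a userspace model of the matching that the proposed `selinux_restrict_domains` list implies. A destination passes only if its family, address and port equal a listed entry, so every address behind a round-robin name has to be in the list. `same_endpoint`, `connect_allowed`, `make_v4` and `demo_round_robin` are hypothetical names, and the 192.0.2.x addresses are constructed sample data.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Struct from the proposal in the message. */
struct full_host_desc_t { struct sockaddr *ADDR; socklen_t LENGTH; };

/* Hypothetical helper: 1 if a and b have the same family, address and port. */
static int same_endpoint(const struct sockaddr *a, const struct sockaddr *b) {
    if (a->sa_family != b->sa_family) return 0;
    if (a->sa_family == AF_INET) {
        const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
        return x->sin_port == y->sin_port &&
               x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->sa_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)b;
        return x->sin6_port == y->sin6_port &&
               memcmp(&x->sin6_addr, &y->sin6_addr, sizeof x->sin6_addr) == 0;
    }
    return 0; /* unknown address family: deny */
}

/* Hypothetical model of the check: only listed endpoints may be reached. */
int connect_allowed(const struct full_host_desc_t *hosts, unsigned int num_hosts,
                    const struct sockaddr *dst, socklen_t dst_len) {
    for (unsigned int i = 0; i < num_hosts; i++)
        if (hosts[i].LENGTH == dst_len && same_endpoint(hosts[i].ADDR, dst))
            return 1;
    return 0; /* default deny */
}

/* Build an IPv4 endpoint from a numeric literal and a host-order port. */
static struct sockaddr_in make_v4(const char *ip, unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Constructed scenario: one name with two round-robin A records, port 443. */
int demo_round_robin(const char *dst_ip, unsigned short dst_port) {
    struct sockaddr_in a = make_v4("192.0.2.10", 443), b = make_v4("192.0.2.11", 443);
    struct full_host_desc_t hosts[] = { { (struct sockaddr *)&a, sizeof a },
                                        { (struct sockaddr *)&b, sizeof b } };
    struct sockaddr_in dst = make_v4(dst_ip, dst_port);
    return connect_allowed(hosts, 2, (struct sockaddr *)&dst, sizeof dst);
}
int main(void) { return demo_round_robin("192.0.2.11", 443) == 1 ? 0 : 1; }
```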