09.01.2014, 21:21, "Victor Porton" <porton@xxxxxxxx>:
> I've realized that this would not work in the case of DNS round-robin load balancing, because the IP used by a sandboxed program may differ from the IP set by my application (which calls the sandbox).
>
> So now I propose the following alternative
>
> struct full_host_desc_t {
>   struct sockaddr *ADDR, socklen_t LENGTH;
> };

// a little error: '.' instead of ';'

struct full_host_desc_t {
  struct sockaddr *ADDR;
  socklen_t LENGTH;
};

> int selinux_restrict_domains(struct full_host_desc_t *hosts, unsigned int num_hosts);
>
> Maybe there can be constructed a more efficient API.
>
> 09.01.2014, 21:02, "Victor Porton" <porton@xxxxxxxx>:
>
>> Sorry, it should restrict not only domain but also port and protocol.
>>
>> So I propose this new syscall to restrict an application by "same-origin" policy:
>>
>> int selinux_restrict_domain(struct sockaddr *ADDR, socklen_t LENGTH);
>>
>> I am not sure that it is the best API specification. Please comment.
>>
>> Note that probably all connections we need are TCP (not UDP), but we can support all protocols for completeness.
>>
>> 09.01.2014, 18:59, "Victor Porton" <porton@xxxxxxxx>:
>>> 09.01.2014, 18:39, "Victor Porton" <porton@xxxxxxxx>:
>>>> I remind that sandbox is implemented in Fedora using SELinux.
>>>>
>>>> It would be useful to restrict sandboxed application to connect only to one, programmatically specified Internet domain (just like Java and JavaScript security).
>>>>
>>>> It seems it is impossible with current SELinux.
>>>>
>>>> Could you add necessary features? Please!
>>> You could add a syscall like:
>>>
>>> int selinux_restrict_domain(const char *domain);
>>>
>>> (We could modify this interface to restrict to a finite list of domains instead of one domain, but personally I don't need this.)
>>>
>>> --
>>> Victor Porton - http://portonvictor.org
>> --
>> Victor Porton - http://portonvictor.org
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
> --
> Victor Porton - http://portonvictor.org

--
Victor Porton - http://portonvictor.org
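
The allowlist check implied by the proposed selinux_restrict_domains(), as an added userspace example that is not part of the original message and is not SELinux code. The names `host_allowed`, `make_v4` and `demo` are hypothetical and the 192.0.2.x addresses are constructed; it shows that every address behind a round-robin name has to be listed and that the match covers the port as well as the address.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

struct full_host_desc_t {           /* struct as corrected in the message */
    struct sockaddr *ADDR;
    socklen_t LENGTH;
};

/* Hypothetical check: 1 if dst matches an entry on family, address and port. */
int host_allowed(const struct full_host_desc_t *hosts, unsigned int num_hosts,
                 const struct sockaddr *dst, socklen_t dst_len)
{
    for (unsigned int i = 0; i < num_hosts; i++) {
        const struct sockaddr *a = hosts[i].ADDR;
        if (!a || hosts[i].LENGTH != dst_len || a->sa_family != dst->sa_family)
            continue;
        if (a->sa_family == AF_INET && dst_len >= sizeof(struct sockaddr_in)) {
            const struct sockaddr_in *x = (const void *)a, *y = (const void *)dst;
            /* Compare fields, not raw bytes: sin_zero padding is not significant. */
            if (x->sin_port == y->sin_port && x->sin_addr.s_addr == y->sin_addr.s_addr)
                return 1;
        } else if (a->sa_family == AF_INET6 && dst_len >= sizeof(struct sockaddr_in6)) {
            const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)dst;
            if (x->sin6_port == y->sin6_port &&
                memcmp(&x->sin6_addr, &y->sin6_addr, sizeof x->sin6_addr) == 0)
                return 1;
        }
    }
    return 0;                       /* default deny, including unknown families */
}

/* Constructed sample input: builds an IPv4 socket address from text. */
static struct sockaddr_in make_v4(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Allowlist the first n_listed round-robin addresses on port 443, then test ip:port. */
int demo(unsigned int n_listed, const char *ip, unsigned short port)
{
    struct sockaddr_in rr[2] = { make_v4("192.0.2.10", 443), make_v4("192.0.2.11", 443) };
    struct full_host_desc_t hosts[2] = { { (struct sockaddr *)&rr[0], sizeof rr[0] },
                                         { (struct sockaddr *)&rr[1], sizeof rr[1] } };
    struct sockaddr_in dst = make_v4(ip, port);
    return host_allowed(hosts, n_listed, (struct sockaddr *)&dst, sizeof dst);
}
```

With only one of the two round-robin addresses listed, a connection to the other address is denied; listing both allows it, and a different port on a listed address is still denied.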