My proposal for a new feature in the Linux kernel


 



So my final proposal:

struct full_sockaddr_t {
  struct sockaddr *ADDR;
  socklen_t LENGTH;
};

// Syscall
int selinux_restrict_domains(struct full_sockaddr_t *socks, unsigned int num_socks);

This call would restrict the sockets accessed by a process (and its children) to the specified array of socket addresses.

For security reasons it should be impossible to add more hosts to this list. (We may allow further restriction.)

Please implement it in the Linux kernel.

-- 
Victor Porton - http://portonvictor.org
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
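
The restrict-only rule in the message above (the list may shrink but never gain a host) can be modelled in user space as follows. This is an added example, not code from the post or from the kernel: `restrict_state`, `model_restrict` and `model_addr_allowed` are hypothetical names, the sample addresses are constructed, and exact byte-wise address matching is an assumption the post does not specify.

```c
/* Added example: user-space model of the proposed semantics, not kernel code.
 * Every name except struct full_sockaddr_t is hypothetical. */
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

struct full_sockaddr_t { struct sockaddr *ADDR; socklen_t LENGTH; };
/* Per-process allowlist; a child would inherit a copy of it. */
struct restrict_state { int active; struct full_sockaddr_t *allowed; unsigned int num; };

/* Byte-wise match, so callers must zero a sockaddr before filling it in. */
int model_addr_allowed(const struct restrict_state *st, const struct sockaddr *a, socklen_t len) {
  if (!st->active) return 1; /* nothing installed yet: unrestricted */
  for (unsigned int i = 0; i < st->num; i++)
    if (st->allowed[i].LENGTH == len && memcmp(st->allowed[i].ADDR, a, len) == 0) return 1;
  return 0;
}

/* First call installs the list; later calls may only keep or drop entries. */
int model_restrict(struct restrict_state *st, const struct full_sockaddr_t *socks, unsigned int n) {
  for (unsigned int i = 0; i < n; i++) {
    if (!socks[i].ADDR || socks[i].LENGTH == 0) return -EINVAL;
    if (!model_addr_allowed(st, socks[i].ADDR, socks[i].LENGTH)) return -EPERM; /* would widen */
  }
  struct full_sockaddr_t *copy = calloc((size_t)n + 1, sizeof *copy); /* +1: never calloc(0) */
  if (!copy) return -ENOMEM;
  for (unsigned int i = 0; i < n; i++) { /* deep copy: caller may reuse its buffers */
    copy[i].LENGTH = socks[i].LENGTH;
    copy[i].ADDR = malloc(socks[i].LENGTH);
    if (!copy[i].ADDR) { while (i--) free(copy[i].ADDR); free(copy); return -ENOMEM; }
    memcpy(copy[i].ADDR, socks[i].ADDR, socks[i].LENGTH);
  }
  for (unsigned int i = 0; i < st->num; i++) free(st->allowed[i].ADDR);
  free(st->allowed);
  st->allowed = copy; st->num = n; st->active = 1;
  return 0;
}

int main(void) { /* constructed sample addresses from documentation ranges */
  struct sockaddr_in a, b;
  memset(&a, 0, sizeof a); a.sin_family = AF_INET; a.sin_port = htons(443);
  b = a; a.sin_addr.s_addr = htonl(0xC0000201); b.sin_addr.s_addr = htonl(0xC6336407);
  struct full_sockaddr_t one = { (struct sockaddr *)&a, sizeof a }, other = { (struct sockaddr *)&b, sizeof b };
  struct restrict_state st = {0};
  int first = model_restrict(&st, &one, 1);    /* 0: list installed */
  int widen = model_restrict(&st, &other, 1);  /* -EPERM: not in current list */
  return (first == 0 && widen == -EPERM) ? 0 : 1;
}
```

A rejected call leaves the previous list in place, and a call with `num_socks` of 0 is the strongest further restriction: no address is reachable afterwards.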



