Just so you know, syscall means the interface between userspace and the kernel changing modes. What you're describing doesn't really need a syscall. Solutions to your problem exist via iptables and SELinux network labeling rules. Obviously, you will need to research or possibly do some additional work in this area to solve your problem.

You also might want to look into using namespaces. By unsharing the networking namespace, you can provide a virtual network stack to each process, and use veth devices to connect to a real device. Then you can use iptables rules in that namespace without impacting the rest of your system. You might want to look at LXC as well.

On Thu, Jan 9, 2014 at 11:38 AM, Victor Porton <porton@xxxxxxxx> wrote:
> So my final proposal:
>
> struct full_sockaddr_t {
>     struct sockaddr *ADDR;
>     socklen_t LENGTH;
> };
>
> // Syscall
> int selinux_restrict_domains(struct full_sockaddr_t *socks, unsigned int num_socks);
>
> This call would restrict the sockets accessed by a process (and its children) to the specified array of socket addresses.
>
> For security reasons it should be impossible to add more hosts to this list. (We may allow further restriction.)
>
> Please implement it in the Linux kernel.
>
> --
> Victor Porton - http://portonvictor.org
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Respectfully,
William C Roberts
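The namespace approach sketched in the reply above, as an added example that is not part of the thread: an unshared network namespace, a veth pair to the host, and iptables rules inside the namespace that allow only a fixed list of IP:port destinations, with the confined command run unprivileged so it cannot widen the list. The namespace name, veth names, 10.200.0.0/24 addresses and the eth0 uplink are assumptions, as is the use of util-linux runuser.

```shell
#!/bin/sh
# Added example, not code from the thread. Confine a process to a fixed list of
# destination IP:port pairs with a network namespace, a veth pair and iptables
# rules that exist only inside that namespace. All names/addresses are assumed.
set -eu
NS=confined; VETH_HOST=veth-host; VETH_NS=veth-ns
HOST_IP=10.200.0.1; NS_IP=10.200.0.2
UPLINK=${UPLINK:-eth0}   # real device the namespace reaches the world through

# Print the filter rules for the namespace: drop everything by default, allow
# loopback, then allow exactly the given host:port TCP destinations (no DNS needed
# because the list holds literal addresses; IPv6 egress is closed entirely).
egress_rules() {
    echo "ip6tables -P OUTPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for hp in "$@"; do
        host=${hp%:*}
        port=${hp##*:}
        echo "iptables -A OUTPUT -d $host -p tcp --dport $port -j ACCEPT"
    done
}
# Create the namespace and plumb it to the host through a veth pair plus NAT.
setup_namespace() {
    ip netns add "$NS"
    ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    ip link set "$VETH_NS" netns "$NS"
    ip addr add "$HOST_IP/24" dev "$VETH_HOST"
    ip link set "$VETH_HOST" up
    ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VETH_NS"
    ip netns exec "$NS" ip link set "$VETH_NS" up
    ip netns exec "$NS" ip link set lo up
    ip netns exec "$NS" ip route add default via "$HOST_IP"
    sysctl -qw net.ipv4.ip_forward=1
    iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$UPLINK" -j MASQUERADE
    # Apply the allow-list inside the namespace; the host's own tables are untouched.
    egress_rules "$@" | while read -r rule; do ip netns exec "$NS" $rule; done
}
# Usage (as root): ./confine.sh USER HOST:PORT [HOST:PORT ...] -- CMD [ARGS...]
# CMD runs as unprivileged USER inside the namespace, so it has no CAP_NET_ADMIN
# there and can only inherit the list, never add hosts to it.
run_confined() {
    user=$1; shift
    allow=""
    while [ "$#" -gt 0 ] && [ "$1" != "--" ]; do allow="$allow $1"; shift; done
    shift
    setup_namespace $allow
    ip netns exec "$NS" runuser -u "$user" -- "$@"
}
[ "$#" -eq 0 ] || run_confined "$@"
```

Tearing down is `ip netns delete confined` plus removing the MASQUERADE rule; the veth pair disappears with the namespace.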