Some links:

http://superuser.com/questions/463649/linux-routing-and-hma
http://lwn.net/Articles/531114/
http://serverfault.com/questions/218707/iptables-rules-to-allow-http-traffic-to-one-domain-only
http://www.linux.com/learn/tutorials/421152-using-selinux-and-iptables-together

On Thu, Jan 9, 2014 at 1:12 PM, William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
> Just so you know, syscall means the interface between userspace and
> the kernel changing modes. What you're describing doesn't really need a
> syscall.
>
> Solutions to your problem exist via iptables and SELinux network
> labeling rules. Obviously, you will need to research or possibly do
> some additional work in this area to solve your problem.
>
> You also might want to look into using namespaces. By unsharing the
> networking namespace, you can provide a virtual network stack to each
> process, and use veth devices to connect to a real device. Then you can use
> iptables rules in that namespace without impacting the rest of your
> system.
>
> You might want to look at LXC as well.
>
>
> On Thu, Jan 9, 2014 at 11:38 AM, Victor Porton <porton@xxxxxxxx> wrote:
>> So my final proposal:
>>
>> struct full_sockaddr_t {
>>     struct sockaddr *ADDR;
>>     socklen_t LENGTH;
>> };
>>
>> // Syscall
>> int selinux_restrict_domains(struct full_sockaddr_t *socks, unsigned int num_socks);
>>
>> This call would restrict the sockets accessed by a process (and its children) to the specified array of socket addresses.
>>
>> For security reasons it should be impossible to add more hosts to this list. (We may allow further restriction.)
>>
>> Please implement it in the Linux kernel.
>>
>> --
>> Victor Porton - http://portonvictor.org
>> _______________________________________________
>> Selinux mailing list
>> Selinux@xxxxxxxxxxxxx
>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
>
>
>
> --
> Respectfully,
>
> William C Roberts

--
Respectfully,

William C Roberts
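The namespace-plus-iptables approach William describes above (unshare the network namespace, connect it to a real device with a veth pair, then filter inside the namespace), written out as an added example that is not part of the thread and not code from any of its participants. The namespace name "jail", the veth names veth-host/veth-jail, the 10.200.0.0/30 link subnet, the $UPLINK interface and the RFC 5737 destination addresses in the usage line are all hypothetical placeholders; the script assumes root, iproute2 and iptables with the conntrack match, and with DRY_RUN=1 it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: confine a process to a fixed set of
# destination addresses using an unshared network namespace, a veth pair, and
# iptables rules that exist only inside that namespace.
# Hypothetical names/addresses: namespace "jail", veth pair veth-host/veth-jail,
# link subnet 10.200.0.0/30, host uplink $UPLINK. Requires root, iproute2 and
# iptables with conntrack. DRY_RUN=1 prints the commands instead of running them.

NS=${NS:-jail}
HOST_IF=${HOST_IF:-veth-host}
NS_IF=${NS_IF:-veth-jail}
HOST_IP=10.200.0.1
NS_IP=10.200.0.2
UPLINK=${UPLINK:-eth0}

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Run a command inside the jail namespace.
in_ns() { run ip netns exec "$NS" "$@"; }

# Create the namespace, the veth pair, and a NAT path out of the host uplink.
setup_ns() {
  run ip netns add "$NS"
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  run ip link set "$NS_IF" netns "$NS"
  run ip addr add "$HOST_IP/30" dev "$HOST_IF"
  run ip link set "$HOST_IF" up
  in_ns ip addr add "$NS_IP/30" dev "$NS_IF"
  in_ns ip link set "$NS_IF" up
  in_ns ip link set lo up
  in_ns ip route add default via "$HOST_IP"
  run sysctl -q -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$UPLINK" -j MASQUERADE
}

# Install the allowlist inside the namespace. Each argument is IPv4:port (TCP).
# Default policy is DROP in both directions; only the listed destinations may
# be opened, and only packets belonging to those connections may come back.
# The host's own iptables tables are untouched.
apply_allowlist() {
  in_ns iptables -P OUTPUT DROP
  in_ns iptables -P INPUT DROP
  in_ns iptables -A INPUT -i lo -j ACCEPT
  in_ns iptables -A OUTPUT -o lo -j ACCEPT
  in_ns iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for dest in "$@"; do
    host=${dest%:*}
    port=${dest##*:}
    in_ns iptables -A OUTPUT -p tcp -d "$host" --dport "$port" \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  done
}

# Usage: sh netjail.sh apply 192.0.2.10:443 198.51.100.20:22
# then run the confined program with: ip netns exec jail <program>
case "${1:-}" in
  apply) shift; setup_ns; apply_allowlist "$@" ;;
esac
```

Two caveats a practitioner will hit. The allowlist is by IP literal, so the confined program gets no DNS unless a resolver address is added to the list; that matches the "cannot add more hosts" property Victor asked for, since the rules are fixed before the program starts. And the rules are only as immutable as the confined process's privileges: a process that keeps CAP_NET_ADMIN inside the namespace can rewrite them, so start it unprivileged (for example `ip netns exec jail su -s /bin/sh user -c program`).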