10.01.2014, 21:39, "Joshua Brindle" <brindle@xxxxxxxxxxxxxxxxx>:
> Victor Porton wrote:
>
>> I propose to create a new NetFilter table dedicated to rules created programmatically (not by an explicit admin iptables command).
>>
>> Otherwise an admin could be tempted to say `iptables -F security`, which would probably break rules created, for example, by sandboxing software (which may follow a same-origin policy to restrict one particular program to a certain domain and port only). Note that in this case `iptables -F security` is a security risk (sandbox breaking)?
>>
>> The new table could possibly be called:
>>
>> - temp
>> - temporary
>> - auto
>> - automatic
>> - volatile
>> - daemon
>> - system
>> - sys
>>
>> In the iptables docs it should be said that this table should not be manipulated manually.
>
> Is it possible that the solution to your sandboxing problem is seccomp
> filter?
>
> http://outflux.net/teach-seccomp/
>
> You'd filter out any syscall that can make outbound connections and then
> only pass already opened sockets to the sandboxed threads?
>
> seccomp filter was actually created for sandboxing, so that user
> applications could voluntarily shed the ability to call certain syscalls
> before handling untrusted data.

seccomp would not work for me, because I need network-enabled sandboxes. Moreover, we should be able to filter out certain subnets such as 127.0.0.0/255.0.0.0 (and others). This can't be done cleanly with seccomp.

-- 
Victor Porton - http://portonvictor.org

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.