allowing programs to open ports

Florian Weimer fweimer at redhat.com
Mon Dec 22 10:49:43 UTC 2014


On 12/21/2014 05:28 PM, Björn Persson wrote:

> Alternatively, cut out the packet filter and have GlibC ask the user
> whether the call to bind or connect shall be allowed to succeed (or
> automatically allow or deny the call if so configured). This has the
> advantage that the program is informed that it's not allowed to
> communicate.

glibc is the wrong place for this, and a patch in this direction has 
absolutely zero chance of being accepted upstream.  We also ship 
applications which call system calls directly, not through glibc, so 
patching glibc would not even work at a technical level.

However, a Linux Security Module such as SELinux could audit socket 
creation, and provide the user with means to override the default 
choices.  However, this will be extremely controversial (even more so 
than the open firewall) because it will remind people of “personal 
firewalls” on Windows.

-- 
Florian Weimer / Red Hat Product Security
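As an added example, not part of the thread or of any Fedora code: a small Python script that parses SELinux AVC audit records and picks out the socket creation, bind and connect decisions an LSM can record, which is the kind of audit trail the reply above suggests. The AVC lines are constructed for illustration; the process names and contexts in them are made up.

```python
import re
from collections import Counter

# Constructed sample AVC records (not from the original thread); the layout follows the kernel's audit AVC format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1419247783.101:101): avc:  denied  { name_bind } for  pid=1201 comm="myserver" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1419247790.202:102): avc:  denied  { name_connect } for  pid=1305 comm="updater" dest=443 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1419247795.303:103): avc:  granted  { create } for  pid=1305 comm="updater" scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tcontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0 tclass=udp_socket
type=AVC msg=audit(1419247799.404:104): avc:  denied  { read } for  pid=1410 comm="cat" name="shadow" dev="sda1" ino=12 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1419247805.505:105): avc:  denied  { name_bind } for  pid=1201 comm="myserver" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes and permissions that correspond to creating, binding or connecting a socket.
SOCKET_CLASSES = {"tcp_socket", "udp_socket", "sctp_socket", "socket", "rawip_socket"}
SOCKET_PERMS = {"create", "bind", "connect", "listen", "name_bind", "name_connect"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    return rec


def socket_events(log_text):
    """Keep only records about socket creation, binding or connecting; drop file and other classes."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r.get("tclass") in SOCKET_CLASSES and r["perms"] & SOCKET_PERMS]


def summarize(events):
    """Count (comm, domain, permission, port, result) tuples so repeated attempts stand out."""
    counts = Counter()
    for e in events:
        port = e.get("src") or e.get("dest") or "-"   # src for bind, dest for connect
        domain = e["scontext"].split(":")[2]           # the type field of the source context
        for perm in sorted(e["perms"]):
            counts[(e["comm"], domain, perm, port, e["result"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(socket_events(SAMPLE_AUDIT_LOG)).most_common():
        print(n, *key)
```

On a real system the same functions can be fed the output of `ausearch -m AVC` instead of the constructed sample.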
