[Exherbo-dev] Proper network sandboxing

Bryan Østergaard bryan.ostergaard at gmail.com
Tue Aug 25 23:13:16 BST 2009


On Tue, Aug 25, 2009 at 6:57 PM, Ali Polatel<polatel at gmail.com> wrote:
> In an attempt to implement proper network sandboxing for sydbox, I've
> added to sydbox the ability to deny only non-local connections. This is
> very basic right now; we check the sockaddr argument of connect(2) and
> bind(2) calls and use the net_localhost()¹ function to find out if it's
> local. This function needs some work, currently it only allows 127.0.0.1
> and ::1 through. As always patches are welcome.
>
<snip>
> Questions:
> 1. Do we want to check for system calls other than connect(2) and
>   bind(2)?
Don't think so.

> 2. Do we need some kind of network whitelisting? Like whitelisting
>   certain IP addresses. I'm not really sure if this is useful.
Don't think so.

> 3. Currently we only support IPv4 and IPv6 sockets. Do we need support
>   for other types of sockets, if so why?
It might be interesting to block NETLINK sockets as well although I'm
not convinced there's any real value to that.

Regards,
Bryan Østergaard
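
Added example, not part of this thread and not sydbox's net_localhost(): one way to classify the sockaddr argument of connect(2)/bind(2) as local or non-local, as the quoted message describes. The function names are hypothetical, and treating all of 127.0.0.0/8 and IPv4-mapped IPv6 loopback as local (rather than only 127.0.0.1 and ::1) is an assumption of this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper: the whole 127.0.0.0/8 block is loopback. */
static int v4_is_loopback(uint32_t host_order)
{
    return (host_order >> 24) == 127;
}

/* Returns 1 if the address a traced process passed to connect(2) or bind(2)
 * is loopback, 0 if the call should be denied. Fails closed. */
int sockaddr_is_local(const struct sockaddr *sa, socklen_t len)
{
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;
    uint32_t v4;

    if (sa == NULL || len < sizeof(sa->sa_family))
        return 0;
    if (sa->sa_family == AF_INET && len >= sizeof(in4)) {
        memcpy(&in4, sa, sizeof(in4));
        return v4_is_loopback(ntohl(in4.sin_addr.s_addr));
    }
    if (sa->sa_family == AF_INET6 && len >= sizeof(in6)) {
        memcpy(&in6, sa, sizeof(in6));
        if (IN6_IS_ADDR_LOOPBACK(&in6.sin6_addr))
            return 1;
        if (!IN6_IS_ADDR_V4MAPPED(&in6.sin6_addr))
            return 0;
        /* ::ffff:a.b.c.d reaches an IPv4 peer, so judge the embedded address. */
        memcpy(&v4, &in6.sin6_addr.s6_addr[12], sizeof(v4));
        return v4_is_loopback(ntohl(v4));
    }
    return 0; /* other families (e.g. AF_NETLINK) and truncated buffers */
}

/* Builds a sockaddr from a constructed text address and classifies it. */
int text_is_local(int family, const char *text)
{
    struct sockaddr_in in4 = {0};
    struct sockaddr_in6 in6 = {0};

    in4.sin_family = AF_INET;
    in6.sin6_family = AF_INET6;
    if (family == AF_INET && inet_pton(AF_INET, text, &in4.sin_addr) == 1)
        return sockaddr_is_local((const struct sockaddr *)&in4, sizeof(in4));
    if (family == AF_INET6 && inet_pton(AF_INET6, text, &in6.sin6_addr) == 1)
        return sockaddr_is_local((const struct sockaddr *)&in6, sizeof(in6));
    return 0;
}
```

A bind(2) to 0.0.0.0 or :: is classified as non-local here, since a wildcard listener is reachable from other hosts.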


