[Exherbo-dev] Proper network sandboxing
polatel at gmail.com
Tue Aug 25 23:25:55 BST 2009
Ciaran McCreesh wrote:
> On Wed, 26 Aug 2009 01:09:20 +0300
> Ali Polatel <polatel at gmail.com> wrote:
> > To do this we have to take ports into account as well but that's easy.
> > What do you think?
> Can you let it connect only to ports that it itself is listening on? I
> can't think of any obvious reason tests should be allowed to talk to
> anything else.
In my opinion the easiest and cleanest way to implement this is network
whitelisting. Which may work like:
sydboxcmd net/deny # somewhere in ebuild.bash
sydboxcmd net/whitelist/127.0.0.1:80 # in for example src_test
which means we'll deny all network connections by default and let the
exheres author allow them as she/he wishes.
What do you think?
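A minimal model of the proposed policy, added here as an example that is not sydbox code and not part of the original thread: it applies the two commands from the message above (`net/deny`, `net/whitelist/ADDR:PORT`) and decides whether a given connect target is permitted. The permissive state before `net/deny` is seen and the `[::1]:80` bracket syntax for IPv6 are assumptions, not something the thread specifies.

```python
import ipaddress
from dataclasses import dataclass, field

def parse_endpoint(spec: str) -> tuple:
    """Turn 'ADDR:PORT' into (ip_address, port).

    IPv4 is written as in the thread ('127.0.0.1:80'); for IPv6 we assume
    the usual bracket form ('[::1]:80') so the last ':' splits off the port.
    """
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"bad endpoint: {spec!r}")
    host = host.strip("[]")
    port = int(port)
    if not 0 < port <= 65535:
        raise ValueError(f"bad port in endpoint: {spec!r}")
    return ipaddress.ip_address(host), port

@dataclass
class NetPolicy:
    """Deny-by-default network policy driven by sydboxcmd-style commands."""
    deny_by_default: bool = False            # assumption: permissive until net/deny
    whitelist: set = field(default_factory=set)

    def apply(self, cmd: str) -> None:
        """Apply one command, e.g. 'net/deny' or 'net/whitelist/127.0.0.1:80'."""
        if cmd == "net/deny":
            self.deny_by_default = True
        elif cmd.startswith("net/whitelist/"):
            self.whitelist.add(parse_endpoint(cmd[len("net/whitelist/"):]))
        else:
            raise ValueError(f"unknown command: {cmd!r}")

    def permits(self, host: str, port: int) -> bool:
        """Would a connect() to host:port be allowed under this policy?"""
        if not self.deny_by_default:
            return True
        # Exact (address, port) match only: whitelisting 127.0.0.1:80 does not
        # open 127.0.0.1:8080, nor port 80 on any other address.
        return (ipaddress.ip_address(host), port) in self.whitelist

def build_test_policy() -> NetPolicy:
    """Constructed sample: the exact sequence proposed in the message."""
    policy = NetPolicy()
    policy.apply("net/deny")                   # from ebuild.bash
    policy.apply("net/whitelist/127.0.0.1:80")  # from src_test
    return policy
```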