[Exherbo-dev] Proper network sandboxing

Ali Polatel polatel at gmail.com
Tue Aug 25 23:25:55 BST 2009


Ciaran McCreesh wrote:
> On Wed, 26 Aug 2009 01:09:20 +0300
> Ali Polatel <polatel at gmail.com> wrote:
> > To do this we have to take ports into account as well but that's easy.
> > What do you think?
> 
> Can you let it connect only to ports that it itself is listening on? I
> can't think of any obvious reason tests should be allowed to talk to
> anything else.
> 

In my opinion the easiest and cleanest way to implement this is network
whitelisting. Which may work like:

sydboxcmd net/deny # somewhere in ebuild.bash
sydboxcmd net/whitelist/127.0.0.1:80 # in for example src_test

which means we'll deny all network connections by default and let the
exheres author allow them as she/he wishes.

What do you think?

-- 
Regards,
Ali Polatel
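A toy evaluator for the deny-then-whitelist policy sketched in the mail, added here as an example and not sydbox's own code: it parses the two directive shapes quoted above and, as an assumed extra rule, also admits loopback ports the sandboxed process itself has bound, which is the behaviour Ciaran asked about. IPv4-only matching, exact host:port comparison and the fail-closed handling of malformed directives are this example's assumptions, not documented sydbox semantics.

```python
import ipaddress
from dataclasses import dataclass, field

WHITELIST_PREFIX = "net/whitelist/"


@dataclass
class NetPolicy:
    """Deny-by-default network policy driven by sydboxcmd-style directives."""
    deny_by_default: bool = False                 # before net/deny: unrestricted
    whitelist: set = field(default_factory=set)   # {(IPv4Address, port)}

    def apply(self, directive: str) -> None:
        """Apply one directive; malformed input raises so the policy fails closed."""
        if directive == "net/deny":
            self.deny_by_default = True
            return
        if not directive.startswith(WHITELIST_PREFIX):
            raise ValueError(f"unknown directive: {directive!r}")
        host, sep, port = directive[len(WHITELIST_PREFIX):].rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) <= 65535:
            raise ValueError(f"whitelist entry needs host:port: {directive!r}")
        # IPv4 literals only (assumption); a hostname or IPv6 literal is
        # rejected rather than guessed at, since a typo here would open a hole.
        self.whitelist.add((ipaddress.IPv4Address(host), int(port)))

    def allows(self, ip: str, port: int, listening_ports=frozenset()) -> bool:
        """Decide one connect(ip, port) attempt.

        listening_ports is the assumed extra rule: loopback ports the
        sandboxed process has bound itself may always be connected to.
        """
        if not self.deny_by_default:
            return True
        addr = ipaddress.IPv4Address(ip)
        if (addr, port) in self.whitelist:
            return True
        return addr.is_loopback and port in listening_ports


if __name__ == "__main__":
    policy = NetPolicy()
    for line in ("net/deny", "net/whitelist/127.0.0.1:80"):  # the two lines from the mail
        policy.apply(line)
    # Constructed connection attempts; 192.0.2.1 is a documentation-range address.
    for ip, port in (("127.0.0.1", 80), ("127.0.0.1", 8080), ("192.0.2.1", 80)):
        print(ip, port, "allowed" if policy.allows(ip, port) else "denied")
```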