[Exherbo-dev] Proper network sandboxing

Ali Polatel polatel at gmail.com
Tue Aug 25 23:25:55 BST 2009

Ciaran McCreesh wrote:
> On Wed, 26 Aug 2009 01:09:20 +0300
> Ali Polatel <polatel at gmail.com> wrote:
> > To do this we have to take ports into account as well but that's easy.
> > What do you think?
> Can you let it connect only to ports that it itself is listening on? I
> can't think of any obvious reason tests should be allowed to talk to
> anything else.

In my opinion the easiest and cleanest way to implement this is network
whitelisting, which may work like:

sydboxcmd net/deny # somewhere in ebuild.bash
sydboxcmd net/whitelist/ # in for example src_test

which means we'll deny all network connections by default and let the
exheres author allow them as she/he wishes.

What do you think?

Ali Polatel
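The policy sketched in this message (deny everything in ebuild.bash, then whitelist individual destinations in src_test) combined with Ciaran's suggestion of letting tests talk to ports the process itself listens on, as an added, self-contained model. This is not sydbox's code or anything from the Exherbo tree: the class `NetPolicy`, its methods `cmd`, `bind` and `connect`, the helper `simulate_test_phase`, the `ip[/prefix][:port]` whitelist syntax and the sample addresses are all constructed here for illustration. It goes slightly beyond the message by keeping an audit log of every decision, which is what a packager would want when a test fails with a refused connection.

```python
"""Toy model of a deny-by-default network sandbox policy.

Added illustration, not sydbox's or Exherbo's code.  Three behaviours:
  * net/deny            -> every connect() is refused unless whitelisted
  * net/whitelist/SPEC  -> the exheres author opens one destination;
                           SPEC = "ip[/prefix][:port]" is a syntax assumed
                           for this model, not sydbox's real syntax
  * a connect() to a port the sandboxed process has itself bound is
    allowed (the exception suggested for tests that start a local server)
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetPolicy:
    deny: bool = False
    whitelist: list = field(default_factory=list)  # [(IPv4Network, port|None)]
    listening: set = field(default_factory=set)    # {(bound_ip, port)}
    log: list = field(default_factory=list)        # audit trail of decisions

    def cmd(self, command: str) -> None:
        """Apply one sydboxcmd-style directive (hypothetical syntax)."""
        if command == "net/deny":
            self.deny = True
        elif command.startswith("net/whitelist/"):
            spec = command[len("net/whitelist/"):]
            host, sep, port = spec.rpartition(":")  # IPv4 only in this model
            if not sep:                             # no ":port" given
                host, port = spec, None
            self.whitelist.append((ip_network(host, strict=False),
                                   int(port) if port else None))
        else:
            raise ValueError(f"unknown directive: {command}")

    def bind(self, ip: str, port: int) -> None:
        """Record that the sandboxed process now listens on ip:port."""
        self.listening.add((ip, port))

    def connect(self, ip: str, port: int) -> bool:
        """Decide a connect(): True = allowed, False = refused."""
        if not self.deny:
            return self._decide(ip, port, True, "net/deny not in effect")
        addr = ip_address(ip)
        # Ciaran's exception: the process may reach ports it listens on.
        # A wildcard bind (0.0.0.0) is only honoured for loopback targets,
        # so this exception never opens a path to other hosts.
        for bound_ip, bound_port in self.listening:
            if bound_port == port and (
                    bound_ip == ip or (bound_ip == "0.0.0.0" and addr.is_loopback)):
                return self._decide(ip, port, True, "process listens on this port")
        for net, wport in self.whitelist:
            if addr in net and wport in (None, port):
                return self._decide(ip, port, True, f"whitelisted by {net}")
        return self._decide(ip, port, False, "denied by default")

    def _decide(self, ip, port, allowed, why):
        self.log.append(f"{'ALLOW' if allowed else 'DENY '} {ip}:{port} ({why})")
        return allowed


def simulate_test_phase() -> list:
    """Walk the scenario from the thread and return the audit log."""
    p = NetPolicy()
    p.cmd("net/deny")                      # ebuild.bash: everything off
    p.connect("93.184.216.34", 80)         # test phoning home: refused
    p.cmd("net/whitelist/127.0.0.1:5432")  # src_test: local database only
    p.connect("127.0.0.1", 5432)           # allowed by the whitelist
    p.connect("127.0.0.1", 22)             # same host, other port: refused
    p.bind("0.0.0.0", 8080)                # test spawns its own HTTP server
    p.connect("127.0.0.1", 8080)           # allowed: it listens there itself
    return p.log


if __name__ == "__main__":
    for line in simulate_test_phase():
        print(line)
```

The order of checks matters: the listen-port exception and the whitelist are both consulted only after `net/deny` has been applied, so an exheres that forgets the deny gets the permissive default and every decision is logged as such, which makes the misconfiguration visible in the build log.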