[Devel] [RFC][PATCH] IP address restricting cgroup subsystem

Benny Amorsen benny+usenet at amorsen.dk
Sat Jan 10 16:25:05 PST 2009



Paul Menage <menage-hpIqsD4AKlfQT0dZR+AlfA at public.gmane.org> writes:

> Oh, and don't forget being able to control remote addresses/ports too.
> E.g. you might not care what local port/address something binds to (or
> there may only be one local address anyway) but you might want to
> restrict a cgroup from e.g. connecting outside your data center, etc.
> (Something that I'm interested in).

If it's going to be that advanced, it will end up either like iptables
or like routing tables.

It is a bit much to expect normal applications to use either, but
iptables is especially complicated. I am a little bit tempted by
something resembling routing/rule tables, but it would obviously have
to be a bit more limited. E.g. gateway addresses should not be stored
there at all.

There is also the classic question: What happens if you invoke a
setuid or setgid executable with restrictions in effect? It is hard to
guarantee that this isn't exploitable in any way.


/Benny
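As an added illustration of the design point Benny raises (a rule table "resembling routing/rule tables" but more limited, with no gateway addresses stored at all, applied to the remote address/port control Paul asks for), here is a small user-space model in C. It is example code written for this page, not code from the thread, from the RFC patch, or from the kernel. Everything in it is an assumption: the rule layout (destination prefix, destination port range, verdict, and nothing else), the longest-prefix-match semantics with earlier rules winning ties, the default deny when nothing matches, and the constructed policy in which 10.0.0.0/8 stands in for "inside the data center" and 10.99.0.0/16 for a quarantined subnet.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical rule table for restricting a group's outbound destinations.
 * Deliberately narrower than iptables and narrower than a routing table:
 * a rule carries a destination prefix, a destination port range and a
 * verdict. There is no next hop / gateway field at all. */
enum verdict { DENY = 0, ALLOW = 1 };

struct rule {
    uint32_t prefix;   /* network address, host byte order */
    uint8_t  plen;     /* prefix length 0..32 (0 = match everything) */
    uint16_t port_lo;  /* inclusive destination port range; 0..65535 = any */
    uint16_t port_hi;
    enum verdict verdict;
};

/* Parse a dotted quad into a host-order uint32; false on malformed input. */
static bool parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

static uint32_t mask_of(uint8_t plen) {
    return plen == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - plen));
}

static bool rule_matches(const struct rule *r, uint32_t ip, uint16_t port) {
    uint32_t m = mask_of(r->plen);
    return ((ip & m) == (r->prefix & m)) && port >= r->port_lo && port <= r->port_hi;
}

/* Longest-prefix match over all matching rules; the most specific prefix
 * wins and ties go to the earlier rule. No match at all means DENY, so a
 * group with an empty table can reach nothing. */
enum verdict lookup(const struct rule *table, size_t n, uint32_t ip, uint16_t port) {
    int best = -1;
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(&table[i], ip, port)) continue;
        if (best < 0 || table[i].plen > table[best].plen) best = (int)i;
    }
    return best < 0 ? DENY : table[best].verdict;
}

/* Constructed policy (assumption, not from the thread):
 *   allow 10.0.0.0/8 on any port      -- "inside the data center"
 *   deny  10.99.0.0/16 on any port    -- quarantined subnet, more specific
 *   allow 0.0.0.0/0 on port 443       -- outbound HTTPS to anywhere
 *   deny  0.0.0.0/0 on any port       -- explicit default */
static const struct rule policy[] = {
    { 0x0A000000u,  8, 0, 65535, ALLOW },
    { 0x0A630000u, 16, 0, 65535, DENY  },
    { 0x00000000u,  0, 443, 443, ALLOW },
    { 0x00000000u,  0, 0, 65535, DENY  },
};

/* Returns 1 for ALLOW, 0 for DENY, -1 if the address does not parse. */
int check_dest(const char *dst_ip, uint16_t port) {
    uint32_t ip;
    if (!parse_ipv4(dst_ip, &ip)) return -1;
    return lookup(policy, sizeof policy / sizeof policy[0], ip, port) == ALLOW ? 1 : 0;
}

int main(void) {
    const char *dsts[] = { "10.1.2.3", "10.99.1.1", "8.8.8.8", "8.8.8.8" };
    uint16_t ports[]   = { 80, 80, 443, 53 };
    for (size_t i = 0; i < 4; i++)
        printf("%s:%u -> %s\n", dsts[i], ports[i],
               check_dest(dsts[i], ports[i]) == 1 ? "allow" : "deny");
    return 0;
}
```

The quarantined /16 shows why longest-prefix match is the natural semantics for this shape of table: the deny carries over the broader /8 allow without the rule order mattering, which is the routing-table behaviour rather than the first-match-wins behaviour of an iptables chain. The setuid question in the post is untouched by a lookup like this; whatever holds the table would still have to decide whether the restriction follows the process across an exec that changes credentials.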

