[Devel] Re: LSM stacking/secondary modules / RFC: Socket MAC LSM
Paul Menage
menage at google.com
Thu Jan 15 09:29:09 PST 2009
On Thu, Jan 15, 2009 at 7:35 AM, Grzegorz Nosek <root at localdomain.pl> wrote:
>
> I guess the net result would comprise two parts:
> - iptable_control, possibly based on Paul's code (hook
> socket/connect/bind/accept calls into iptables)
> - ipt_cgroup, matching the cgroup the requesting process is a member
> of (I'd also need a target to remap the source address but it would
> probably be a minor thing to do)
>
Right.
> One thing I'm not quite sure about is matching the cgroups. Should I
> attempt to match the cgroup path? Or some per-cgroup cookie stored in a
> virtual file? Both don't seem too pretty, need help :/
Use an approach similar to the net_cls cgroup subsystem in
net/sched/cls_cgroup.c. (Or possibly just expose and reuse the same
id).
Paul
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers