svn commit: r285910 - in head: lib/libc/sys sys/kern sys/sys

Ed Schouten ed at nuxi.nl
Sun Aug 9 13:08:08 UTC 2015


Hi Alexander,

2015-08-09 14:55 GMT+02:00 Alexander Kabaev <kabaev at gmail.com>:
> On Sun, 9 Aug 2015 09:37:13 +0200
> It most definitely does work, this is what I have done to get my
> network scripts to work again. I wonder if there are other means of
> restricting raw sockets that can be used to achieve the result
> authors of rtsold had hoped or?

Yes, there sure are. We could for example call cap_rights_limit() on
the socket and whitelist the exact set of actions that the program
needs.

That said, it wouldn't make a difference in the end. It looks like
rtsol/rtsold don't seem to drop any privileges or switch credentials
after startup, assuming I haven't overlooked anything. Even if we were
to restrict the raw socket, the process could always open a new one
later on.

I think it would make sense for now to just commit the patch that I
proposed. Will push it into the tree tomorrow.

Thanks,
-- 
Ed Schouten <ed at nuxi.nl>
Nuxi, 's-Hertogenbosch, the Netherlands
KvK/VAT number: 62051717
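
The approach discussed in the message above, as an added example that is not part of the original message or of the FreeBSD tree: a raw ICMPv6 socket is limited with cap_rights_limit(), and the program then shows that a second raw socket can still be opened because the process is not otherwise restricted. The function name limit_socket_rights() and the chosen rights set (CAP_SEND, CAP_RECV, CAP_EVENT) are assumptions for illustration; on systems other than FreeBSD the function only reports ENOSYS.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Hypothetical helper: allow only send, receive and poll/kevent on fd.
 * The rights set is an assumption about what the program needs.
 * Returns 0 on success, -1 with errno set. */
int limit_socket_rights(int fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_SEND, CAP_RECV, CAP_EVENT);
    return cap_rights_limit(fd, &rights);
#else
    (void)fd;
    errno = ENOSYS;          /* Capsicum is not available on this system */
    return -1;
#endif
}

int main(void)
{
    int on = 1;
    int s = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);  /* needs root */
    if (s < 0) { perror("socket"); return 1; }
    if (limit_socket_rights(s) < 0) { perror("cap_rights_limit"); return 1; }

    /* CAP_SETSOCKOPT was not granted, so this fails with ENOTCAPABLE. */
    if (setsockopt(s, SOL_SOCKET, SO_RCVBUF, &on, sizeof(on)) < 0)
        perror("setsockopt on limited socket");

    /* The limit applies to descriptor s only. Without dropping privileges
     * the same process can still create a fresh, unrestricted raw socket. */
    int s2 = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
    printf("second raw socket: %s\n",
           s2 >= 0 ? "opened, with full rights" : "refused");

    if (s2 >= 0) close(s2);
    close(s);
    return 0;
}
```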

