On Sat, Jun 03, 2006 at 11:53:32PM +0200, Nicolai Johannes wrote:
> Interesting idea, I still don't understand some things:
>
> 1. What should happen with loopbacked network access (should it be
> considered like Unix domain sockets)?
Distinguishing between loopback and non-loopback when the addresses are not obviously loopback addresses may be difficult. Or maybe not, since the distinction need only be made at bind()/connect()/accept() time and then the routing table could be queried for this. But I suspect there's a can of worms here.

> 2. What about socketpair (is it considered as PRIV_IPC_INITIATE)?

Like pipe(2) it's no big deal. Without bind() or fattach() these are useless except for communicating with progeny (child processes).

> 3. Apropos IPC: What about mapped files?

Exactly. I've not thought about SysV/POSIX IPC at all, or mmap(2), for that matter. Message queues and semaphores are sufficiently like pipes, Unix domain sockets and doors that I can see how to handle them. But shared memory is more difficult, particularly mmap(2). Consider a basic privilege whose absence in E causes mmap(2) requests to fail if MAP_PRIVATE is not requested when PROT_EXEC is requested: this does not prevent other processes from writing to the mmap()ed file and communicating with the reader this way.

OTOH, as long as you can still open regular files (and directories) you're still in business and can still do IPC, even if you're denied all other forms of IPC. Which brings us to: Why have basic privileges for controlling access to IPC? And why have them if they won't control regular file system activity also?

Nico
--
_______________________________________________
networking-discuss mailing list
[email protected]
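The channel Nico describes in the last two paragraphs above, as an added example that is not part of the thread and not code from any of its participants: a receiver maps a regular file MAP_SHARED with PROT_READ only, and a sender that merely knows the file's name opens it, maps it, and drops a message in. No pipe, socket, door, or SysV/POSIX IPC object is touched, and PROT_EXEC is never requested, so a basic privilege that only bites on "PROT_EXEC without MAP_PRIVATE" never fires. The temp-file location under /tmp, the mailbox layout, the message text and the polling interval are assumptions made for this demo; the sender is a forked child only so the example is self-contained, but it reopens the file by name exactly as an unrelated process would.

```c
/*
 * Added demo (not from the original networking-discuss thread): IPC through
 * a regular file via mmap(2) MAP_SHARED, with no "IPC" primitive involved.
 * Assumptions: /tmp is writable, the mailbox layout below, the fixed message,
 * and a 1 ms poll interval.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAP_LEN 4096
static const char kMessage[] = "hello via a regular file";

/* Mailbox layout agreed on by both sides: a ready flag, then the payload. */
struct mailbox {
    int  ready;
    char payload[128];
};

/* Sender: what any process that can open(2)/mmap(2) the file could do. */
static int send_via_file(const char *path)
{
    int fd = open(path, O_RDWR);                 /* re-opened by name */
    if (fd < 0) return -1;
    volatile struct mailbox *mb = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE,
                                       MAP_SHARED, fd, 0);
    close(fd);
    if (mb == MAP_FAILED) return -1;

    strncpy((char *)mb->payload, kMessage, sizeof mb->payload - 1);
    __sync_synchronize();                        /* payload before flag */
    mb->ready = 1;
    munmap((void *)mb, MAP_LEN);
    return 0;
}

/*
 * Returns 1 if the sender's message reached the receiver through the shared
 * file mapping, 0 if it did not arrive in time, -1 on setup failure.
 */
int file_ipc_roundtrip(void)
{
    char path[] = "/tmp/fileipc-XXXXXX";        /* assumed writable */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (ftruncate(fd, MAP_LEN) != 0) { close(fd); unlink(path); return -1; }

    /* Receiver needs only PROT_READ; ftruncate() guarantees a zeroed flag. */
    volatile struct mailbox *mb = mmap(NULL, MAP_LEN, PROT_READ,
                                       MAP_SHARED, fd, 0);
    close(fd);
    if (mb == MAP_FAILED) { unlink(path); return -1; }

    pid_t pid = fork();
    if (pid < 0) { munmap((void *)mb, MAP_LEN); unlink(path); return -1; }
    if (pid == 0)
        _exit(send_via_file(path) == 0 ? 0 : 1);

    /* Receiver polls the flag in the mapping; no fd or signal is involved. */
    int spins = 0;
    while (!mb->ready && spins++ < 5000)
        usleep(1000);

    int status;
    waitpid(pid, &status, 0);

    int ok = mb->ready && strcmp((const char *)mb->payload, kMessage) == 0;
    munmap((void *)mb, MAP_LEN);
    unlink(path);
    return ok ? 1 : 0;
}

int main(void)
{
    int r = file_ipc_roundtrip();
    printf("file-backed IPC %s\n", r == 1 ? "worked" : "failed");
    return r == 1 ? 0 : 1;
}
```

The receiver's mapping is read-only and the sender requests PROT_READ|PROT_WRITE without PROT_EXEC, so neither mmap(2) call matches the hypothetical "no PROT_EXEC unless MAP_PRIVATE" rule, yet both processes share the same page-cache pages and the message goes through. That is why the reply concludes that an IPC privilege which leaves open(2) and mmap(2) of ordinary files alone does not actually deny IPC.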
