Guest session network lockdown

Martin Pitt martin.pitt at ubuntu.com
Fri Aug 1 07:30:26 BST 2008


Steve Beattie [2008-07-31 11:44 -0700]:
> Unfortunately, ipt_owner (aka the 'owner' module) has been disabled
> since around 2.6.14 because it used/abused the then-existing
> task list lock. As of 2.6.24, the ipt_owner code looked like this:
> http://lxr.linux.no/linux+v2.6.24.7/net/ipv4/netfilter/ipt_owner.c and
> the module appears to have been dropped entirely in the 2.6.25 cycle.

Oh, thanks for pointing that out. That pretty much resolves most of the
questions anyway, then.

> The version of AppArmor in Intrepid should support some limited networking
> restrictions, but only at the protocol family/type level, not iptables
> like filtering (which is a long-time desired feature).

Yeah, I noticed that. So far I allow TCP and UDP, but nothing else
(that's why I asked about ICMP for pings, etc.).

Thanks,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
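As an added illustration (not part of Martin's or Steve's mail, and not
an actual Ubuntu guest-session profile), here is what a family/type-level
network restriction of the kind discussed above looks like as an AppArmor
profile fragment. The profile path /usr/local/bin/guest-session-example
is a placeholder chosen for the example; the rule form
"network [family] [type|protocol]," is the documented apparmor.d(5)
syntax.

```apparmor
# Added example, not from the original thread: an AppArmor profile fragment
# confining a hypothetical guest-session helper to TCP and UDP over IPv4.
# The profile path is a placeholder, not a real Ubuntu profile.
/usr/local/bin/guest-session-example {
  #include <abstractions/base>

  # Family/type-level rules: only TCP and UDP sockets over IPv4 may be created.
  network inet tcp,
  network inet udp,

  # Nothing else is granted, so a raw socket (which the classic ping uses
  # for ICMP echo) is refused. To permit that, one would add:
  #   network inet raw,
  # Note what cannot be expressed here: there is no per-destination or
  # per-port matching, i.e. none of the iptables-style filtering the
  # thread mentions as still missing.
}
```

Loading the profile with "apparmor_parser -r <profile file>" applies it
to the next execution of the confined binary; a socket() call for a
family/type not listed fails and the denial is logged by the kernel.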