Guest session network lockdown

Martin Pitt martin.pitt at
Fri Aug 1 07:30:26 BST 2008

Steve Beattie [2008-07-31 11:44 -0700]:
> Unfortunately, ipt_owner (aka the 'owner' module) has been disabled
> since around 2.6.14 because it used/abused the then-existing
> task list lock. As of 2.6.24, the ipt_owner code looked like this:
> and
> the module appears to have been dropped entirely in the 2.6.25 cycle.

Oh, thanks for pointing that out. That pretty much resolves most of the
questions anyway, then.

> The version of AppArmor in Intrepid should support some limited networking
> restrictions, but only at the protocol family/type level, not iptables-like
> filtering (which is a long-time desired feature).

Yeah, I noticed that. So far I allow TCP and UDP, but nothing else so
far (that's why I asked about ICMP for pings, etc.)


Martin Pitt                        |
Ubuntu Developer (  | Debian Developer  (
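
An AppArmor profile fragment illustrating the family/type-level network rules discussed in this message. It is an added example, not the guest session profile from this thread; the profile path and the inclusion of IPv6 are assumptions.

```apparmor
# Constructed example profile; the path is hypothetical.
/usr/local/bin/guest-session-example {
  # Network rules select on address family and socket type only.
  # TCP (stream) and UDP (dgram) sockets:
  network inet stream,
  network inet dgram,
  network inet6 stream,    # IPv6 is an assumption, not stated in the thread
  network inet6 dgram,

  # Not granted: raw sockets, which ping uses to send ICMP echo requests.
  # Allowing ping from inside this profile would need both of:
  #   network inet raw,
  #   capability net_raw,

  # These rules cannot name a destination address or port, so they do not
  # replace per-user packet filtering of the kind ipt_owner used to provide.
}
```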

More information about the ubuntu-devel mailing list