Guest session network lockdown
martin.pitt at ubuntu.com
Fri Aug 1 07:30:26 BST 2008
Steve Beattie [2008-07-31 11:44 -0700]:
> Unfortunately, ipt_owner (aka the 'owner' module) has been disabled
> since around 2.6.14 because it used/abused the then-existing
> task list lock. As of 2.6.24, the ipt_owner code looked like this:
> http://lxr.linux.no/linux+v18.104.22.168/net/ipv4/netfilter/ipt_owner.c and
> the module appears to have been dropped entirely in the 2.6.25 cycle.
Oh, thanks for pointing that out. That pretty much resolves most of the
questions anyway, then.
> The version of AppArmor in Intrepid should support some limited networking
> restrictions, but only at the protocol family/type level, not iptables
> like filtering (which is a long-time desired feature).
Yeah, I noticed that. So far I allow TCP and UDP, but nothing else
(that's why I asked about ICMP for pings, etc.)
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
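As an added illustration of the family/type-level restriction discussed above (not a profile from the thread, from Ubuntu, or from the AppArmor project), the fragment below shows what "allow TCP and UDP, but nothing else" looks like as AppArmor network rules. It assumes the network rule syntax documented in today's apparmor.d(5); the profile path and name are placeholders, and the abstraction includes are the usual ones rather than anything the thread specifies.

```apparmor
# Added example: AppArmor network rules at the address family / socket type level.
# Path below is a hypothetical placeholder for the guest-session launcher.
#include <tunables/global>

/usr/lib/gdm/guest-session-wrapper {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # IPv4 and IPv6 TCP (stream) and UDP (dgram) sockets are permitted.
  network inet stream,
  network inet dgram,
  network inet6 stream,
  network inet6 dgram,

  # Ping needs a raw socket; there is no "network inet raw," rule, so socket()
  # for SOCK_RAW is refused. Everything not listed is denied by default; the
  # explicit deny below just makes that intent visible in the profile.
  deny network raw,

  # Note: these rules cannot express destination addresses or ports. That is
  # the iptables-style filtering the thread says AppArmor does not provide.
}
```

After installing the file under /etc/apparmor.d/, load it with `apparmor_parser -r` on that file and try a ping from the confined session: the refused socket creation shows up in the kernel log as an `apparmor="DENIED" operation="create"` line with `family="inet" sock_type="raw"`, which is the check that confirms the rule set behaves as intended.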