Guest session network lockdown

Steve Beattie sbeattie at ubuntu.com
Thu Jul 31 19:44:39 BST 2008


On Thu, Jul 31, 2008 at 02:34:10PM +0200, Martin Pitt wrote:
> The spec also mentions restricting network access to the guest user.
> Standard TCP/UDP to the internet should of course be allowed in order
> to be useful, but it would be nice to e.g. disallow the usage of VPNs.
> This can be implemented with some iptables rules and the 'owner'
> module.

Unfortunately, ipt_owner (aka the 'owner' module) has been disabled
since around 2.6.14 because it used/abused the then-existing
task list lock. As of 2.6.24, the ipt_owner code looked like this:
http://lxr.linux.no/linux+v2.6.24.7/net/ipv4/netfilter/ipt_owner.c and
the module appears to have been dropped entirely in the 2.6.25 cycle.

The version of AppArmor in Intrepid should support some limited networking
restrictions, but only at the protocol family/type level, not iptables-like
filtering (which is a long-time desired feature).

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
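As an added example that is not part of the thread, the script below generates iptables OUTPUT rules along the lines Martin suggests, using the 'owner' match (-m owner --uid-owner, which continued to exist as xt_owner after the ipt_owner code discussed above was dropped); the guest uid 1001 and the chain name GUEST_OUT are assumptions, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread): emit OUTPUT rules that let one uid use
# plain TCP/UDP to the internet while refusing the IP protocols and tunnel
# interfaces that VPNs rely on. Nothing is applied; the rules are printed.

guest_net_rules() {
    uid="$1"                        # numeric uid of the guest account (assumed 1001)
    chain="${2:-GUEST_OUT}"         # chain name is an arbitrary, constructed choice
    printf 'iptables -N %s\n' "$chain"
    # Every packet the guest uid originates is diverted into our chain.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j %s\n' "$uid" "$chain"
    # Loopback stays usable (X11, D-Bus, local resolvers).
    printf 'iptables -A %s -o lo -j ACCEPT\n' "$chain"
    # No traffic through tunnel interfaces a VPN client would create.
    for dev in tun+ tap+ ppp+; do
        printf 'iptables -A %s -o %s -j REJECT\n' "$chain" "$dev"
    done
    # IP-level VPN protocols carry no TCP/UDP header, so reject them outright.
    for proto in esp ah gre; do
        printf 'iptables -A %s -p %s -j REJECT\n' "$chain" "$proto"
    done
    # Ordinary TCP and UDP remain allowed; anything else is refused.
    printf 'iptables -A %s -p tcp -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -p udp -j ACCEPT\n' "$chain"
    printf 'iptables -A %s -j REJECT\n' "$chain"
}

# Number of '-A' rules produced, for a quick sanity check before applying.
guest_rule_count() { guest_net_rules "$1" | grep -c '^iptables -A'; }

guest_net_rules "${1:-1001}"
```

The owner match only sees packets the guest uid itself sends, so a VPN helper running as root on the guest's behalf is not covered and must be restricted separately (for example by not exposing such helpers to the guest session at all).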