LSM stacking/secondary modules / RFC: Socket MAC LSM

Paul Menage menage at google.com
Thu Jan 15 09:25:34 PST 2009


On Thu, Jan 15, 2009 at 5:57 AM, Stephan Peijnik <stephan at peijnik.at> wrote:
>
> So Paul, do you think the interface would be of any use to you?

Potentially, yes. My concern was that we not add another new
(incomplete) userspace API in cgroups for doing socket permissions -
hooking into iptables was one way to do it, but if sactl is going to
become the official way to do this, then hooking a cgroups filter into
that seems like a good alternative.

Paul


More information about the Containers mailing list