LSM stacking/secondary modules / RFC: Socket MAC LSM

Paul Menage menage at google.com
Thu Jan 15 09:29:09 PST 2009


On Thu, Jan 15, 2009 at 7:35 AM, Grzegorz Nosek <root at localdomain.pl> wrote:
>
> I guess the net result would comprise two parts:
>  - iptable_control, possibly based on Paul's code (hook
>   socket/connect/bind/accept calls into iptables)
>  - ipt_cgroup, matching the cgroup the requesting process is a member
>   of (I'd also need a target to remap the source address but it would
>   probably be a minor thing to do)
>

Right.

> One thing I'm not quite sure about is matching the cgroups. Should I
> attempt to match the cgroup path? Or some per-cgroup cookie stored in a
> virtual file? Both don't seem too pretty, need help :/

Use an approach similar to the net_cls cgroup subsystem in
net/sched/cls_cgroup.c. (Or possibly just expose and reuse the same
id).

Paul
