On 22.12.2014 at 11:49, Florian Weimer wrote:
> On 12/21/2014 05:28 PM, Björn Persson wrote:
>
>> Alternatively, cut out the packet filter and have GlibC ask the user
>> whether the call to bind or connect shall be allowed to succeed (or
>> automatically allow or deny the call if so configured). This has the
>> advantage that the program is informed that it's not allowed to
>> communicate.
>
> glibc is the wrong place for this, and a patch in this direction has
> absolutely zero chance of being accepted upstream.  We also ship
> applications which call system calls directly, not through glibc, so
> patching glibc would not even work at a technical level.
>
> However, a Linux Security Module such as SELinux could audit socket
> creation, and provide the user with means to override the default
> choices.  However, this will be extremely controversial (even more so
> than the open firewall) because it will remind people of “personal
> firewalls” on Windows.

And exactly the behavior of "personal firewalls" on Windows is needed when somebody insinuates users can't handle a static firewall configuration at all and a few broken applications with random ports don't get fixed by intention.


-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
