> Filesystem Access Domain subsystem allows restriction of accessible
> filesystem parts for both individual users and programs. Now you can
> restrict user activities to only its home, mailbox etc. Filesystem Access
> Domains works on device, dir and individual file granularity.
>
> IP Labeling lists enable restriction on allowed network connections on per
> program basis. From now on, you may configure your policy so that no one
> except your favorite MTA can connect to remote port 25
How do you handle ptrace()? Per-program security seems -- quite
strange to me. Either you completely disallow ptrace(), or I can not
seee how per-program security can be usefull...
Pavel
-- Worst form of spam? Adding advertisment signatures ala sourceforge.net. What goes next? Inserting advertisment *into* email? - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/