[OLPC Security] P_NETWORK and system responsiveness

Michael Stone michael at laptop.org
Sat Dec 1 22:30:36 EST 2007


On Sat, Dec 01, 2007 at 06:45:12PM -0500, Albert Cahalan wrote:
> On Dec 1, 2007 5:33 PM, Michael Stone <michael at laptop.org> wrote:
> 
> > Since you seem to have deeper familiarity with the iptables stuff than I
> > do, would you be willing to contribute a patch on top of Marcus'
> > permissions work [1] that implements a basic on/off switch for IP-based
> > network access?
> 
> I'm happy to help, although my time is spread thin and
> that's a pile of python code. I could write a shell script
> for you. If you wish, you could translate from bash to python.
> Would that be much help?

That would be great.

> I'm thinking that the script might take a UID number as the
> first argument. Maybe there would be two scripts, for turning
> on and turning off. It may be better to have the script take a
> list of UIDs to block, or a list of UIDs to allow, with all the
> old state getting replaced.

I'm amenable to completely resetting the firewall state each time we
want to change it.

> I was suggesting just the opposite though. Step back
> and take a look at the situation we have. If a process
> misbehaves severely, the user will hit the power button.
> They will then NOT run that program again. This is OK.
> It's very simple. There are no limits or UI issues to
> bother with.
> 
> It is strongly desirable to let activities hog the CPU.
> This allows activities to do reliable low-latency audio,
> reliable experiment control, reliable radio modems, etc.
> Thus the restriction of SCHED_FIFO and SCHED_RR
> to root should be relaxed, as is done for many of the
> Linux distributions that are meant for musicians.

Ah, okay. Hmm. I don't currently know enough about the scheduler
subsystem to really evaluate the merit of your suggestion, but I will
certainly consider it as the need arises.

Anyway, thanks for your suggestions and for your assistance with the
first piece of the network isolation feature.

Michael
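The UID-based on/off switch sketched in this exchange, written out as a shell script. This is an added example, not a script from the thread, from Albert, or from the OLPC tree: it takes a list of UIDs to block and replaces all old state on every run, as discussed above. The chain name OLPC_NET and the use of the iptables "owner" match with REJECT are this example's assumptions; the script prints the iptables commands so the plan can be inspected without root, and applies them only when asked to.

```shell
#!/bin/sh
# Added example (not from the thread or from OLPC): rebuild a UID block list
# for outbound IP traffic, discarding whatever state a previous run left.
# Assumption: the chain name OLPC_NET is ours; the netfilter "owner" match
# (-m owner --uid-owner) is a standard iptables module.

CHAIN="OLPC_NET"

# Reject anything that is not a plain decimal UID before touching any rules,
# so a bad argument never leaves the firewall half-rebuilt.
validate_uids() {
    for uid in "$@"; do
        case "$uid" in
            ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;;
        esac
    done
}

# Print the iptables commands that replace all old state with a fresh block
# list for the given UIDs. Printing rather than executing lets the plan be
# reviewed (and tested) without root.
build_block_rules() {
    validate_uids "$@" || return 1
    # Tear down the previous state. The chain must be unhooked from OUTPUT
    # before it can be deleted; failures are ignored because nothing exists
    # on the first run.
    echo "iptables -D OUTPUT -j $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN 2>/dev/null || true"
    echo "iptables -X $CHAIN 2>/dev/null || true"
    echo "iptables -N $CHAIN"
    for uid in "$@"; do
        # REJECT rather than DROP: the blocked activity fails fast instead of
        # hanging on connect timeouts, which is what a user would notice.
        echo "iptables -A $CHAIN -m owner --uid-owner $uid -j REJECT"
    done
    # Hook the chain into OUTPUT last, so there is no window in which the
    # chain is referenced while still incomplete.
    echo "iptables -A OUTPUT -j $CHAIN"
}

# Execute the plan (needs root). Usage: apply_block_rules 1000 1001
# Calling it with no UIDs simply clears the block list.
apply_block_rules() {
    build_block_rules "$@" | sh -e
}

# Number of per-UID rules in a generated plan; a quick sanity check.
count_uid_rules() {
    build_block_rules "$@" | grep -c -- '--uid-owner'
}
```

Running `build_block_rules 1000 1001` shows the full plan; `apply_block_rules` pipes it through `sh -e` so the first failing iptables command aborts the rest. Since the owner match only applies to locally generated packets, this belongs in OUTPUT (or a chain hooked from it), which is exactly the per-activity isolation the thread is after.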

