by koprulusector
1132 days ago
This part is so cool:

> Please note that network namespaces, actually Linux namespaces in general, have no influence on existing file handles. Therefore, if your application possesses a file handle to a socket from another network namespace, it can use it in the new network namespace smoothly.
>
> This is a useful feature as it allows creating network servers that can serve a listening socket but are disconnected from the outside world. If an attacker manages to overtake the application, they are unable to create a new socket. Here you can find a sample application that outlines the idea.
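The pattern described in the quoted passage, written out as an added example (this is not code from the original comment or from the article it quotes): the server binds its listening socket first, then calls `unshare()` to move itself into a brand-new network namespace. The inherited listener keeps accepting clients that connect from the original namespace, while any new connection the server process itself tries to open from inside the empty namespace fails, because the only interface there is a loopback that is down. The code assumes Linux with either unprivileged user namespaces enabled or `CAP_SYS_ADMIN`; where neither is available, `demo()` reports that and skips rather than failing.

```c
/* Added example: listening socket survives unshare(CLONE_NEWNET).
 * Assumes Linux; needs unprivileged user namespaces or CAP_SYS_ADMIN. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind a TCP listener on 127.0.0.1 with an ephemeral port.
 * On success the bound address (with the chosen port) is written to *addr. */
static int make_listener(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;                      /* kernel picks a free port */
    socklen_t len = sizeof *addr;
    if (bind(fd, (struct sockaddr *)addr, len) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Open an outbound TCP connection to addr and send one byte.
 * Returns 0 on success, -1 if the connection could not be made. */
static int try_connect(const struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = connect(fd, (const struct sockaddr *)addr, sizeof *addr);
    if (rc == 0) {
        ssize_t n = write(fd, "x", 1);       /* marker byte for the server */
        (void)n;
    }
    close(fd);
    return rc;
}

/* Runs the whole demonstration.
 *   0  -> inherited listener served a client AND outbound connect failed
 *   1  -> this system does not let us create a network namespace (skipped)
 *  -1  -> something unexpected happened */
int demo(void) {
    struct sockaddr_in addr;
    int lfd = make_listener(&addr);
    if (lfd < 0) return -1;

    /* The client is forked BEFORE unshare(), so it stays in the original
     * network namespace, where the listener's address is reachable. */
    pid_t pid = fork();
    if (pid < 0) { close(lfd); return -1; }
    if (pid == 0) _exit(try_connect(&addr) == 0 ? 0 : 1);

    /* Server moves into a fresh, empty network namespace. Try the
     * unprivileged route (user ns + net ns) first, then plain net ns (root). */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0 && unshare(CLONE_NEWNET) < 0) {
        close(lfd);
        waitpid(pid, NULL, 0);
        return 1;
    }

    /* The inherited file descriptor still belongs to the old namespace:
     * the queued client connection can be accepted from here. */
    int served = 0;
    struct pollfd p = { .fd = lfd, .events = POLLIN };
    if (poll(&p, 1, 5000) == 1) {
        int cfd = accept(lfd, NULL, NULL);
        if (cfd >= 0) {
            char b = 0;
            served = (read(cfd, &b, 1) == 1 && b == 'x');
            close(cfd);
        }
    }

    /* A NEW connection attempted from inside the empty namespace fails:
     * the same 127.0.0.1:port that the client just reached is unreachable. */
    int outbound_blocked = (try_connect(&addr) < 0);

    int status = 0;
    waitpid(pid, &status, 0);
    close(lfd);
    int client_ok = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return (served && outbound_blocked && client_ok) ? 0 : -1;
}

int main(void) {
    int r = demo();
    if (r == 0) puts("inherited listener served a client; new outbound connect blocked");
    else if (r == 1) puts("skipped: cannot create a network namespace here");
    else puts("unexpected failure");
    return r == -1;
}
```

Note that the server in the new namespace can still call `socket()`; what fails is reaching anything with it, which is the property the quoted passage relies on. The same trick applies to a UNIX domain listener or any other inherited descriptor, and it composes with `seccomp` or dropping capabilities for the remaining attack surface.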