Subject: Re: allowing unpriv users to bind to priv ports
To: Joe Reed <jnr@po.cwru.edu>
From: Luke Mewburn <lukem@wasabisystems.com>
List: tech-kern
Date: 09/26/2002 11:02:44
On Wed, Sep 25, 2002 at 08:52:04PM -0400, Joe Reed wrote:
  | 
  | > *however*, we now have systrace in the tree, and that allows much more
  | > granular control over what system calls may be called.  I have been
  | > meaning to test the following concept for a while:
  | >     *	define IPNOPRIVPORTS in my kernel
  | >     *	set a systrace policy to allow certain uids or gids to bind to
  | >		a specific port (e.g., "uid=named to tcp/udp port 53")
  | >     *	set a default systrace policy; prevent uid!=0 from binding
  | >		port < 1024
  | 
  | i have thought of this too, however this follows the paradigm of "having an 
  | insecure system, then using rules to lock it down."  my patch follows the 
  | paradigm of "have a locked down system, and only open what you want."  both 
  | are effective, when done right.  but personally, i'd rather start with 
  | default security.

In general, if systrace can do what we want as a general solution,
it's what we'll use (versus adding yet more custom hackery to the kernel).
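As an added illustration of the three quoted bullets (not a policy from either poster or from the NetBSD tree), here is what such a systrace policy could look like next to a kernel built with IPNOPRIVPORTS; the program path, emulation name and user name are assumptions, and the `if user` predicate and its `=`/`!=` spelling are written from memory of the systrace(1) grammar and should be checked against the installed man page.

```text
# Constructed example policy; the path, emulation name and user "named" are assumptions.
Policy: /usr/sbin/named, Emulation: netbsd
	# Open only what is wanted: the name server may bind the DNS port when it runs as "named".
	netbsd-bind: sockaddr match "inet-*:53" then permit, if user = named
	# With IPNOPRIVPORTS the kernel no longer refuses ports below 1024 to uid != 0,
	# so every other bind by a non-root process is refused here instead.
	netbsd-bind: sockaddr match "inet-*:*" then deny[eacces], if user != root
	netbsd-bind: sockaddr match "inet-*:*" then permit, if user = root
```

Because systrace only mediates processes started under it, this deny rule restores the old port check only for traced programs, which is the "insecure system, then lock it down" trade-off Joe's reply points at.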