UidBind LSM

This simple module allows calls to bind() only from the uids/gids defined in a configfs tree.


Admin joe has loaded the uidbind module; then User sam (uid 1017) tries to bind() port 8081:

	sam@hell:~$ nc -l -p 8081
	Can't grab with bind : Operation not permitted
Now, Admin joe goes to /config/uidbind and...

	root@hell:/config/uidbind: mkdir 8081
	root@hell:/config/uidbind: cat 8081/uid
	root@hell:/config/uidbind: echo 1017 >8081/uid
	root@hell:/config/uidbind: cat 8081/uid

...then User sam retries binding:
		sam@hell:~$ nc -l -p 8081
...now it works and sam is happy

Admin joe has 2 ipv4 addresses configured on his server ( and and he wants to assign port 8082 to 2 different users:
tom (uid 1017) and rob (uid 1026)
		root@hell:/config/uidbind: mkdir 8082
		root@hell:/config/uidbind: mkdir 8082/
		root@hell:/config/uidbind: mkdir 8082/
		root@hell:/config/uidbind: echo 1017 > 8082/
		root@hell:/config/uidbind: echo 1026 > 8082/

...now tom can bind port 8082 on address and rob on address

But Admin joe is paranoid and knows that rob needs only port 8082 on udp:
		root@hell:/config/uidbind: echo 0 > 8082/	
		root@hell:/config/uidbind: echo 1026 > 8082/	

Admin joe now wants to allow bind() on port 8083 to all members of group "binders" (gid 1717):
		root@hell:/config/uidbind: mkdir 8083
		root@hell:/config/uidbind: echo 1717 >8083/gid

...but User dom (uid 1030) needs to bind() on all udp ports still unconfigured by Admin joe:
		root@hell:/config/uidbind: mkdir all
		root@hell:/config/uidbind: echo 1030 >all/udp_uid

Admin joe now wants only python scripts owned by User dom to be able to bind() port 8017:
		root@hell:/config/uidbind: mkdir 8017
		root@hell:/config/uidbind: echo 1030 >8017/uid
		root@hell:/config/uidbind: echo python >8017/comm
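As an added example (not code from the uidbind module or its patch), here is a userspace dry-run of the bind() decision these examples imply, so an admin can check a tree like the one above before depending on it. The attribute semantics in the comments are assumptions, since the page only shows them by example, and the per-address subdirectories are not modelled.

```sh
# Added example, not part of uidbind: re-implement the bind() verdict in
# userspace to dry-run a /config/uidbind tree. Assumed semantics: an
# attribute that is missing, empty or 0 is "unset"; a port with its own
# directory is decided only by that directory (comm must match when set,
# then uid or gid must match); a port without one falls back to
# all/<proto>_uid; everything else is denied, root included.
UIDBIND_ROOT="${UIDBIND_ROOT:-/config/uidbind}"

# attr DIR NAME: print the attribute's value, or 0 when it is unset
attr() {
    v=""
    [ -r "$1/$2" ] && v=$(cat "$1/$2")
    printf '%s\n' "${v:-0}"
}

# uidbind_check PORT PROTO UID GID COMM: return 0 if bind() would be allowed
uidbind_check() {
    port=$1
    proto=$2
    uid=$3
    gid=$4
    comm=$5
    dir="$UIDBIND_ROOT/$port"
    if [ ! -d "$dir" ]; then
        # unconfigured port: only the catch-all "all" directory applies
        want=$(attr "$UIDBIND_ROOT/all" "${proto}_uid")
        [ "$want" != 0 ] && [ "$want" = "$uid" ] && return 0
        return 1
    fi
    # comm restriction: the caller's command name must match when set
    want=$(attr "$dir" comm)
    if [ "$want" != 0 ] && [ "$want" != "$comm" ]; then
        return 1
    fi
    want=$(attr "$dir" uid)
    [ "$want" != 0 ] && [ "$want" = "$uid" ] && return 0
    want=$(attr "$dir" gid)
    [ "$want" != 0 ] && [ "$want" = "$gid" ] && return 0
    return 1
}

# report PORT PROTO UID GID COMM: print the verdict for the admin
report() {
    if uidbind_check "$@"; then
        echo "allow: uid=$3 gid=$4 comm=$5 -> $2/$1"
    else
        echo "deny:  uid=$3 gid=$4 comm=$5 -> $2/$1"
    fi
}
```

Run it with UIDBIND_ROOT pointing at the mounted configfs, e.g. `report 8017 tcp 1030 100 python`; note that comm is only the process name, not the executable's identity.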

You can download the uidbind module here:

patch against vanilla 2.6.21: uidbind-lsm-0.4.patch

You need (obviously) the LSM framework and a system with configfs enabled:
	root@hell: modprobe configfs
	root@hell: mount -t configfs none /config