Benefits

Control the objects used by one application

The Linux access control model is based on user identities and capacities.

But these do not allow to limit the universe of objects that an application can access.

  • e.g. an application can create a TCP connection to an IP address but not necessarily to any IP address.

Control the exposure of an application

An application can have multiple interfaces.

However, these interfaces may not need to be explored by all local or remote applications.

Last updated