Date: Sun, 25 Oct 2020 12:39:26 +0400
From: Gleb Popov <arrowd@freebsd.org>
To: freebsd-hackers <freebsd-hackers@freebsd.org>
Subject: Mapping Linux capabilities(7) to our Capsicum rights(4)
Message-ID: <CALH631mtv0yFUVwKEwgHPg7_TP9WLdAuQMv=-e1YY3OvR86xsQ@mail.gmail.com>

Hello hackers!

I'm porting software that employs Linux capabilities to constrain the
running process. The code looks like this:

    if (!haveCapability(CAP_SYS_CHROOT) ||
        !haveCapability(CAP_MKNOD) ||
        !haveCapability(CAP_FOWNER)) {
        errorOut();
    }

    dropCapability(CAP_SYS_CHROOT);
    dropCapability(CAP_MKNOD);
    dropCapability(CAP_FOWNER);

The CAP_MKNOD looks much like our CAP_MKNODAT. The CAP_FOWNER looks more
complex, but it seems it is implemented at higher granularity in Capsicum.
Finally, I haven't found anything for CAP_SYS_CHROOT.

I'll continue digging into this, but any hints would be appreciated.

Thanks in advance.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALH631mtv0yFUVwKEwgHPg7_TP9WLdAuQMv=-e1YY3OvR86xsQ>