From owner-freebsd-hackers@FreeBSD.ORG Mon Jul 11 12:08:06 2011 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 53231106566B; Mon, 11 Jul 2011 12:08:06 +0000 (UTC) (envelope-from webmaster@kibab.com) Received: from mx0.deglitch.com (cl-414.sto-01.se.sixxs.net [IPv6:2001:16d8:ff00:19d::2]) by mx1.freebsd.org (Postfix) with ESMTP id 0488E8FC12; Mon, 11 Jul 2011 12:08:06 +0000 (UTC) Received: from zugang.kibab.com (unknown [78.110.54.255]) by mx0.deglitch.com (Postfix) with ESMTPA id 435EB8FC2E; Mon, 11 Jul 2011 16:08:00 +0400 (MSD) Received: from 139.149.1.231 (SquirrelMail authenticated user kibab) by zugang.kibab.com with HTTP; Mon, 11 Jul 2011 16:08:01 +0400 Message-ID: In-Reply-To: <4E18D88B.4060805@FreeBSD.org> References: <4E167C94.70300@kibab.com> <4E186B89.8080003@FreeBSD.org> <4E18D88B.4060805@FreeBSD.org> Date: Mon, 11 Jul 2011 16:08:01 +0400 From: "Ilya Bakulin" To: "Doug Barton" User-Agent: SquirrelMail/1.4.21 MIME-Version: 1.0 Content-Type: text/plain;charset=utf-8 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Cc: freebsd-hackers@freebsd.org Subject: Re: Capsicum project: Ideas needed X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jul 2011 12:08:06 -0000 chroot constraints only filesystem namespace, but doesn't prevent process from sending/receiving data via network, or from accessing other global namespaces such as PID namespace, SHM namespace, and from executing any system calls. In contract to chroot, Capsicum framework significantly increases application security by restricting access to all mentioned namespaces. More information about Capsicum, its design and goals is available here: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf On Sun, July 10, 2011 2:39 am, Doug Barton wrote: > On 07/09/2011 07:54, Gabor Kovesdan wrote: >> Anyway, consider sendmail and BIND. I think these are important enough >> to get some more protection. > > What additional protection could capsicum offer beyond chroot'ing? > (That's not a snark, I don't quite understand all the moving parts here.) > > > Doug > > -- > > Nothin' ever doesn't change, but nothin' changes much. > -- OK Go > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > > !DSPAM:4e18d8b510435369347983! > > > -- Regards, Ilya Bakulin http://kibab.com xmpp://kibab612@jabber.ru