Date: Fri, 16 Nov 2007 16:28:56 +0000 (GMT)
From: Robert Watson <rwatson@FreeBSD.org>
To: Andrea Campi <andrea+freebsd_hackers@webcom.it>
Cc: dexterclarke@Safe-mail.net, freebsd-hackers@freebsd.org, trustedbsd-discuss@freebsd.org
Subject: Re: A TrustedBSD "voluntary sandbox" policy.
Message-ID: <20071116162716.D10677@fledge.watson.org>
In-Reply-To: <20071108140627.GI82877@webcom.it>
References: <N1-_PYrd0nIeB@Safe-mail.net> <20071108140627.GI82877@webcom.it>
On Thu, 8 Nov 2007, Andrea Campi wrote:

> On Wed, Nov 07, 2007 at 10:20:28PM -0500, dexterclarke@Safe-mail.net wrote:
>
>> I'm considering developing a policy/module for TrustedBSD loosely based on
>> the systrace concept - A process loads a policy and then executes another
>> program in a sandbox with fine grained control over what that program can
>> do.
> ...
>> Please note that the 'policy' given on the command line is purely for the
>> sake of example, no syntax or semantics have been decided upon.
>
> Can't comment on the implementation or wider issues, but if you pursue this,
> please have a look at how MacOS Leopard does it (Seatbelt). Would be nice to
> converge on both syntax (a Schema dialect) and tools names / command line
> args--or if converging is not possible, at least know where and why and make
> a conscious decision.

FYI, Seatbelt is based on the Mac OS X port of the TrustedBSD MAC Framework, which, while it has some significant changes (some now present in the 8-CURRENT branch of FreeBSD), may well be a good starting point. Last I checked, the source for Seatbelt wasn't yet available, but there was hope it would be available in the near future. A port of the policy to FreeBSD sounds like it would be very interesting to do, and might provide a nice starting point rather than having to write up a policy from scratch.

Robert N M Watson
Computer Laboratory
University of Cambridge
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071116162716.D10677>