Date: Thu, 7 Jul 2011 21:02:18 -0700
From: Matt Olander <matt@ixsystems.com>
To: Ilya Bakulin <webmaster@kibab.com>
Cc: freebsd-hackers@freebsd.org, "Robert N. M. Watson" <robert.watson@cl.cam.ac.uk>, Jonathan Anderson <jonathan.anderson@cl.cam.ac.uk>, Ben Laurie <benl@google.com>
Subject: Re: Capsicum project: Ideas needed
Message-ID: <CAK6u07UyQJyz%2BvXmxK1VA5vQPzRdL=7efFNtVRWshHkifK%2BH%2Bw@mail.gmail.com>
In-Reply-To: <4E167C94.70300@kibab.com>
References: <4E167C94.70300@kibab.com>

On Thu, Jul 7, 2011 at 8:42 PM, Ilya Bakulin <webmaster@kibab.com> wrote:
> Hi hackers,
> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> system, I want to ask you, which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed during initial
> Capsicum research project:
>  sshd: critical system service run by root;
>  gzip: utility that operates with potentially buggy compression code
>  tcpdump: contains complex packet-parsing code, run by root;
> I have added sandboxing to syslogd, because this is also a critical
> system service run by root.
> I'm also going to add sandboxing to xz (compression algorithms) and ntpd
> (critical system service run by root).
>
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
> But looking at gzip example I also think about text-processing tools in
> general.
>
> At the moment I prefer not to focus on applications that are used only
> on desktop system -- primary usage of FreeBSD is ultra-reliable serving
> platform, although iXSystems guys may correct me :-)

Haha, we will not disagree with you (yet!). This is a great project
and I appreciate your work on it.

What about inetd? Is that possible or does each service it supports
need sandboxing, too? How about sendmail and bind?

Cheers,
-matt