Date:      Fri, 08 Jul 2011 14:23:33 +0200
From:      Ivan Voras <ivoras@freebsd.org>
To:        freebsd-hackers@freebsd.org
Subject:   Re: Capsicum project: Ideas needed
Message-ID:  <iv6ss5$1h5$1@dough.gmane.org>
In-Reply-To: <4E167C94.70300@kibab.com>
References:  <4E167C94.70300@kibab.com>

On 08/07/2011 05:42, Ilya Bakulin wrote:
> Hi hackers,
> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> system, I want to ask you, which applications in the base system should
> receive sandboxing support.

How about a small description of what sandboxing can bring to applications?

I'm browsing the documents at 
http://www.cl.cam.ac.uk/research/security/capsicum/documentation.html 
but it looks like it still mostly describes the generic framework rather 
than what you can do with it. From it, it looks like you can set limits
on file handle operations (e.g. lc_limitfd(STDOUT_FILENO, CAP_FSTAT |
CAP_SEEK | CAP_WRITE)), but what else?
