From: George Diaconu
Date: Sat, 16 Apr 2022 20:17:06 +0300
Subject: Linux capabilities to Capsicum
To: freebsd-hackers@freebsd.org
Cc: Elena Mihailescu, Șendre Mihai-Alin, Darius MIHAI
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Hello,

Together with my colleagues we are trying to port OpenStack to FreeBSD. As part of the process we need to modify a Python package used by OpenStack called oslo_privsep. This package uses Linux capabilities to give OpenStack services the least permissions they need.

Now as part of porting to FreeBSD we want to replace the Linux capabilities with Capsicum. We found a list of Capsicum capabilities at [1]. So far we found that the package uses at least the following 5 capabilities described in [2]:

- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_SYS_PTRACE
- CAP_SYS_ADMIN

What would be the respective capabilities in Capsicum?

Thank you,
George

[1] https://www.freebsd.org/cgi/man.cgi?query=rights&sektion=4&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports
[2] https://man7.org/linux/man-pages/man7/capabilities.7.html