Date: Sun, 15 Sep 2002 05:04:01 -0700 (PDT)
From: Julian Elischer
To: Pawel Jakub Dawidek
Cc: freebsd-hackers@freebsd.org, rwatson@freebsd.org
Subject: Re: Changing process informations.
In-Reply-To: <20020915114935.GU68652@garage.freebsd.pl>

On Sun, 15 Sep 2002, Pawel Jakub Dawidek wrote:

> On Sun, Sep 15, 2002 at 04:32:21AM -0700, Julian Elischer wrote:
> +>
> +> Ah I think I found the name for the OpenBSD version..
> +> I think it's called systrace..
>
> Nope. Systrace is working like old cerb version:
>
>     http://garage.freebsd.pl/cerb.tgz
>
> It can downgrade permission, deny some actions, but it cannot add any
> privileges. Cerb-ng is something different, check example configs.
>
> With cerb-ng You don't need any set-uid-root binaries or root daemons
> and much more.

If this is being done on -current then it occurs to me that you may be
able to make use of:

1/ the MAC stuff Rob Watson is doing
2/ the extended attribute stuff being done, where a program can store
   a lot of meta data with itself (like a MACOS data fork), including
   possibly the ruleset for itself.

Very cool.. do you have a writeup of cerb-ng?