From: Patrick Proniewski
Date: Thu, 9 Nov 2006 09:40:53 +0100
To: "mal content"
Cc: freebsd-security@freebsd.org
Subject: Re: Sandboxing

On 9 nov. 06, at 09:17, mal content wrote:

>> man jail(8)
>
> A full jail is quite extreme, don't you think? Besides, it'd be
> tricky to allow a jailed program to write to ~/.mozilla and /tmp.

A full jail is for beginners ;)
You can jail a program with only minimum /dev/ and libs, like it was done with named before FreeBSD chose to chroot by default. Depending on what you want to jail, it can be more or less complicated.
Maybe MAC and ACL is the way to go for you, I don't know.

patpro
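
The minimal-jail approach mentioned in the message above can be sketched as follows. This is an added example, not part of the original thread; the function names and the jail root layout are hypothetical, and the jail(8) arguments in the closing comment are placeholders.

```shell
#!/bin/sh
# Added example: populate a jail root with one program, the shared
# libraries it links against, an empty /dev and a writable /tmp.
# Function names and layout are assumptions, not from the thread.

# Print the absolute path of every shared object ldd reports for a binary.
# Skips the "/path/to/bin:" header line that FreeBSD's ldd prints first.
list_libs() {
    ldd "$1" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^\// && $i !~ /:$/) { print $i; break } }' |
        sort -u
}

# Copy one file into the jail root, keeping its absolute path.
copy_into() {
    root=$1
    src=$2
    mkdir -p "$root$(dirname "$src")"
    cp "$src" "$root$src"
}

# Build the minimal tree for a single program.
populate_jail() {
    root=$1
    bin=$2
    mkdir -p "$root/dev" "$root/tmp"
    chmod 1777 "$root/tmp"
    copy_into "$root" "$bin"
    for lib in $(list_libs "$bin"); do
        copy_into "$root" "$lib"
    done
    # On FreeBSD the runtime linker is not listed by ldd; copy it if present.
    if [ -e /libexec/ld-elf.so.1 ]; then
        copy_into "$root" /libexec/ld-elf.so.1
    fi
    return 0
}

# On FreeBSD, as root, the tree is then used along these lines
# (hostname, address and program path are placeholders):
#   mount -t devfs devfs "$root/dev"   # then restrict it with a devfs(8) ruleset
#   jail "$root" sandbox.example 192.0.2.10 /path/to/program
```

Anything the program opens at run time (configuration files, resolver data, files under its home directory) is not found by ldd and has to be added to the tree by hand.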