Date: Sat, 16 Apr 2022 19:10:09 +0300
From: George Diaconu <pgn.george@gmail.com>
To: freebsd-questions@freebsd.org
Cc: Elena Mihailescu <maria.mihailescu@upb.ro>, Șendre Mihai-Alin <mihai.alin.sendre@gmail.com>, Darius MIHAI <darius.mihai@upb.ro>
Subject: Linux capabilities to Capsicum
Message-ID: <CAJ1Z2ub-v_tTME-toNgsuwVe4Dus3at0daMSC5S3CrhKQoDV3g@mail.gmail.com>

Hello,

Together with my colleagues we are trying to port OpenStack to FreeBSD. As part of the process we need to modify a Python package used by OpenStack called oslo_privsep. This package uses Linux capabilities to give OpenStack services the least permissions they need.

Now as part of porting to FreeBSD we want to replace the Linux capabilities with Capsicum. We found a list of Capsicum capabilities at [1]. So far we found that the package uses at least the following 5 capabilities described in [2]:
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_SYS_PTRACE
- CAP_SYS_ADMIN

What would be the respective capabilities in Capsicum?

Thank you,
George

[1] https://www.freebsd.org/cgi/man.cgi?query=rights&sektion=4&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports
[2] https://man7.org/linux/man-pages/man7/capabilities.7.html