Date: Mon, 11 Jul 2011 16:08:01 +0400 From: "Ilya Bakulin" <webmaster@kibab.com> To: "Doug Barton" <dougb@FreeBSD.org> Cc: freebsd-hackers@freebsd.org Subject: Re: Capsicum project: Ideas needed Message-ID: <f4fefa42cac889f8e8726cededf32c14.squirrel@zugang.kibab.com> In-Reply-To: <4E18D88B.4060805@FreeBSD.org> References: <4E167C94.70300@kibab.com> <iv6ss5$1h5$1@dough.gmane.org> <4E186B89.8080003@FreeBSD.org> <4E18D88B.4060805@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
chroot constraints only filesystem namespace, but doesn't prevent process from sending/receiving data via network, or from accessing other global namespaces such as PID namespace, SHM namespace, and from executing any system calls. In contract to chroot, Capsicum framework significantly increases application security by restricting access to all mentioned namespaces. More information about Capsicum, its design and goals is available here: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf On Sun, July 10, 2011 2:39 am, Doug Barton wrote: > On 07/09/2011 07:54, Gabor Kovesdan wrote: >> Anyway, consider sendmail and BIND. I think these are important enough >> to get some more protection. > > What additional protection could capsicum offer beyond chroot'ing? > (That's not a snark, I don't quite understand all the moving parts here.) > > > Doug > > -- > > Nothin' ever doesn't change, but nothin' changes much. > -- OK Go > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" > > !DSPAM:4e18d8b510435369347983! > > > -- Regards, Ilya Bakulin http://kibab.com xmpp://kibab612@jabber.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?f4fefa42cac889f8e8726cededf32c14.squirrel>