Date: Sat, 09 Jul 2011 15:54:01 +0100 From: Gabor Kovesdan <gabor@FreeBSD.org> To: freebsd-hackers@freebsd.org Subject: Re: Capsicum project: Ideas needed Message-ID: <4E186B89.8080003@FreeBSD.org> In-Reply-To: <iv6ss5$1h5$1@dough.gmane.org> References: <4E167C94.70300@kibab.com> <iv6ss5$1h5$1@dough.gmane.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Em 08-07-2011 13:23, Ivan Voras escreveu: > On 08/07/2011 05:42, Ilya Bakulin wrote: >> Hi hackers, >> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base >> system, I want to ask you, which applications in the base system should >> receive sandboxing support. > > How about a small description what sandboxing can bring to applications? > > I'm browsing the documents at > http://www.cl.cam.ac.uk/research/security/capsicum/documentation.html > but it looks like it still mostly describes the generic framework > rather than what you can do with it. From it, it looks like you can > set limits on file handle operations (e.g. (lc_limitfd(STDOUT_FILENO, > CAP_FSTAT | CAP_SEEK | CAP_WRITE)), but what else? Yes, I've been reading the thread and I don't know either what are the deliverables of a Capsicum sandbox. Anyway, consider sendmail and BIND. I think these are important enough to get some more protection. Gabor
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E186B89.8080003>