Date:      Sat, 16 Apr 2022 20:17:06 +0300
From:      George Diaconu <pgn.george@gmail.com>
To:        freebsd-hackers@freebsd.org
Cc:        Elena Mihailescu <maria.mihailescu@upb.ro>,  Șendre Mihai-Alin <mihai.alin.sendre@gmail.com>,  Darius MIHAI <darius.mihai@upb.ro>
Subject:   Linux capabilities to Capsicum
Message-ID:  <CAJ1Z2ub99U%2B2TVFs5qse_s=b8_zhjat_zfytYSQ2me1u0mQsGg@mail.gmail.com>

Hello,

Together with my colleagues we are trying to port OpenStack to FreeBSD. As
part of the process we need to modify a Python package used by OpenStack
called oslo_privsep. This package uses Linux capabilities to give OpenStack
services the least permissions they need.
Now as part of porting to FreeBSD we want to replace the Linux capabilities
with Capsicum. We found a list of Capsicum capabilities at [1]. So far we
found that the package uses at least the following 5 capabilities described
in [2]:
- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_SYS_PTRACE
- CAP_SYS_ADMIN

What would be the respective capabilities in Capsicum?

Thank you,
George

[1]
https://www.freebsd.org/cgi/man.cgi?query=rights&sektion=4&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports
[2] https://man7.org/linux/man-pages/man7/capabilities.7.html
