capsicum and netmap ?

Brooks Davis brooks at freebsd.org
Mon Sep 29 17:27:15 UTC 2014


On Mon, Sep 29, 2014 at 05:30:43PM +0200, Luigi Rizzo wrote:
> 
> Hi,
> while trying the netmap-enabled libpcap library with tcpdump, i
> noticed it fails to return data on a kernel with capsicum (the
> string "capability mode sandbox enabled" made me suspicious, and
> removing the cap_*() calls from tcpdump.c seems to make things
> work again).
> 
> Would anyone be able to point me what should be done in the netmap
> kernel module to make it work with capsicum ?
> 
> I am sure the cambridge folks are very interested in this :)

Without knowing what modifications have been made to libpcap, it's hard
to say what you need to change, but the short version is that once
cap_enter is called, you must not attempt to open any file handles as
that won't work.  I can't think of any other likely cause.  Are all
the returns of all open(), socket(), etc. calls checked?

In practice that means that either opening files must come earlier, or
a signaling mechanism needs to be added to tcpdump and libpcap to tell
tcpdump not to enter capability mode when using netmap.

-- Brooks