Capsicum project: Ideas needed
matt at ixsystems.com
Fri Jul 8 04:25:30 UTC 2011
On Thu, Jul 7, 2011 at 8:42 PM, Ilya Bakulin <webmaster at kibab.com> wrote:
> Hi hackers,
> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
> system, I want to ask you, which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed during initial
> Capsicum research project:
> sshd: critical system service run by root;
> gzip: utility that operates with potentially buggy compression code
> tcpdump: contains complex packet-parsing code, run by root;
> I have added sandboxing to syslogd, because this is also a critical
> system service run by root.
> I'm also going to add sandboxing to xz (compression algorithms) and ntpd
> (critical system service run by root).
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> But looking at gzip example I also think about text-processing tools in
> At the moment I prefer not to focus on applications that are used only
> on desktop system -- primary usage of FreeBSD is ultra-reliable serving
> platform, although iXSystems guys may correct me :-)
Haha, we will not disagree with you (yet!). This is a great project
and I appreciate your work on it.
What about inetd? Is that possible or does each service it support
need sandboxing, too? How about sendmail and bind?
More information about the freebsd-hackers