Capsicum project: Ideas needed

Robert N. M. Watson robert.watson at cl.cam.ac.uk
Fri Jul 8 12:08:02 UTC 2011


On 8 Jul 2011, at 05:02, Matt Olander wrote:

> What about inetd? Is that possible or does each service it support
> need sandboxing, too? How about sendmail and bind?

I'm less concerned about the core connection juggling content of inetd than the external services it launches -- however, inetd has a number of built-in services that do interpret and manipulate untrustworthy data (even if only in basic ways), and directly sandboxing them with Capsicum would be very useful.

I'd also like to see some focus on network command line tools -- especially things like dig, ping, finger, host, etc., which tend to not need access to things after some threshold moment, and/or can motivate compartmentalisation work on libraries such as the resolver. At this point we should go for easy wins with 100% correctness.

(Getting a version of the resolver working with sandboxed Capsicum stuff seems like a priority: it's a known issue with our sandboxed tcpdump, so modifying lwresd or similar so it can work with UNIX domain sockets, and teaching the resolver code to use them, would be excellent.)

Robert
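The "threshold moment" pattern Robert describes for tools like dig or host, shown as an added example that is not part of the original message and not FreeBSD or Capsicum project code: the program acquires every descriptor it will need, narrows the rights on each one, then calls cap_enter() so that path lookups and new connections are no longer possible, and only afterwards processes untrusted input. It assumes the current Capsicum API (cap_enter(2), cap_rights_init and cap_rights_limit(2), introduced after this 2011 message) and uses a pipe carrying constructed sample records as a stand-in for the network or file input a real tool would open before the threshold. On hosts without Capsicum the sandbox calls are compiled out so the control flow can still be run and read.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Enter Capsicum capability mode.  Returns 1 when the process is now
 * sandboxed, 0 when this build has no Capsicum (non-FreeBSD hosts), and
 * -1 on a real failure.  After cap_enter() the global namespaces (open(2)
 * by path, connect(2) to new addresses, ...) are closed off; only
 * descriptors already held remain usable, which is the "threshold". */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    if (cap_enter() == -1)
        return (errno == ENOSYS) ? 0 : -1;
    return 1;
#else
    return 0; /* assumption: no Capsicum on this host, sandbox step skipped */
#endif
}

/* Narrow an already-open descriptor to read-only use before crossing the
 * threshold.  On FreeBSD this is cap_rights_limit(2); elsewhere a no-op. */
static int limit_to_read(int fd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    return cap_rights_limit(fd, &rights);
#else
    (void)fd;
    return 0;
#endif
}

/* Work done after the threshold: consume untrusted input only through the
 * descriptor acquired earlier.  Returns the number of newline-terminated
 * records, or -1 on a read error. */
static int count_records(int fd)
{
    char buf[256];
    ssize_t n;
    int records = 0;

    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++)
            if (buf[i] == '\n')
                records++;
    }
    return (n < 0) ? -1 : records;
}

/* Hypothetical tool flow (constructed for this example): acquire
 * everything up front, cross the threshold, then parse.  Returns the
 * record count, or -1 on failure. */
int demo_threshold_sandbox(void)
{
    int pfd[2];
    const char *sample = "host-a\nhost-b\nhost-c\n"; /* constructed input */

    if (pipe(pfd) == -1)
        return -1;
    /* "Before threshold" phase: a real tool would open its config, its
     * resolver socket and its output descriptor here, while it still can. */
    if (write(pfd[1], sample, strlen(sample)) < 0) {
        close(pfd[0]);
        close(pfd[1]);
        return -1;
    }
    close(pfd[1]);
    if (limit_to_read(pfd[0]) == -1 || enter_sandbox() == -1) {
        close(pfd[0]);
        return -1;
    }
    /* "After threshold" phase: only the retained descriptor is reachable. */
    int records = count_records(pfd[0]);
    close(pfd[0]);
    return records;
}

int main(void)
{
    int records = demo_threshold_sandbox();
    printf("records parsed inside sandbox: %d\n", records);
    return records < 0 ? 1 : 0;
}
```

The point of the ordering is that the parser, which handles the untrusted bytes, runs only once cap_enter() has taken effect; a bug there cannot open files by path or reach the network because those operations fail with ECAPMODE rather than succeed. This is exactly why the resolver is awkward for such tools: name lookups after the threshold need a descriptor opened beforehand (the lwresd-over-UNIX-socket idea in the message) rather than fresh connections.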

