Capsicum project: Ideas needed
Doug Barton
dougb at FreeBSD.org
Tue Jul 12 00:44:15 UTC 2011
On 07/11/2011 05:08, Ilya Bakulin wrote:
> chroot constrains only the filesystem namespace, but doesn't prevent a process
> from sending/receiving data via the network,
... which is kind of important for DNS software. :)
> or from accessing other global
> namespaces such as PID namespace, SHM namespace, and from executing any
> system calls.
Fair enough, although I'd love to see an actual threat analysis before I
concluded that BIND should be close to the top of the list.
Thanks for the response,
Doug
--
Nothin' ever doesn't change, but nothin' changes much.
-- OK Go
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
More information about the freebsd-hackers mailing list