Capsicum project: Ideas needed

Ilya Bakulin webmaster at kibab.com
Fri Jul 8 03:42:22 UTC 2011


Hi hackers,
As part of the ongoing effort to enhance usage of Capsicum in the FreeBSD base
system, I want to ask you which applications in the base system should
receive sandboxing support.
So far, the following applications were sandboxed during the initial
Capsicum research project:
 sshd: critical system service run by root;
 gzip: utility that operates with potentially buggy compression code;
 tcpdump: contains complex packet-parsing code, run by root.
I have added sandboxing to syslogd, because this is also a critical
system service run by root.
I'm also going to add sandboxing to xz (compression algorithms) and ntpd
(critical system service run by root).

The question is: which applications should also be processed? I think
that the most wanted candidates are SUID programs and/or popular network
daemons.
But looking at the gzip example, I also think about text-processing tools in
general.

At the moment I prefer not to focus on applications that are used only
on desktop systems -- the primary usage of FreeBSD is as an ultra-reliable
serving platform, although the iXsystems guys may correct me :-)

-- 
Regards,
Ilya Bakulin
http://kibab.com
xmpp://kibab612@jabber.ru

