Capsicum project: Ideas needed

Gabor Kovesdan gabor at FreeBSD.org
Sat Jul 9 15:13:02 UTC 2011


On 08-07-2011 13:23, Ivan Voras wrote:
> On 08/07/2011 05:42, Ilya Bakulin wrote:
>> Hi hackers,
>> As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
>> system, I want to ask you, which applications in the base system should
>> receive sandboxing support.
>
> How about a small description of what sandboxing can bring to applications?
>
> I'm browsing the documents at 
> http://www.cl.cam.ac.uk/research/security/capsicum/documentation.html 
> but it looks like it still mostly describes the generic framework 
> rather than what you can do with it. From it, it looks like you can 
> set limits on file handle operations (e.g. lc_limitfd(STDOUT_FILENO,
> CAP_FSTAT | CAP_SEEK | CAP_WRITE)), but what else?
Yes, I've been reading the thread and I don't know either what the
deliverables of a Capsicum sandbox are.

Anyway, consider sendmail and BIND. I think these are important enough 
to get some more protection.

Gabor

