Capsicum project: Ideas needed
Ilya Bakulin
webmaster at kibab.com
Mon Jul 11 12:08:06 UTC 2011
chroot constraints only filesystem namespace, but doesn't prevent process
from sending/receiving data via network, or from accessing other global
namespaces such as PID namespace, SHM namespace, and from executing any
system calls.
In contract to chroot, Capsicum framework significantly increases
application security by restricting access to all mentioned namespaces.
More information about Capsicum, its design and goals is available here:
http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
On Sun, July 10, 2011 2:39 am, Doug Barton wrote:
> On 07/09/2011 07:54, Gabor Kovesdan wrote:
>> Anyway, consider sendmail and BIND. I think these are important enough
>> to get some more protection.
>
> What additional protection could capsicum offer beyond chroot'ing?
> (That's not a snark, I don't quite understand all the moving parts here.)
>
>
> Doug
>
> --
>
> Nothin' ever doesn't change, but nothin' changes much.
> -- OK Go
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>
> _______________________________________________
> freebsd-hackers at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe at freebsd.org"
>
> !DSPAM:4e18d8b510435369347983!
>
>
>
--
Regards,
Ilya Bakulin
http://kibab.com
xmpp://kibab612@jabber.ru
More information about the freebsd-hackers
mailing list