Capsicum project: Ideas needed

Doug Barton dougb at FreeBSD.org
Tue Jul 12 00:44:15 UTC 2011


On 07/11/2011 05:08, Ilya Bakulin wrote:
> chroot constrains only the filesystem namespace, but doesn't prevent the process
> from sending/receiving data via network,

... which is kind of important for DNS software. :)

> or from accessing other global
> namespaces such as PID namespace, SHM namespace, and from executing any
> system calls.

Fair enough, although I'd love to see an actual threat analysis before I
concluded that BIND should be close to the top of the list.


Thanks for the response,

Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/



More information about the freebsd-hackers mailing list
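The distinction Ilya draws (chroot limits paths, Capsicum capability mode also closes the network and other global namespaces while leaving already-held descriptors usable) can be checked directly. The program below is an added example written for this page, not code from the thread or from the Capsicum project; it assumes FreeBSD with `<sys/capsicum.h>` (on any other OS the demo is compiled out and reports 0).

```c
/* Added example (not from the mailing-list post): what Capsicum capability
 * mode removes that a chroot does not.  Assumes FreeBSD; elsewhere the body
 * is compiled out and capsicum_demo() simply returns 0. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Returns 1 when capability mode behaved as documented in capsicum(4):
 *   - connect() to a network address fails with ECAPMODE
 *   - open() of an absolute path fails with ECAPMODE
 *   - a descriptor opened beforehand still works, but only within the
 *     rights it was limited to (write fails with ENOTCAPABLE)
 * Returns 0 when Capsicum is not available on this platform, -1 otherwise. */
int capsicum_demo(void)
{
#ifdef __FreeBSD__
    /* Acquire resources *before* entering capability mode: this is the
     * Capsicum model, resources come from held descriptors, not namespaces. */
    int fd = open("/dev/null", O_RDONLY);
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || s < 0)
        return -1;

    /* Narrow the file descriptor to read-only capability rights. */
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ);
    if (cap_rights_limit(fd, &rights) < 0)
        return -1;

    /* Irreversible for this process and its future children. */
    if (cap_enter() < 0)
        return -1;

    /* Network namespace: naming a remote address is no longer permitted. */
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(53);                 /* constructed sample address */
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int connect_blocked =
        (connect(s, (struct sockaddr *)&sin, sizeof sin) < 0 && errno == ECAPMODE);

    /* Filesystem namespace: absolute paths are closed too (openat() relative
     * to a held directory descriptor would still be allowed). */
    int path_blocked = (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE);

    /* Held descriptor: still usable, but only for the rights granted. */
    char buf[8];
    int read_ok = (read(fd, buf, sizeof buf) == 0);   /* /dev/null gives EOF */
    int write_blocked = (write(fd, "x", 1) < 0 && errno == ENOTCAPABLE);

    close(s);
    close(fd);
    return (connect_blocked && path_blocked && read_ok && write_blocked) ? 1 : -1;
#else
    return 0;
#endif
}

int main(void)
{
    int r = capsicum_demo();
    if (r == 0)
        puts("Capsicum not available on this platform (demo compiled out)");
    else
        printf("capability mode %s\n", r == 1 ? "blocked namespaces as expected"
                                              : "did NOT behave as expected");
    return r == -1;
}
```

A chroot'd copy of the same program would still succeed at `connect()` and at opening any path inside the jail root; only capability mode removes those avenues, which is the point of the thread. Note that `cap_enter()` is a one-way door, so real sandboxed daemons open listening sockets, config files and log descriptors first and enter capability mode afterwards.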