Em 08-07-2011 13:23, Ivan Voras escreveu:
On 08/07/2011 05:42, Ilya Bakulin wrote:
Hi hackers,
As a part of ongoing effort to enhance usage of Capsicum in FreeBSD base
system, I want to ask you, which applications in the base system should
receive sandboxing support.
How about a small description what sandboxing can bring to applications?
I'm browsing the documents at
http://www.cl.cam.ac.uk/research/security/capsicum/documentation.html
but it looks like it still mostly describes the generic framework
rather than what you can do with it. From it, it looks like you can
set limits on file handle operations (e.g. (lc_limitfd(STDOUT_FILENO,
CAP_FSTAT | CAP_SEEK | CAP_WRITE)), but what else?
Yes, I've been reading the thread and I don't know either what are the
deliverables of a Capsicum sandbox.
Anyway, consider sendmail and BIND. I think these are important enough
to get some more protection.
Gabor
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
