chroot constraints only filesystem namespace, but doesn't prevent process from sending/receiving data via network, or from accessing other global namespaces such as PID namespace, SHM namespace, and from executing any system calls. In contract to chroot, Capsicum framework significantly increases application security by restricting access to all mentioned namespaces. More information about Capsicum, its design and goals is available here: http://www.cl.cam.ac.uk/research/security/capsicum/papers/2010usenix-security-capsicum-website.pdf
On Sun, July 10, 2011 2:39 am, Doug Barton wrote: > On 07/09/2011 07:54, Gabor Kovesdan wrote: >> Anyway, consider sendmail and BIND. I think these are important enough >> to get some more protection. > > What additional protection could capsicum offer beyond chroot'ing? > (That's not a snark, I don't quite understand all the moving parts here.) > > > Doug > > -- > > Nothin' ever doesn't change, but nothin' changes much. > -- OK Go > > Breadth of IT experience, and depth of knowledge in the DNS. > Yours for the right price. :) http://SupersetSolutions.com/ > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org" > > !DSPAM:4e18d8b510435369347983! > > > -- Regards, Ilya Bakulin http://kibab.com xmpp://kibab...@jabber.ru _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
