Re: The OpenBSD pledge

From: Domagoj Stolfa <domagoj.stolfa_at_gmail.com>
Date: Mon, 13 Jun 2016 12:40:16 +0200
On Mon, Jun 13, 2016 at 9:44 AM, Florian Ermisch <florian.ermisch_at_alumni.tu-berlin.de> wrote:

>
>
> On 11 June 2016 18:31:25 MESZ, Alan Somers <asomers_at_freebsd.org> wrote:
> > On Sat, Jun 11, 2016 at 5:32 AM, Domagoj Stolfa
> > <domagoj.stolfa_at_gmail.com> wrote:
> > > Yes, it would maybe make sense to do so. I am not too familiar with
> > > capsicum(4), but glancing over it, it might be possible. If anything, it
> > > would allow for code reuse from the OpenBSD ports and increased portability
> > > in the future. Maybe the people who have worked with capsicum(4) or have
> > > developed it could give some more insight on this.
> > >
> >
> > I don't see how it would be possible.  Capsicum is all about file
> > descriptors.  When you call cap_enter(), you give up the ability to
> > access global namespaces.  For example, you can no longer open files
> > (except using openat(2) for files in a subdirectory of a directory
> > which is already opened).  OTOH, pledge is all about syscalls.  When
> > you pledge, you give up the ability to use certain syscalls,
> > regardless of what file descriptors they might involve.  So for
> > example, a program that uses pledge(2) to prohibit networking syscalls
> > can't simply replace pledge(2) with cap_enter(2), because it may need
> > to open files after pledging.
> >
> > -Alan
>
> Thanks for the clarification, Alan.
> So pledge(2) would, if implemented in FreeBSD, complement capsicum.
> They would only overlap around file descriptors, where capsicum could
> enforce a process's pledge like to only ever write to one file which is
> its logfile.
>
> Florian
>

It indeed does seem like they could complement each other.
One could pledge the entire program and use capsicum(4)
to limit certain file descriptors even further, but not the rest
of the program, such as a TCP socket. This does seem like
increased simplicity in limiting the whole program using
pledge(2) and the additional benefit that capsicum(4) offers
in terms of file descriptors. The question remains though, how
would they interact with each other? A single pledge(2) call, as
Alan said, could limit the operation of capsicum(4).

Domagoj
Received on Mon Jun 13 2016 - 08:40:20 UTC
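Added example (my own, not code from this thread, from FreeBSD or from OpenBSD) showing the Capsicum half of Alan's contrast and Florian's "only ever write to its logfile" case in one program: a directory fd is opened before cap_enter(), so openat() relative to it keeps working while open() of an absolute path fails with ECAPMODE, and the log fd is then limited to CAP_WRITE so write() succeeds and read() fails with ENOTCAPABLE. It assumes FreeBSD with <sys/capsicum.h>; on other systems the Capsicum calls are compiled out and the program reports that no sandbox was entered. The temp directory under /tmp, the file name app.log and the function names are my own choices.

```c
/* Added example, not from the thread. Assumes FreeBSD's capsicum(4); elsewhere
 * the Capsicum calls are compiled out and capmode stays 0. */
#define _GNU_SOURCE          /* exposes O_DIRECTORY and mkdtemp() on glibc; harmless on FreeBSD */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* What the sandboxed child observed, reported back to the parent over a pipe. */
struct capdemo {
    int capmode;     /* 1 once cap_enter() succeeded; 0 when Capsicum is compiled out */
    int openat_ok;   /* openat() relative to a directory fd opened before cap_enter() */
    int open_errno;  /* errno from open("/dev/null") after cap_enter(); 0 if it succeeded */
    int write_ok;    /* write() through the log fd after limiting it to CAP_WRITE */
    int read_errno;  /* errno from read() on that same fd; 0 if it succeeded */
};

/* Body of the child. dirfd is the only handle it keeps into the file system. */
static void child_body(int dirfd, int out_fd)
{
    struct capdemo r;
    memset(&r, 0, sizeof r);
#ifdef __FreeBSD__
    /* One-way transition: from here on no global namespaces (paths, PIDs, sockets). */
    if (cap_enter() == 0)
        r.capmode = 1;
#endif
    /* Relative lookup through a pre-opened directory fd is still allowed. */
    int logfd = openat(dirfd, "app.log", O_RDWR | O_CREAT, 0600);
    r.openat_ok = logfd >= 0;

    /* An absolute path needs the global file-system namespace: ECAPMODE in capability mode. */
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        r.open_errno = errno;
    else
        close(fd);

    if (logfd >= 0) {
#ifdef __FreeBSD__
        /* "Only ever write to its logfile": strip every right but CAP_WRITE from the fd. */
        cap_rights_t rights;
        cap_rights_init(&rights, CAP_WRITE);
        if (cap_rights_limit(logfd, &rights) != 0)
            _exit(2);
#endif
        const char msg[] = "sandboxed hello\n";
        r.write_ok = write(logfd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1);
        char buf[16];
        if (read(logfd, buf, sizeof buf) < 0)
            r.read_errno = errno;   /* ENOTCAPABLE once limited to CAP_WRITE */
        close(logfd);
        unlinkat(dirfd, "app.log", 0);   /* still relative to dirfd, so still allowed */
    }
    if (write(out_fd, &r, sizeof r) != (ssize_t)sizeof r)
        _exit(1);
    _exit(0);
}

/* Run the demo in a forked child (cap_enter() cannot be undone) and return what it saw. */
struct capdemo capdemo_run(void)
{
    struct capdemo r;
    memset(&r, 0, sizeof r);
    char dir[] = "/tmp/capdemo.XXXXXX";   /* constructed scratch location for the example */
    int pfd[2];
    if (mkdtemp(dir) == NULL || pipe(pfd) != 0)
        return r;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) {
        rmdir(dir);
        return r;
    }
    pid_t pid = fork();
    if (pid == 0) {
        close(pfd[0]);
        child_body(dirfd, pfd[1]);
    }
    close(pfd[1]);
    close(dirfd);
    if (pid > 0) {
        if (read(pfd[0], &r, sizeof r) != (ssize_t)sizeof r)
            memset(&r, 0, sizeof r);
        waitpid(pid, NULL, 0);
    }
    close(pfd[0]);
    rmdir(dir);   /* needs the global namespace, so it happens in the unsandboxed parent */
    return r;
}

int main(void)
{
    struct capdemo r = capdemo_run();
    printf("capability mode:               %s\n", r.capmode ? "yes" : "no (Capsicum compiled out)");
    printf("openat() via pre-opened dirfd: %s\n", r.openat_ok ? "ok" : "failed");
    printf("open(\"/dev/null\"):             %s\n", r.open_errno ? strerror(r.open_errno) : "ok");
    printf("write() on CAP_WRITE-only fd:  %s\n", r.write_ok ? "ok" : "failed");
    printf("read() on the same fd:         %s\n", r.read_errno ? strerror(r.read_errno) : "ok");
    return 0;
}
```

Note what the example does not show: nothing here stops the child from calling socket(2) or any other syscall that takes no global name, which is exactly the part pledge(2) covers and Capsicum does not.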

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:05 UTC