tech-kern archive


Re: Capsicum: practical capabilities for UNIX

On Sun, Sep 26, 2010 at 11:54:19PM +0200, Jean-Yves Migeon wrote:
> On 26.09.2010 19:38, Perry E. Metzger wrote:
> > On Sat, 25 Sep 2010 13:36:18 +0200 Jean-Yves Migeon
> > <jeanyves.migeon%free.fr@localhost> wrote:
> >> I, for one, welcome our new systrace overlords.
> >>
> >> oops :)
> > 
> > Systrace is a MAC-like system. It is NOT a capability architecture.
> 
> Never said the opposite. Don't remove the part I was quoting just above :)
> 
> On 24.09.2010 21:46, David Young wrote:
> >> For consistency, user confidence and convenience, I'd like to see a
> >> wrapper program or shell built-in, "capsicum [capabilities] [program
> >> [arguments ...]]", that creates a sandbox, grants it the mentioned
> >> <capabilities>, and starts in it the given <program> with the given
> >> <arguments>.  Maybe that wouldn't be hard to do.  Maybe there's a better
> >> way, too.  Your thoughts?
> 
> Doesn't it read like using "capsicum" as a "systrace" replacement?

The chief difference I see between a process limited by Capsicum and
a process limited by Systrace is that the Capsicum-limited process
has only the privileges that the parent process grants it, while the
Systrace-limited process has a system-call firewall applied.  It's
easier with the Capsicum-limited process than with the Systrace-limited
process to reason about what the process can do, and to adjust the
process privileges, because it's easier to name and count capabilities
than to read, interpret, and re-write systrace rules.

Dave

-- 
David Young             OJC Technologies
dyoung%ojctech.com@localhost      Urbana, IL * (217) 278-3933
