tech-kern archive


Re: Capsicum: practical capabilities for UNIX



On Oct 26, 2010, at 5:44 48AM, Jukka Ruohonen wrote:

> On Mon, Oct 25, 2010 at 07:28:56PM -0500, David Young wrote:
>> The chief difference I see between a process limited by Capsicum and
>> a process limited by Systrace is that the Capsicum-limited process
>> has only the privileges that the parent process grants it, while the
>> Systrace-limited process has a system-call firewall applied.  It's
>> easier with the Capsicum-limited process than with the Systrace-limited
>> process to reason about what the process can do, and to adjust the
>> process privileges, because it's easier to name and count capabilities
>> than to read, interpret, and re-write systrace rules.
> 
> Does this mean that every program that wants to use Capsicum needs to be
> patched to use Capsicum?

Yes.

> This is the main problem I have with MACs and
> related frameworks; to gain full advantage from these, you need the
> resources of Red Hat. Are we going to patch third-party software to use
> Capsicum? Who knows what should be allowed or disallowed in a monster like
> Firefox? Apache? X.org? Bind? Who would be maintaining these patches?



                --Steve Bellovin, http://www.cs.columbia.edu/~smb