Hi hackers,

As part of the ongoing effort to enhance the usage of Capsicum in the FreeBSD base system, I want to ask you which applications in the base system should receive sandboxing support. So far, the following applications were sandboxed during the initial Capsicum research project:

sshd: critical system service run by root;
gzip: utility that operates with potentially buggy compression code;
tcpdump: contains complex packet-parsing code, run by root.

I have added sandboxing to syslogd, because this is also a critical system service run by root. I'm also going to add sandboxing to xz (compression algorithms) and ntpd (critical system service run by root).
The question is: which applications should also be processed? I think that the most wanted candidates are SUID programs and/or popular network daemons. But looking at the gzip example, I also think about text-processing tools in general. At the moment I prefer not to focus on applications that are used only on desktop systems -- the primary use of FreeBSD is as an ultra-reliable server platform, although the iXSystems guys may correct me :-)

--
Regards,
Ilya Bakulin
http://kibab.com
xmpp://kibab...@jabber.ru
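The pattern behind each of the candidates named above (gzip, xz, tcpdump) is the same: acquire the descriptors the program needs, restrict them to the rights it actually uses, enter capability mode, and only then run the complex parsing code, so a bug in the parser cannot be turned into access to the rest of the system. The following is an added example, not code from the post or from any FreeBSD utility; the tiny run-length decoder `rle_decode` is a constructed stand-in for real compression code, and the `#ifdef __FreeBSD__` guards are an assumption so the file also compiles on hosts without Capsicum (where the sandboxing calls become no-ops).

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Restrict fd to read-only or write-only use (plus fstat).
 * Must run before cap_enter(); on non-Capsicum hosts it is a no-op. */
static int limit_fd(int fd, int want_write)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    if (want_write)
        cap_rights_init(&rights, CAP_WRITE, CAP_FSTAT);
    else
        cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    /* ENOSYS: kernel built without Capsicum; treat as "not available". */
    if (cap_rights_limit(fd, &rights) < 0 && errno != ENOSYS)
        return -1;
    return 0;
#else
    (void)fd; (void)want_write;
    return 0;
#endif
}

/* Enter capability mode: after this, no new descriptors can be obtained
 * by path (open(2) on a path fails with ECAPMODE), only the ones we hold.
 * Returns 1 if entered, 0 if Capsicum is unavailable, -1 on error. */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    if (cap_enter() < 0)
        return errno == ENOSYS ? 0 : -1;
    return 1;
#else
    return 0;
#endif
}

/* Constructed stand-in for the "potentially buggy" decompressor:
 * input is (count, byte) pairs. Returns bytes produced, or -1 on
 * malformed input or when output would not fit. */
static ssize_t rle_decode(const unsigned char *in, size_t inlen,
                          unsigned char *out, size_t outcap)
{
    size_t o = 0;
    if (inlen % 2 != 0)
        return -1;                      /* dangling count without a byte */
    for (size_t i = 0; i < inlen; i += 2) {
        size_t count = in[i];
        if (count > outcap - o)
            return -1;                  /* bounds check before memset */
        memset(out + o, in[i + 1], count);
        o += count;
    }
    return (ssize_t)o;
}

/* gzip-style filter: descriptors first, sandbox second, parsing last. */
static int filter(int infd, int outfd)
{
    unsigned char inbuf[4096], outbuf[65536];
    ssize_t n, m;

    if (limit_fd(infd, 0) < 0 || limit_fd(outfd, 1) < 0)
        return -1;
    if (enter_sandbox() < 0)
        return -1;
    /* Everything below runs with no ambient authority on FreeBSD. */
    n = read(infd, inbuf, sizeof inbuf);
    if (n < 0)
        return -1;
    m = rle_decode(inbuf, (size_t)n, outbuf, sizeof outbuf);
    if (m < 0)
        return -1;
    return write(outfd, outbuf, (size_t)m) == m ? 0 : -1;
}

int main(void)
{
    /* stdin -> stdout, like a compression filter; no paths are opened. */
    return filter(STDIN_FILENO, STDOUT_FILENO) == 0 ? 0 : 1;
}
```

The order matters: `cap_rights_limit` can only narrow rights, so the input descriptor cannot later be written and the output descriptor cannot be read back, and once `cap_enter` has succeeded a memory-safety bug in `rle_decode` leaves the attacker with exactly those two descriptors and nothing else.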