On Thu, Jul 7, 2011 at 8:42 PM, Ilya Bakulin <webmas...@kibab.com> wrote:
> Hi hackers,
> As part of the ongoing effort to enhance usage of Capsicum in the FreeBSD base
> system, I want to ask you which applications in the base system should
> receive sandboxing support.
> So far, the following applications were sandboxed during initial
> Capsicum research project:
>  sshd: critical system service run by root;
>  gzip: utility that operates with potentially buggy compression code;
>  tcpdump: contains complex packet-parsing code, run by root;
> I have added sandboxing to syslogd, because this is also a critical
> system service run by root.
> I'm also going to add sandboxing to xz (compression algorithms) and ntpd
> (critical system service run by root).
>
> The question is: which applications should also be processed? I think
> that the most wanted candidates are SUID programs and/or popular network
> daemons.
> But looking at the gzip example, I also think about text-processing tools in
> general.
>
> At the moment I prefer not to focus on applications that are used only
> on desktop systems -- the primary usage of FreeBSD is as an ultra-reliable serving
> platform, although iXSystems guys may correct me :-)

Haha, we will not disagree with you (yet!). This is a great project
and I appreciate your work on it.

What about inetd? Is that possible or does each service it supports
need sandboxing, too? How about sendmail and bind?

Cheers,
-matt
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscr...@freebsd.org"
