On Sun, Sep 26, 2010 at 11:54:19PM +0200, Jean-Yves Migeon wrote:
> On 26.09.2010 19:38, Perry E. Metzger wrote:
> > On Sat, 25 Sep 2010 13:36:18 +0200 Jean-Yves Migeon
> > <[email protected]> wrote:
> >> I, for one, welcome our new systrace overlords.
> >>
> >> oops :)
> >
> > Systrace is a MAC-like system. It is NOT a capability architecture.
>
> Never said the opposite. Don't remove the part I was quoting just above :)
>
> On 24.09.2010 21:46, David Young wrote:
> >> For consistency, user confidence and convenience, I'd like to see a
> >> wrapper program or shell built-in, "capsicum [capabilities] [program
> >> [arguments ...]]", that creates a sandbox, grants it the mentioned
> >> <capabilities>, and starts in it the given <program> with the given
> >> <arguments>. Maybe that wouldn't be hard to do. Maybe there's a better
> >> way, too. Your thoughts?
>
> Doesn't it read like using "capsicum" as a "systrace" replacement?
The chief difference I see between a process limited by Capsicum and a process limited by Systrace is that the Capsicum-limited process has only the privileges that the parent process grants it, while the Systrace-limited process has a system-call firewall applied. It's easier with the Capsicum-limited process than with the Systrace-limited process to reason about what the process can do, and to adjust the process privileges, because it's easier to name and count capabilities than to read, interpret, and re-write systrace rules.

Dave

-- 
David Young             OJC Technologies
[email protected]      Urbana, IL * (217) 278-3933
