On Mon, Oct 25, 2010 at 07:28:56PM -0500, David Young wrote:
> The chief difference I see between a process limited by Capsicum and
> a process limited by Systrace is that the Capsicum-limited process
> has only the privileges that the parent process grants it, while the
> Systrace-limited process has a system-call firewall applied. It's
> easier with the Capsicum-limited process than with the Systrace-limited
> process to reason about what the process can do, and to adjust the
> process privileges, because it's easier to name and count capabilities
> than to read, interpret, and re-write systrace rules.
Does this mean that every program that wants to use Capsicum needs to be patched to use Capsicum? This is the main problem I have with MACs and related frameworks; to gain full advantage from these, you need the resources of Red Hat. Are we going to patch third-party software to use Capsicum? Who knows what should be allowed or disallowed in a monster like Firefox? Apache? X.org? Bind? Who would be maintaining these patches?

- Jukka.
