On Tue, Oct 26, 2010 at 06:44:48AM +0300, Jukka Ruohonen wrote: > On Mon, Oct 25, 2010 at 07:28:56PM -0500, David Young wrote: > > The chief difference I see between a process limited by Capsicum and > > a process limited by Systrace is that the Capsicum-limited process > > has only the privileges that the parent process grants it, while the > > Systrace-limited process has a system-call firewall applied. It's > > easier with the Capsicum-limited process than with the Systrace-limited > > process to reason about what the process can do, and to adjust the > > process privileges, because it's easier to name and count capabilities > > than to read, interpret, and re-write systrace rules. > > Does this mean that every program that wants to use Capsicum needs to be > patched to use Capsicum?
No. Dave -- David Young OJC Technologies [email protected] Urbana, IL * (217) 278-3933
