On 3/12/14 11:15 PM, Loganaden Velvindron wrote:
> I've read about the file vulnerability, and capsicumization also
> came to mind. However, there was also a discussion when I was
> playing with capsicum and openssh, about the limits of capsicum.
> Capsicum doesn't prevent DoS, and we still need rlimit on FreeBSD
> in addition to capsicum.

Yep, I consider it as an incremental improvement, not a complete
solution.

> I would suggest that you come up with a regression plan to test
> the daemons in base and the most popular one in ports. In this
> case, unbound was not capsicumised, but the changes made to the
> kernel affected unbound.

I plan to build a src/regress/sys/kern/capsicum as I implement
various functionality, but as for other services and such, I'm not
sure how best to go about formally testing that. For larger
"integration-test" stuff I generally just throw all my experimental
code on all my production boxes and watch what happens. The more
people who use those services the better because if something is
broken I'll find out earlier and I can fix it. That's also the
impression I got of how the pre-release testing cycle seems to work
here.

> Also, please look into FreeBSD's regression test suite for capsicum.

I'm aware of:
http://svnweb.freebsd.org/base/head/tools/regression/security/cap_test/
http://svnweb.freebsd.org/base/head/tools/regression/capsicum/
https://github.com/google/capsicum-test

Is there something else?

> Good testing coverage is also very important

Agreed.

> There's going to be a lot of follow-up to do. I would suggest
> that you contact the maintainers and see who is interested in getting
> capsicum into their daemon. The response may be varied.

I was going to wait until it's at a usable state before I solicit
effort from others, otherwise it's just pointless discussion, but
yes, that's the plan. In the meantime, I'll just shut up and hack.

> The patches will probably be peer reviewed by many people, as
> capsicum touches different areas of the kernel. This process will
> take time.

Naturally. I'd expect nothing less! :)
