Just a thought… Wouldn’t it be nice if capsicum in #FreeBSD could be used in... - FreeBSD

rvstaveren, 25 days ago Dutch

Just a thought… Wouldn’t it be nice if capsicum in #FreeBSD could be used in such way that you didn’t need to alter binaries, but from e.g. daemon(8) which would jail your binaries with the restricted capabilities

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Image

Image alternative text

mpts, 25 days ago

@rvstaveren There you go:

https://papers.freebsd.org/2020/bsdcan/stone-oblivious_sandboxing_capsicum_ebpf/

It is called oblivious sandboxing AFAIK.

Ryan Stone has worked on it at one point. I don't remember the details though.

#FreeBSD #FOSS #security #osdev #infosec

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

feld, 24 days ago

@mpts @rvstaveren if you just want to use jails for all services you can modify rc.subr to add a new jailing feature where it just shares the same root filesystem but all the services you specify are in a jail with some lowered capabilities and it behaves like a cgroup in that fashion

I wish some people took this seriously and pushed it as a core feature because it would rule

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

rvstaveren, 24 days ago

@feld @mpts yes definitely! The reason I mentioned capsicum was that the jailing could even go deeper than that and keep processes unprivileged right from the start

reply

report

activity

copy /kbin url

copy original url

open original url

Loading...

Add comment