FreeBSD libcasper: Introduce cap_net a network service for Casper.

Ben Woods

Fri Sep 04 09:45:41 2020

Hi Roy,

I remember you saying you didn’t end up using casper to help with
sandboxing dhcpcd with capsicum on FreeBSD, however I thought this new
cap_net(3) feature recently added to FreeBSD head (13-CURRENT) might be of
interest to you.

https://svnweb.freebsd.org/base?view=revision&revision=364276

DESCRIPTION
The functions
cap_bind,
cap_connect,
cap_gethostbyname ,
cap_gethostbyname2 ,
cap_gethostbyaddr
and
cap_getnameinfo

are respectively equivalent to
bind 2 ,
connect 2 ,
gethostbyname 3 ,
gethostbyname2 3 ,
gethostbyaddr 3
and
getnameinfo 3

except that the connection to the
system.net
service needs to be provided.

LIMITS
By default, the cap_net capability provides unrestricted access to the
network namespace.
Applications typically only require access to a small portion of the
network namespace:
cap_net_limit
interface can be used to restrict access to the network.
-- 

--
From: Benjamin Woods
woodsb02@xxxxxxxxx

Follow-Ups:
Re: FreeBSD libcasper: Introduce cap_net a network service for Casper.	Roy Marples

Archive administrator: postmaster@marples.name

dhcpcd-discuss

FreeBSD libcasper: Introduce cap_net a network service for Casper.

Ben Woods