Re: FreeBSD libcasper: Introduce cap_net a network service for Casper.
Roy Marples
Sun Sep 06 02:53:32 2020
Hi Ben
On 04/09/2020 09:45, Ben Woods wrote:
Hi Roy,
I remember you saying you didn’t end up using casper to help with sandboxing
dhcpcd with capsicum on FreeBSD, however I thought this new cap_net(3) feature
recently added to FreeBSD head (13-CURRENT) might be of interest to you.
https://svnweb.freebsd.org/base?view=revision&revision=364276
DESCRIPTION
The functions cap_bind, cap_connect, cap_gethostbyname, cap_gethostbyname2,
cap_gethostbyaddr and cap_getnameinfo are respectively equivalent to bind(2),
connect(2), gethostbyname(3), gethostbyname2(3), gethostbyaddr(3) and
getnameinfo(3), except that the connection to the system.net service needs to
be provided.

LIMITS
By default, the cap_net capability provides unrestricted access to the network
namespace. Applications typically only require access to a small portion of
the network namespace: the cap_net_limit interface can be used to restrict
access to the network.
Only cap_bind is of any interest - dhcpcd doesn't use any of the other functions.
But dhcpcd binds *before* dropping privs.
Whilst a pure capsicum sandbox might take advantage of the new functionality, it
would hinder the POSIX resource limited sandbox dhcpcd now sports.
Roy