Linux capabilities to Capsicum
- Reply: David Chisnall : "Re: Linux capabilities to Capsicum"
Date: Sat, 16 Apr 2022 17:17:06 UTC
Hello,

Together with my colleagues we are trying to port OpenStack to FreeBSD. As part of the process we need to modify a Python package used by OpenStack called oslo_privsep. This package uses Linux capabilities to give OpenStack services the least permissions they need. Now, as part of porting to FreeBSD, we want to replace the Linux capabilities with Capsicum.

We found a list of Capsicum capabilities at [1]. So far we found that the package uses at least the following 5 capabilities described in [2]:

- CAP_DAC_OVERRIDE
- CAP_DAC_READ_SEARCH
- CAP_NET_ADMIN
- CAP_SYS_PTRACE
- CAP_SYS_ADMIN

What would be the respective capabilities in Capsicum?

Thank you,
George

[1] https://www.freebsd.org/cgi/man.cgi?query=rights&sektion=4&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports
[2] https://man7.org/linux/man-pages/man7/capabilities.7.html