Mapping Linux capabilities(7) to our Capsicum rights(4)
Gleb Popov
arrowd at freebsd.org
Sun Oct 25 08:39:55 UTC 2020
Hello hackers!

I'm porting software that employs Linux capabilities to constrain the
running process. The code looks like:

    if (!haveCapability(CAP_SYS_CHROOT)
        || !haveCapability(CAP_MKNOD)
        || !haveCapability(CAP_FOWNER))
    {
        errorOut();
    }

    dropCapability(CAP_SYS_CHROOT);
    dropCapability(CAP_MKNOD);
    dropCapability(CAP_FOWNER);

The CAP_MKNOD looks much like our CAP_MKNODAT. The CAP_FOWNER looks more
complex, but it seems it is implemented at higher granularity in Capsicum.
Finally, I haven't found anything for CAP_SYS_CHROOT.

I'll continue digging this up, but any hints would be appreciated.

Thanks in advance.