OSS in jail
Luís Fernando Schultz Xavier da Silveira
schultz at ime.usp.br
Mon Dec 7 00:24:24 UTC 2015
Hi,
The mac_bsdextended man page directs the user to try the ugidfw
utility to add mandatory access control rules. However, the manual
page of this utility seems to indicate that the finest granularity of
objects described by these rules is the filesystem level.
Thus, it does not seem possible to change the access control policy of
individual /dev nodes.
On Sun, Dec 06, 2015 at 07:44:56PM -0200, Luís Fernando Schultz Xavier da Silveira wrote:
> This is very promising. I will give it a shot.
> Thanks very much.
>
> On Sun, Dec 06, 2015 at 09:19:24PM +0100, Terje Elde wrote:
> >
> > > On 06 Dec 2015, at 20:57, Luís Fernando Schultz Xavier da Silveira <schultz at ime.usp.br> wrote:
> > >
> > > This is the precise problem.
> > > I need either a stronger form of access control than unix permissions
> > > or two separate devices for playback and recording.
> > > Or maybe a separate OSS stack, in the spirit of VIMAGE.
> > > These options seem unrealistic, but the use case does not seem
> > > unreasonable, which is why I pose the question.
> >
> > Although I haven't tested it for devices, it's likely you can solve this by using MAC and the "file system firewall", mac_bsdextended.
> >
> > Effectively you can define "firewall rules" for the file system, and thus block reads from the dsp.
> >
> > Might be a learning curve to get things right though.
> >
> > Terje
> >
> >
> >
> > _______________________________________________
> > freebsd-questions at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"