Capsicum and sendto(2)
KAMADA Ken'ichi
kamada at nanohz.org
Tue Jan 21 13:46:35 UTC 2014
Hi,
What is the intended behavior of sendto() with non-NULL destination
when the capability mode is enabled?
If the capability mode is *not* enabled, it is checked against
CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
This matches the explanation in the rights(4) manual page.
However, if the capability mode is enabled, it is always
rejected in sendit(). Is this intended?
Best regards,
Ken
More information about the freebsd-security
mailing list