| author | pjd <pjd@FreeBSD.org> | 2011-05-14 17:02:03 +0000 |
|---|---|---|
| committer | pjd <pjd@FreeBSD.org> | 2011-05-14 17:02:03 +0000 |
| commit | eccd4beb3103b0b32ea5cd6fbbde55a9c716bd8a (patch) | |
| tree | 4582135bbbedab14d50df3c3ec3b7ec8b4f47185 /sbin/hastd/subr.h | |
| parent | 7da3a41fe756ba53dacecfb469b71cc1fd6469bc (diff) | |
Currently we are unable to use capsicum for the primary worker process,
because we need to do ioctl(2)s, which are not permitted in capability
mode. What we do now is to chroot(2) to /var/empty, which restricts access
to the file system name space, and we drop privileges to the hast user and
hast group.
This still allows access to other name spaces, like the list of processes,
network and sysvipc.
To address that, use jail(2) instead of chroot(2). Using jail(2) will restrict
access to the process table, network (we use ip-less jails) and sysvipc (if
security.jail.sysvipc_allowed is turned off). This provides much better
separation.
MFC after: 1 week
Diffstat (limited to 'sbin/hastd/subr.h')
-rw-r--r-- | sbin/hastd/subr.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sbin/hastd/subr.h b/sbin/hastd/subr.h index c04a242..e76930a 100644 --- a/sbin/hastd/subr.h +++ b/sbin/hastd/subr.h @@ -51,6 +51,6 @@ int snprlcat(char *str, size_t size, const char *fmt, ...); int provinfo(struct hast_resource *res, bool dowrite); const char *role2str(int role); -int drop_privs(bool usecapsicum); +int drop_privs(struct hast_resource *res); #endif /* !_SUBR_H_ */ |
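Review bot: the prototype change from `drop_privs(bool usecapsicum)` to `drop_privs(struct hast_resource *res)` is an API change whose definition and callers lie outside this diffstat (limited to sbin/hastd/subr.h), so the same commit must update the definition in subr.c and every call site or the build breaks. Since the caller no longer selects between capsicum and chroot, a one-line comment above the prototype stating that drop_privs() now derives the sandbox (the ip-less jail(2) described in the commit message) from the resource, and that a non-zero return must be treated as fatal before the worker does any further work, would document the new contract; `struct hast_resource` is already in scope here because `provinfo()` in the context lines uses it, so no forward declaration is needed.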