Date:      Wed, 22 Jan 2014 20:47:13 +0900
From:      KAMADA Ken'ichi <kamada@nanohz.org>
To:        freebsd-security@freebsd.org
Subject:   Re: Capsicum and sendto(2)
Message-ID:  <20140122204713WF%kamada@nanohz.org>
In-Reply-To: <20140121182150.GB80341@lor.one-eyed-alien.net>
References:  <20140121224511WQ%kamada@nanohz.org> <20140121182150.GB80341@lor.one-eyed-alien.net>

At Tue, 21 Jan 2014 12:21:50 -0600, Brooks Davis wrote:
> 
> On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> > 
> > What is the intended behavior of sendto() with non-NULL destination
> > when the capability mode is enabled?
> > 
> > If the capability mode is *not* enabled, it is checked against
> > CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> > This matches the explanation in the rights(4) manual page.
> > 
> > However, if the capability mode is enabled, it is always
> > rejected in sendit().  Is this intended?
> 
> Yes, this is intended.  In capability mode all access to namespaces is
> restricted including the IP address namespace.  You must either connect
> your sockets before entering capability mode or use casper to provide
> connected sockets.

Understood.
The capability mode forbids access to the global name space.

What I was trying to do was to apply Capsicum to a packet translator,
which inherently needs to send packets to many addresses.
Maybe I need something analogous to opening a subdirectory in
a filesystem name space, say, a new API to "open" a subnet
before entering capability mode...

Thanks,
Ken
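Brooks's advice above, worked through as an added example that is not part of the thread: a C program connect()s its UDP socket to its single destination before cap_enter(), after which send() still works but a sendto() that names an address is rejected. The cap_enter() stub for non-FreeBSD hosts and the loopback discard-port destination are assumptions made for this example.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#else
/* Assumption for portability: no Capsicum outside FreeBSD, so this stub lets the example build there. */
static int cap_enter(void) { errno = ENOSYS; return -1; }
#endif
/* Create a UDP socket connect()ed to one destination.  This is the only step
 * that touches the IP address namespace, so a translator must do it for
 * every destination it will use before entering capability mode. */
int open_connected_udp(const char *ip, unsigned short port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
/* 1 if the socket has a peer address, i.e. connect() took effect. */
int is_connected(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    return getpeername(fd, (struct sockaddr *)&ss, &len) == 0;
}
int main(void)
{
    /* Constructed destination: the loopback discard port. */
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(9) };
    int fd = open_connected_udp("127.0.0.1", 9);
    if (fd < 0 || inet_pton(AF_INET, "127.0.0.1", &to.sin_addr) != 1)
        return 1;
    if (cap_enter() < 0 && errno != ENOSYS) return 1;
    /* Connected beforehand: send() names no address and is allowed. */
    if (send(fd, "x", 1, 0) < 0) perror("send");
    /* A sendto() with an explicit destination is rejected (ECAPMODE on FreeBSD). */
    if (sendto(fd, "x", 1, 0, (struct sockaddr *)&to, sizeof(to)) < 0) perror("sendto");
    return 0;
}
```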
