Date:      Sun, 6 Dec 2015 22:25:59 -0200
From:      Luís Fernando Schultz Xavier da Silveira <schultz@ime.usp.br>
To:        Terje Elde <terje@elde.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: OSS in jail
Message-ID:  <20151207002558.GA7494@hpmini>
In-Reply-To: <20151206214455.GA5435@hpmini>
References:  <20151206194401.GA3860@hpmini> <CAA2O=b_isQOHepigMgDyDGtOidpbYkLOmvEayCbETfLEbUsDKA@mail.gmail.com> <20151206194851.GA4044@hpmini> <CAA2O=b_o=Jfmg=ny6JDvgeznR_HVpBr+BO0anPFDfsUBp_RBKQ@mail.gmail.com> <20151206195709.GA4100@hpmini> <87C55BB9-84B2-43B0-BD7D-2E045753C83C@elde.net> <20151206214455.GA5435@hpmini>

Hi,

The mac_bsdextended man page directs the user to try the ugidfw
utility to add mandatory access control rules. However, the manual
page of this utility seems to indicate that the finest granularity of
objects described by these rules is the filesystem level.
Thus, it does not seem possible to change the access control policy of
individual /dev nodes.

On Sun, Dec 06, 2015 at 07:44:56PM -0200, Luís Fernando Schultz Xavier da Silveira wrote:
> This is very promising. I will give it a shot.
> Thanks very much.
> 
> On Sun, Dec 06, 2015 at 09:19:24PM +0100, Terje Elde wrote:
> > 
> > > On 06 Dec 2015, at 20:57, Luís Fernando Schultz Xavier da Silveira <schultz@ime.usp.br> wrote:
> > > 
> > > This is the precise problem.
> > > I need either a stronger form of access control than unix permissions
> > > or two separate devices for playback and recording.
> > > Or maybe a separate OSS stack, in the spirit of VIMAGE.
> > > These options seem unrealistic, but the use case does not seem
> > > unreasonable, which is why I pose the question.
> > 
> > Although I haven't tested it for devices, it's likely you can solve this by using MAC, and the "file system firewall"; mac_bsdextended
> > 
> > Effectively you can define "firewall rules" for the file system, and thus block reads from the dsp.
> > 
> > Might be a learning curve to get things right though. 
> > 
> > Terje
> > 
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20151207002558.GA7494>