From: Luís Fernando Schultz Xavier da Silveira <schultz@ime.usp.br>
To: Terje Elde
Cc: freebsd-questions@freebsd.org
Date: Sun, 6 Dec 2015 22:25:59 -0200
Subject: Re: OSS in jail
Message-ID: <20151207002558.GA7494@hpmini>
In-Reply-To: <20151206214455.GA5435@hpmini>
References: <20151206194401.GA3860@hpmini> <20151206194851.GA4044@hpmini> <20151206195709.GA4100@hpmini> <87C55BB9-84B2-43B0-BD7D-2E045753C83C@elde.net> <20151206214455.GA5435@hpmini>
User-Agent: Mutt/1.5.23 (2014-03-12)

Hi,

The mac_bsdextended man page directs the user to try the ugidfw utility to add mandatory access control rules. However, the manual page of this utility seems to indicate that the finest granularity of objects described by these rules is the filesystem level. Thus, it does not seem possible to change the access control policy of individual /dev nodes.

On Sun, Dec 06, 2015 at 07:44:56PM -0200, Luís Fernando Schultz Xavier da Silveira wrote:
> This is very promising. I will give it a shot.
> Thanks very much.
>
> On Sun, Dec 06, 2015 at 09:19:24PM +0100, Terje Elde wrote:
> >
> > > On 06 Dec 2015, at 20:57, Luís Fernando Schultz Xavier da Silveira wrote:
> > >
> > > This is the precise problem.
> > > I need either a stronger form of access control than unix permissions
> > > or two separate devices for playback and recording.
> > > Or maybe a separate OSS stack, in the spirit of VIMAGE.
> > > These options seem unrealistic, but the use case does not seem
> > > unreasonable, which is why I pose the question.
> >
> > Although I haven't tested it for devices, it's likely you can solve this by using MAC, and the "file system firewall"; mac_bsdextended
> >
> > Effectively you can define "firewall rules" for the file system, and thus block reads from the dsp.
> >
> > Might be a learning curve to get things right though.
> >
> > Terje
> >
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
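A small wrapper around ugidfw(8) for the approach Terje suggested, added here as an example and not taken from the thread or from FreeBSD's own tooling. It assumes the ugidfw(8) rule keywords `subject jailid`, `object filesys` and `mode` (with mode letters a/r/s/w/x), and takes the jail id and the jail's devfs mount point as placeholder arguments. It also illustrates the limitation raised in the message: a `filesys` object covers every node on that mount, not a single /dev entry.

```shell
#!/bin/sh
# Added example (not from the thread): preview or apply a mac_bsdextended rule
# that withholds read access on a jail's devfs mount via ugidfw(8).
# Assumptions: the jail's devfs is mounted at the path given as $2 (placeholder)
# and the jail id is $1 (placeholder); keywords follow ugidfw(8).

# Build the ugidfw rule arguments for jail $1 and the filesystem mounted at $2.
# mac_bsdextended applies the first matching rule, and the mode letters list
# what that rule permits: a=admin, s=stat, w=write, x=exec. Leaving out 'r'
# is what denies reads. Note the object is the whole filesystem: every node on
# that devfs mount (not just the dsp) loses read access, which is the
# filesystem-level granularity the message describes.
build_no_read_rule() {
    jid=$1
    mountpoint=$2
    printf 'subject jailid %s object filesys %s mode aswx\n' "$jid" "$mountpoint"
}

# True only when ugidfw exists, the mac_bsdextended module is loaded, and the
# policy is switched on; anywhere else the wrapper stays in dry-run mode.
mac_bsdextended_active() {
    command -v ugidfw >/dev/null 2>&1 || return 1
    kldstat -q -m mac_bsdextended 2>/dev/null || return 1
    [ "$(sysctl -n security.mac.bsdextended.enabled 2>/dev/null)" = "1" ]
}

# Apply the rule where the policy is active, otherwise print what would run.
# After applying, list the installed rules so the result can be reviewed.
apply_no_read_rule() {
    rule=$(build_no_read_rule "$1" "$2")
    if mac_bsdextended_active; then
        # word-splitting of $rule into separate ugidfw arguments is intended
        ugidfw add $rule && ugidfw list
    else
        echo "dry-run (mac_bsdextended not active): ugidfw add $rule"
    fi
}

# Usage: apply_no_read_rule <jid> <jail devfs mountpoint>
# e.g.   apply_no_read_rule 3 /usr/jails/audio/dev   (placeholder values)
```

Run it first without the module loaded to see the exact `ugidfw add` invocation, then on the FreeBSD host with `kldload mac_bsdextended` done; `ugidfw list` afterwards shows the rule in place so its scope can be checked before trusting it.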