On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> Hi,
>
> What is the intended behavior of sendto() with non-NULL destination
> when the capability mode is enabled?
>
> If the capability mode is *not* enabled, it is checked against
> CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> This matches the explanation in the rights(4) manual page.
>
> However, if the capability mode is enabled, it is always
> rejected in sendit(). Is this intended?
Yes, this is intended. In capability mode all access to namespaces is restricted, including the IP address namespace. You must either connect your sockets before entering capability mode or use casper to provide connected sockets.

-- Brooks