I am running 13-stable from a couple of weeks ago, without Capsicum
(neither CAPABILITY_MODE nor CAPABILITIES are specified in my kernel).
Despite this, I am getting Capsicum-related errors. As an example:
openat(AT_FDCWD, "/")
will return ENOTCAPABLE.
Rummaging around the sources, it seems that there's a non-trivial
amount of code in kern/vfs_lookup.c that's capable of returning
capability-related errors but isn't protected by CAPABILITY_MODE.
This seems undesirable since it means that FreeBSD is defaulting to
being locked down but unless I build it with Capsicum, there's no
way to change the processes capabilities.
--
Peter Jeremy
signature.asc
Description: PGP signature