Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-08-16 Thread Pavel Machek
Hi! > >>> I think that's more easily done by opening the file as O_RDONLY/O_WRONLY > >>> /O_RDWR. You could do it by running the file descriptor's seccomp-bpf > >>> program once per iocb with synthesized syscall numbers and argument > >>> vectors. > >> > >> > >> Right, but generating the

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-08-16 Thread Pavel Machek
Hi! I think that's more easily done by opening the file as O_RDONLY/O_WRONLY /O_RDWR. You could do it by running the file descriptor's seccomp-bpf program once per iocb with synthesized syscall numbers and argument vectors. Right, but generating the equivalent seccomp input

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-08 Thread Kees Cook
On Mon, Jul 7, 2014 at 3:33 PM, Alexei Starovoitov wrote: > On Mon, Jul 7, 2014 at 5:20 AM, Paolo Bonzini wrote: >> On 07/07/2014 12:29, David Drysdale wrote: >> I think that's more easily done by opening the file as O_RDONLY/O_WRONLY /O_RDWR. You could do it by running the file

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-08 Thread Kees Cook
On Mon, Jul 7, 2014 at 3:33 PM, Alexei Starovoitov alexei.starovoi...@gmail.com wrote: On Mon, Jul 7, 2014 at 5:20 AM, Paolo Bonzini pbonz...@redhat.com wrote: On 07/07/2014 12:29, David Drysdale wrote: I think that's more easily done by opening the file as O_RDONLY/O_WRONLY /O_RDWR.

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread Alexei Starovoitov
On Mon, Jul 7, 2014 at 5:20 AM, Paolo Bonzini wrote: > On 07/07/2014 12:29, David Drysdale wrote: > >>> I think that's more easily done by opening the file as O_RDONLY/O_WRONLY >>> /O_RDWR. You could do it by running the file descriptor's seccomp-bpf >>> program once per iocb with

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread David Drysdale
On Mon, Jul 7, 2014 at 1:20 PM, Paolo Bonzini wrote: > On 07/07/2014 12:29, David Drysdale wrote: >> Capsicum capabilities are associated with the file descriptor (a la >> F_GETFD), not the open file itself -- different FDs with different >> associated rights can map to the same underlying

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread Paolo Bonzini
On 07/07/2014 12:29, David Drysdale wrote: I think that's more easily done by opening the file as O_RDONLY/O_WRONLY /O_RDWR. You could do it by running the file descriptor's seccomp-bpf program once per iocb with synthesized syscall numbers and argument vectors. Right, but generating

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread David Drysdale
On Fri, Jul 4, 2014 at 8:03 AM, Paolo Bonzini wrote: > > On 03/07/2014 20:39, David Drysdale wrote: >> On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: >>> Given Linux's previous experience with BPF filters, what do you >>> think about attaching specific BPF programs to file

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread David Drysdale
On Fri, Jul 4, 2014 at 8:03 AM, Paolo Bonzini pbonz...@redhat.com wrote: On 03/07/2014 20:39, David Drysdale wrote: On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: Given Linux's previous experience with BPF filters, what do you think about attaching specific BPF programs

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread David Drysdale
On Mon, Jul 7, 2014 at 1:20 PM, Paolo Bonzini pbonz...@redhat.com wrote: On 07/07/2014 12:29, David Drysdale wrote: Capsicum capabilities are associated with the file descriptor (a la F_GETFD), not the open file itself -- different FDs with different associated rights can map to the same

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-07 Thread Alexei Starovoitov
On Mon, Jul 7, 2014 at 5:20 AM, Paolo Bonzini pbonz...@redhat.com wrote: On 07/07/2014 12:29, David Drysdale wrote: I think that's more easily done by opening the file as O_RDONLY/O_WRONLY /O_RDWR. You could do it by running the file descriptor's seccomp-bpf program once per iocb with

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-04 Thread Paolo Bonzini
On 03/07/2014 20:39, David Drysdale wrote: > On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: >> Given Linux's previous experience with BPF filters, what do you >> think about attaching specific BPF programs to file descriptors? >> Then whenever a syscall is run that affects a

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-04 Thread Paolo Bonzini
On 03/07/2014 20:39, David Drysdale wrote: On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: Given Linux's previous experience with BPF filters, what do you think about attaching specific BPF programs to file descriptors? Then whenever a syscall is run that affects a file

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread David Drysdale
On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: > On 30/06/2014 12:28, David Drysdale wrote: > >Hi all, > > > >The last couple of versions of FreeBSD (9.x/10.x) have included the > >Capsicum security framework [1], which allows security-aware > >applications to sandbox

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread Loganaden Velvindron
On Thu, Jul 3, 2014 at 1:12 PM, Paolo Bonzini wrote: > On 30/06/2014 12:28, David Drysdale wrote: >> >> Hi all, >> >> The last couple of versions of FreeBSD (9.x/10.x) have included the >> Capsicum security framework [1], which allows security-aware >> applications to sandbox themselves in a

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread Paolo Bonzini
On 30/06/2014 12:28, David Drysdale wrote: Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox themselves in a very fine-grained way. For example, OpenSSH now (>= 6.5) uses

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread Paolo Bonzini
On 30/06/2014 12:28, David Drysdale wrote: Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox themselves in a very fine-grained way. For example, OpenSSH now (>= 6.5) uses Capsicum

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread Loganaden Velvindron
On Thu, Jul 3, 2014 at 1:12 PM, Paolo Bonzini pbonz...@redhat.com wrote: On 30/06/2014 12:28, David Drysdale wrote: Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox

Re: [RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-07-03 Thread David Drysdale
On Thu, Jul 03, 2014 at 11:12:33AM +0200, Paolo Bonzini wrote: On 30/06/2014 12:28, David Drysdale wrote: Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox themselves in a

[RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-06-30 Thread David Drysdale
Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox themselves in a very fine-grained way. For example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to restrict sshd's

[RFC PATCH 00/11] Adding FreeBSD's Capsicum security framework (part 1)

2014-06-30 Thread David Drysdale
Hi all, The last couple of versions of FreeBSD (9.x/10.x) have included the Capsicum security framework [1], which allows security-aware applications to sandbox themselves in a very fine-grained way. For example, OpenSSH now (>= 6.5) uses Capsicum in its FreeBSD version to restrict sshd's