Freaky closed 5 years ago
I'm starting to work on this on FreeBSD11. I don't understand how it worked for you at all, however. Don't you need to explicitly allow for the file descriptors used in the inter-process communication? What tests did you run?
> I'm starting to work on this on FreeBSD11.

Thanks :)

> Don't you need to explicitly allow for the file descriptors used in the inter-process communication?

No. It'd probably be good to make their rights more restrictive, but there's no need to ask to make them less so.

> What tests did you run?

I renewed some certificates, and watched it with ktrace to confirm it's entering the sandbox properly etc.
A proper test suite would be nice. Pebble looks interesting for this.
This places everything but netproc in capability mode on FreeBSD.
Lightly tested on FreeBSD 11.
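
The Capsicum behaviour discussed in the thread, as an added example that is not part of the original posts or the project's code: descriptors opened before `cap_enter()` stay usable in capability mode, and `cap_rights_limit()` can only narrow them. The names `probe`, `sandbox_demo` and the enum are hypothetical; on non-FreeBSD systems the Capsicum calls are compiled out and only the IPC check runs.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

enum { IPC_OK = 1, OPEN_DENIED = 2, READ_DENIED = 4 };

/* Child body: enter the sandbox, then probe what still works (bitmask). */
static int probe(int wfd, int rfd)
{
    int mask = 0;
    char c = 'x', got = 0;
#ifdef __FreeBSD__
    cap_rights_t wr, rd;
    /* Optional tightening: rights can only be removed, never added. */
    if (cap_rights_limit(wfd, cap_rights_init(&wr, CAP_WRITE)) == -1 ||
        cap_rights_limit(rfd, cap_rights_init(&rd, CAP_READ)) == -1 ||
        cap_enter() == -1)
        return 0;
    /* New lookups in the global namespace are refused in capability mode. */
    if (open("/etc/passwd", O_RDONLY) == -1 && errno == ECAPMODE)
        mask |= OPEN_DENIED;
    /* The end limited to CAP_WRITE no longer permits read(). */
    if (read(wfd, &got, 1) == -1 && errno == ENOTCAPABLE)
        mask |= READ_DENIED;
#endif
    /* Descriptors opened before cap_enter() keep working, no grant needed. */
    if (write(wfd, &c, 1) == 1 && read(rfd, &got, 1) == 1 && got == 'x')
        mask |= IPC_OK;
    return mask;
}

int sandbox_demo(void)
{
    int sv[2], status = 0;
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    if ((pid = fork()) == -1) return -1;
    if (pid == 0) _exit(probe(sv[0], sv[1]));
    close(sv[0]); close(sv[1]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
int main(void) { printf("mask=%d\n", sandbox_demo()); return 0; }
```

On FreeBSD the expected mask is 7 (all three checks pass); elsewhere it is 1.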