Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 15 May 2012 10:58:29 +0100
From: Ben Laurie <benl@...gle.com>
To: oss-security@...ts.openwall.com
Subject: Re: Using FreeBSD Capsicum for program and library sandboxing

On 15 May 2012 02:52, Solar Designer <solar@...nwall.com> wrote:
> Hi,
>
> A couple of days ago, Ben Laurie posted to the Secure Coding list about
> using FreeBSD's experimental Capsicum support in the kernel to sandbox
> bzip2 and libtiff ("wrapping it such that the calling application is
> unaware it is wrapped") - as two initial examples, I presume.  I found
> this very interesting.

Thanks.

If you want to see the libtiff work, it's here:
https://github.com/benlaurie/libtiff

So far, I've wrapped enough (transparently!) to make a couple of
trivial applications work. These are slightly cut-down versions of a
couple of apps provided with libtiff. They're cut down because they
add custom tags, which means registering callbacks, and I haven't
designed how to wrap that yet :-)

Before I do, I want to move onto a more "real" application. Not sure
what I should choose, though, so suggestions are welcome...

All new code is the wrapped/ subdirectory - so far I have not had to
make any changes to libtiff, which is nice, but I do not rule it out.

This one includes a rudimentary RPC compiler.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.