看板 FB_hackers 關於我們 聯絡資訊
On Thu, 8 Nov 2007, Andrea Campi wrote: > On Wed, Nov 07, 2007 at 10:20:28PM -0500, dexterclarke@Safe-mail.net wrote: > >> I'm considering developing a policy/module for TrustedBSD loosely based on >> the systrace concept - A process loads a policy and then executes another >> program in a sandbox with fine grained control over what that program can >> do. > ... >> Please note that the 'policy' given on the command line is purely for the >> sake of example, no syntax or semantics have been decided upon. > > Can't comment on the implementation or wider issues, but if you pursue this, > please have a look at how MacOS Leopard does it (Seatbelt). Would be nice to > converge on both syntax (a Schema dialect) and tools names / command line > args--or if converging is not possible, at least know where and why and make > a conscious decision. FYI, Seatbelt is based on the Mac OS X port of the TrustedBSD MAC Framework, which while it has some significant changes (some now present in the 8-CURRENT branch of FreeBSD), may well be a good starting point. Last I checked, the source for Seatbelt wasn't yet available, but there was hope it would be available in the near future. A port of the policy to FreeBSD sounds like it would be very interesting to do, and might provide a nice starting point rather than having to write up a policy from scratch. Robert N M Watson Computer Laboratory University of Cambridge _______________________________________________ freebsd-hackers@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-hackers To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"