K 10
svn:author
V 7
trociny
K 8
svn:date
V 27
2011-07-03T16:54:27.490835Z
K 7
svn:log
V 1666
MFC r219847, r221898, r221899, r222224, r223584, r223585:

r219847 (pjd):

When dropping privileges prefer capsicum over chroot+setgid+setuid.
We can use capsicum for secondary worker processes and hastctl.
When working as primary we drop privileges using chroot+setgid+setuid
still as we need to send ioctl(2)s to ggate device, for which capsicum
doesn't allow (yet).

r221898 (pjd):

When using capsicum to sanbox, still use other methods first, just in case
one of them have some problems.

r221899 (pjd):

Currently we are unable to use capsicum for the primary worker process,
because we need to do ioctl(2)s, which are not permitted in the capability
mode. What we do now is to chroot(2) to /var/empty, which restricts access
to file system name space and we drop privileges to hast user and hast
group.

This still allows to access to other name spaces, like list of processes,
network and sysvipc.

To address that, use jail(2) instead of chroot(2). Using jail(2) will restrict
access to process table, network (we use ip-less jails) and sysvipc (if
security.jail.sysvipc_allowed is turned off). This provides much better
separation.

r222224 (pjd):

To handle BIO_FLUSH and BIO_DELETE requests in secondary worker we need
to use ioctl(2). This is why we can't use capsicum for now to sandbox
secondary. Capsicum is still used to sandbox hastctl.

r223584 (pjd):

Log a warning if we cannot sandbox using capsicum, but only under debug level 1.
It would be too noisy to log it as a proper warning as CAPABILITIES are not
compiled into GENERIC by default.

r223585 (pjd):

Compile capsicum support only if HAVE_CAPSICUM is defined.

Approved by:	pjd (mentor)

END