Re: Capsicum and sendto(2)
--bCsyhTFzCvuiizWE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> Hi,
>=20
> What is the intended behavior of sendto() with non-NULL destination
> when the capability mode is enabled?
>=20
> If the capability mode is *not* enabled, it is checked against
> CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> This matches the explanation in the rights(4) manual page.
>=20
> However, if the capability mode is enabled, it is always
> rejected in sendit(). Is this intended?
Yes, this is intended. In capabilty mode all access to namespaces is=20
restricted including the IP address namespace. You must either connect
your sockets before entereing capabilty mode or use casper to provide
connected sockets.
-- Brooks
--bCsyhTFzCvuiizWE
Content-Type: application/pgp-signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)
iD8DBQFS3rq8XY6L6fI4GtQRApKfAKDlxqHfgGJL/CLL2q3mIJKHWJclCwCgx46d
X4F4WJLKyFnLt7AW2zpSfys=
=8J8r
-----END PGP SIGNATURE-----
--bCsyhTFzCvuiizWE--
討論串 (同標題文章)