[GSOC] capsicum week10
loganaden at gmail.com
Tue Aug 27 00:43:24 PDT 2013
On Tue, Aug 27, 2013 at 11:32 AM, Joris Giovannangeli
<joris at giovannangeli.fr> wrote:
> this week I've finished the implementation of dntpd sandboxing. You can
> see the work in the dnptd branch
> I've split dntpd in two processes, one in capability mode, and the other
> is privileged. The privileged process contains the list of names of the
> ntp servers in an array. When the worker process wants to connect, it
> sends a request to the privileged process using an index in the array to
> identify the server. The privileged process opens an udp socket and
> "connect" to the server. It sends back the file descriptor to the worker
> process, with only CAP_SEND and CAP_RECV.
That's just awesome !
> I fixed some panic I found running dntpd on a vkernel.
> During the remaining tim eof the week, I didn't wrote much code. I spent
> a lot of time reading the libcapsicum and libcasper API from freeBSD
> (still in development) to understand the new plans for capsicum
> userspace applications. I wrote some test program and I started a port
> of the libs to dragonfly (not committed yet)
> Best regards,
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
More information about the Kernel