Needed by write(1), others. I don't see a good reason to disallow readonly
access.
Details
Details
Diff Detail
Diff Detail
- Repository
- rS FreeBSD src repository - subversion
- Lint
Lint Passed - Unit
No Test Coverage - Build Status
Buildable 5259 Build 5423: CI src build Jenkins Build 5422: arc lint + arc unit
Event Timeline
Comment Actions
Well... I don't know about this. One of the ideas of Capsicum is that it's (in theory) strong enough to run things that you completely don't trust, that are entirely isolated from global system state. At least, that's what I'm aiming at for CloudABI.
Question: can't we cache this info in userspace before calling cap_enter()?
Comment Actions
I don't know how much hostname matters.
Question: can't we cache this info in userspace before calling cap_enter()?
We can do a lot of things ahead of entering cap mode, but that decreases how useful it is — both in the amount of code that runs outside of it, and in how much rewriting existing programs need to run in capability mode. :-)
Comment Actions
(Review 8000! Only 192 until a big round-number milestone!)
Me neither, so I'm hereby delegating this to rwatson@/emaste@ ;-)
Comment Actions
I'm fine with exposing the hostname here -- the goal of Capsicum has always been to be pragmatic about getting software running where it doesn't violate isolation properties. You could argue that this is an information leak and/or might cause problems for deterministic replay-style applications of Capsicum -- but I'd rather we had more code working in a sandboxing. :-)
Comment Actions
I agree. If we wanted to be serious about information leakage, we'd have had to block lots of other fairly mundane sysctls too. That would be neat in a purist sense, but Capsicum's selling point has always been that we aren't a purist capability system.
Comment Actions
@rwatson , @jonathan : @allanjude wonders abut the other sysctls in this block in D8015. I think domainname is probably fine. I don't know what hostuuid is, though.