Add tame(2) to file(1) and drop the old systrace(4) sandbox. tame(2) is - wireguard-openbsd - WireGuard implementation for the OpenBSD kernel

diff options

author	nicm <nicm@openbsd.org>	2015-10-04 07:25:59 +0000
committer	nicm <nicm@openbsd.org>	2015-10-04 07:25:59 +0000
commit	80736d2221ea3485cd8b10db0555f80fff19bd72 (patch)
tree	20a290c2588cbd3e2bbbc540e874d3e42824f560 /lib
parent	recv() and send() aren't overriden by libpthread (vs recvfrom() and sendto()!) (diff)
download	wireguard-openbsd-80736d2221ea3485cd8b10db0555f80fff19bd72.tar.xz wireguard-openbsd-80736d2221ea3485cd8b10db0555f80fff19bd72.zip

Add tame(2) to file(1) and drop the old systrace(4) sandbox. tame(2) is

only applied to the child process, which requires the parent to not pass directory file descriptors (tame("cmsg") does not allow it). Because file(1) is already privsep, the permissions in the child can be quickly restricted: first to "stdio cmsg getpw proc" then after the privdrop to "stdio cmsg".

Diffstat (limited to 'lib')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: