#
2b3f93ea |
| 13-Oct-2023 |
Matthew Dillon <dillon@apollo.backplane.com> |
kernel - Add per-process capability-based restrictions
* This new system allows userland to set capability restrictions which turn off numerous kernel features and root accesses. These restrictions are inherited by sub-processes recursively. Once set, restrictions cannot be removed.
Basic restrictions that mimic an unadorned jail can be enabled without creating a jail, but generally speaking real security also requires creating a chrooted filesystem topology, and a jail is still needed to really segregate processes from each other. If you do so, however, you can (for example) disable mount/umount and most global root-only features.
* Add new system calls and a manual page for syscap_get(2) and syscap_set(2)
* Add sys/caps.h
* Add the "setcaps" userland utility and manual page.
* Remove priv.9 and the priv_check infrastructure, replacing it with a newly designed caps infrastructure.
* The intention is to add path restriction lists and similar features to improve jail-less security in the near future, and to optimize the priv_check code.
|
Revision tags: v6.4.0, v6.4.0rc1, v6.5.0, v6.2.2, v6.2.1, v6.2.0, v6.3.0, v6.0.1, v6.0.0, v6.0.0rc1, v6.1.0 |
|
#
df052c2a |
| 02-Apr-2021 |
Sascha Wildner <saw@online.de> |
Fix typo in various licenses: merchantibility -> merchantability
|
Revision tags: v5.8.3, v5.8.2, v5.8.1 |
|
#
f354e0e6 |
| 28-Mar-2020 |
Sascha Wildner <saw@online.de> |
kernel: Remove <sys/mutex.h> from all files that don't need it.
98% of these were remains from porting from FreeBSD which could have been removed after converting to lockmgr(), etc.
While here, do the same for <sys/mutex2.h>.
|
Revision tags: v5.8.0, v5.9.0, v5.8.0rc1, v5.6.3, v5.6.2, v5.6.1, v5.6.0, v5.6.0rc1, v5.7.0, v5.4.3, v5.4.2, v5.4.1, v5.4.0, v5.5.0, v5.4.0rc1, v5.2.2, v5.2.1, v5.2.0, v5.3.0, v5.2.0rc, v5.0.2, v5.0.1, v5.0.0, v5.0.0rc2, v5.1.0, v5.0.0rc1, v4.8.1, v4.8.0, v4.6.2, v4.9.0, v4.8.0rc, v4.6.1, v4.6.0, v4.6.0rc2, v4.6.0rc, v4.7.0 |
|
#
4c52388b |
| 24-May-2016 |
Sascha Wildner <saw@online.de> |
kernel/ath: Fix building with ATH_DIAGAPI.
|
#
dc249793 |
| 12-May-2016 |
Matthew Dillon <dillon@backplane.com> |
wlan - Sync dev/netif/ath from FreeBSD part 5/N
* Adjustments relative to previous commit to compile ath on DragonFly.
* Tested with chromebook.
|
#
b14ca477 |
| 12-May-2016 |
Matthew Dillon <dillon@backplane.com> |
wlan - Sync dev/netif/ath from FreeBSD part 4/N
* Sync dev/netif/ath from FreeBSD, fbsd git dd885b9a0a0e, May 11 2016. (freebase + our Makefiles, does not include dfly adjustments).
|