Board: FB_security
Subject: Re: Capsicum and sendto(2)
Posted from: NCTU CS FreeBSD Server (Thu Jan 23 04:47:13 2014)
Relayed via: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
At Tue, 21 Jan 2014 12:21:50 -0600, Brooks Davis wrote:
>
> On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> >
> > What is the intended behavior of sendto() with non-NULL destination
> > when the capability mode is enabled?
> >
> > If the capability mode is *not* enabled, it is checked against
> > CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> > This matches the explanation in the rights(4) manual page.
> >
> > However, if the capability mode is enabled, it is always
> > rejected in sendit(). Is this intended?
>
> Yes, this is intended. In capability mode all access to namespaces is
> restricted including the IP address namespace. You must either connect
> your sockets before entering capability mode or use casper to provide
> connected sockets.
Understood.
The capability mode forbids access to the global name space.
What I was trying to do was applying Capsicum to a packet translator,
which inherently needs to send packets to many addresses.
Maybe I need something analogous to opening a subdirectory in
a filesystem name space, say, a new API to "open" a subnet
before entering capability mode...
Thanks,
Ken
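
The behaviour discussed in this thread, as an added example that is not part of the original messages or of FreeBSD's source: one UDP socket is connected before `cap_enter()` and one is not, then both are used to send. The destination (loopback, port 9), the `struct probe` type and the function name are constructed for illustration; the `ECAPMODE` result applies on a Capsicum-enabled FreeBSD kernel, and on other systems the `cap_enter()` call is compiled out so both sends succeed.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>       /* <sys/capability.h> on FreeBSD 10.0 */
#endif

/* Each field: 0 = datagram accepted, >0 = errno, -1 = setup failed. */
struct probe { int connected_send; int sendto_addr; };

struct probe capmode_send_probe(void)
{
    struct probe r = { -1, -1 };
    struct sockaddr_in sin;
    int pre, late;
    /* Constructed destination: loopback, UDP port 9 (discard). */
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(9);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    pre = socket(AF_INET, SOCK_DGRAM, 0);
    late = socket(AF_INET, SOCK_DGRAM, 0);
    if (pre < 0 || late < 0)
        return r;
    /* Name the peer while the address namespace is still reachable. */
    if (connect(pre, (struct sockaddr *)&sin, sizeof(sin)) != 0)
        return r;
#ifdef __FreeBSD__
    if (cap_enter() != 0)       /* irreversible for this process */
        return r;
#endif
    /* No address argument: allowed on the pre-connected descriptor. */
    r.connected_send = send(pre, "x", 1, 0) == 1 ? 0 : errno;
    /* Explicit address: refused with ECAPMODE once in capability mode. */
    r.sendto_addr = sendto(late, "x", 1, 0, (struct sockaddr *)&sin,
        sizeof(sin)) == 1 ? 0 : errno;
    close(pre);
    close(late);
    return r;
}

int main(void)
{
    struct probe r = capmode_send_probe();
    printf("connected send: %d, sendto with address: %d\n",
        r.connected_send, r.sendto_addr);
    return 0;
}
```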