I am running 13-stable from a couple of weeks ago, without Capsicum
(neither CAPABILITY_MODE nor CAPABILITIES are specified in my kernel).
Despite this, I am getting Capsicum-related errors. As an example:
openat(AT_FDCWD, "/")
will return ENOTCAPABLE.

Rummaging around the sources, it seems that there's a non-trivial amount of code in kern/vfs_lookup.c that's capable of returning capability-related errors but isn't protected by CAPABILITY_MODE. This seems undesirable since it means that FreeBSD is defaulting to being locked down but, unless I build it with Capsicum, there's no way to change the process's capabilities.

--
Peter Jeremy
