[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Capsicum: practical capabilities for UNIX
A couple of weeks ago I read a paper on Capsicum, a
"lightweight OS capability and sandbox framework,"
<http://www.cl.cam.ac.uk/research/security/capsicum/>. Capsicum looks
like a giant step in the right direction for UNIX security research.
I'd like to see a similar function in NetBSD. What are others'
impressions of Capcisum? Is anybody working on a port?
I have a couple of concerns about Capsicum at its current level of
development. First, I'm wary of "self-compartmentalization" of
programs and libraries. It seems like it could be a lot of work to add
self-compartmentalization to just the programs in NetBSD's base system,
and when it was finished, I doubt that so many changes would be both
trustworthy and consistent. The second concern is related to the first:
a Capsicum sandbox doesn't simulate access to the global namespace for
the purpose of unmodified programs calling, e.g., open(2)---can it? The
authors of the Capsicum paper are already thinking about the question
(see section 4.3, "gzip"); I'm eager to see what they come up with.
For consistency, user confidence and convenience, I'd like to see a
wrapper program or shell built-in, "capsicum [capabilities] [program
[arguments ...]]", that creates a sandbox, grants it the mentioned
<capabilities>, and starts in it the given <program> with the given
<arguments>. Maybe that wouldn't be hard to do. Maybe there's a better
way, too. Your thoughts?
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
Main Index |
Thread Index |