tech-kern archive
Capsicum: practical capabilities for UNIX
A couple of weeks ago I read a paper on Capsicum, a
"lightweight OS capability and sandbox framework,"
<http://www.cl.cam.ac.uk/research/security/capsicum/>. Capsicum looks
like a giant step in the right direction for UNIX security research.
I'd like to see a similar function in NetBSD. What are others'
impressions of Capsicum? Is anybody working on a port?
I have a couple of concerns about Capsicum at its current level of
development. First, I'm wary of "self-compartmentalization" of
programs and libraries. It seems like it could be a lot of work to add
self-compartmentalization to just the programs in NetBSD's base system,
and when it was finished, I doubt that so many changes would be both
trustworthy and consistent. The second concern is related to the first:
a Capsicum sandbox doesn't simulate access to the global namespace for
the purpose of unmodified programs calling, e.g., open(2)---can it? The
authors of the Capsicum paper are already thinking about the question
(see section 4.3, "gzip"); I'm eager to see what they come up with.
For consistency, user confidence and convenience, I'd like to see a
wrapper program or shell built-in, "capsicum [capabilities] [program
[arguments ...]]", that creates a sandbox, grants it the mentioned
<capabilities>, and starts in it the given <program> with the given
<arguments>. Maybe that wouldn't be hard to do. Maybe there's a better
way, too. Your thoughts?
Dave
--
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
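The two concerns raised in the message above, the self-compartmentalization work a program has to do and an unmodified open(2) failing once the sandbox is entered, as an added example in C. This is not code from the post, from NetBSD, or from the Capsicum project. On FreeBSD it uses the real Capsicum API (cap_enter(), cap_rights_init(), cap_rights_limit(), the CAP_* rights); on any other POSIX system (an assumption of the example) the sandbox entry is compiled out so the descriptor discipline can still be run and read. The temporary directory under /tmp, the file name input.txt and SAMPLE_TEXT are constructed inputs.

```c
/* Added example (not from David Young's post or the Capsicum project): the
 * "self-compartmentalization" a Capsicum-aware program must do, and why an
 * unmodified open(2) stops working after cap_enter().  The cap_* calls are
 * FreeBSD's Capsicum API; on any other POSIX system (assumed) they compile out. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* mkdtemp(3), openat(2) under strict -std= */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0
#endif

/* Constructed sample input, written to a temporary directory below. */
static const char SAMPLE_TEXT[] = "constructed sample input for the example\n";

/* Phase 1, with ambient authority still available: turn the global name into
 * a descriptor and trim it to the rights the program will use.  CAP_LOOKUP
 * lets openat() resolve names below the directory; descriptors it yields
 * inherit only CAP_READ and CAP_FSTAT.  Returns -1 on error. */
static int acquire_input_dir(const char *path)
{
    int dirfd = open(path, O_RDONLY | O_DIRECTORY);
#if HAVE_CAPSICUM
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_LOOKUP, CAP_READ, CAP_FSTAT);
    if (dirfd >= 0 && cap_rights_limit(dirfd, &rights) < 0) {
        close(dirfd);
        return -1;
    }
#endif
    return dirfd;
}

/* Phase 2: give up the global namespace.  On a Capsicum kernel, once this
 * returns 0 every open(2) of a path fails with ECAPMODE, while openat(2)
 * relative to a phase-1 descriptor keeps working. */
static int enter_sandbox(void)
{
#if HAVE_CAPSICUM
    return cap_enter();
#else
    return 0;                       /* no Capsicum here: nothing to enter */
#endif
}

/* Size of a file named relative to the pre-opened directory, or -1.  Names that
 * leave the directory (absolute, "..") get ENOTCAPABLE in capability mode; they
 * are also refused here (any "..", stricter than the kernel) for parity elsewhere. */
static long read_size_in_dir(int dirfd, const char *name)
{
    struct stat st;
    if (name[0] == '/' || strstr(name, "..") != NULL)
        return -1;
    int fd = openat(dirfd, name, O_RDONLY);
    if (fd < 0)
        return -1;
    long size = fstat(fd, &st) == 0 ? (long)st.st_size : -1;
    close(fd);
    return size;
}

/* What an unmodified program's open(2) sees: 1 if the kernel refused the
 * lookup with ECAPMODE, 0 if it succeeded, -1 on any other error. */
static int global_open_denied(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0)
        close(fd);
#if HAVE_CAPSICUM
    return fd >= 0 ? 0 : (errno == ECAPMODE ? 1 : -1);
#else
    return fd >= 0 ? 0 : -1;
#endif
}

/* Create a temporary directory holding input.txt (SAMPLE_TEXT) and return it
 * acquired as in phase 1: the state a program is in just before phase 2. */
static int make_sample_dir(void)
{
    char dir[] = "/tmp/capsicum-example-XXXXXX", file[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/input.txt", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, SAMPLE_TEXT, sizeof SAMPLE_TEXT - 1);
    close(fd);
    return w == (ssize_t)(sizeof SAMPLE_TEXT - 1) ? acquire_input_dir(dir) : -1;
}
```

The order matters: make_sample_dir() (phase 1, while paths still resolve), then enter_sandbox(), then only descriptor-relative work. Afterwards read_size_in_dir(dirfd, "input.txt") still returns the file size on every system, but global_open_denied("/") returns 1 on a Capsicum kernel and 0 elsewhere. That is the gap a "capsicum [capabilities] program" wrapper would have to close for an unmodified program: every path the program will ever open(2) has to be turned into a descriptor and handed to it before cap_enter(), or the open fails with ECAPMODE.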