tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Capsicum: practical capabilities for UNIX

On Sun, 26 Sep 2010 23:54:19 +0200 Jean-Yves Migeon
<> wrote:
> > Actually, it is pretty easy for most systems programs to retrofit
> > what you want. It is a lot harder for arbitrary programs, but
> > that's another story.
> I don't think so. For "small", "trivial" programs, like those used
> for hashing, compress/uncompress, it is indeed easy to retrofit.
> But if you go for programs like web browsers, web/application
> servers, databases, or even any GUI program (PDF readers, did I say
> browsers?), it is a lot less trivial to bring a capability model in.

They did Chrome in the paper, and it required very few lines of code
(under 100). They did other tests too. It appears that they've had
quite a bit of success in creating a very usable API here. I'm not
entirely surprised, given the nature of what they're doing.

I suspect programs like ntp or postfix would be quite easy to
do. Emacs would be quite hard.

Perry E. Metzger      

Home | Main Index | Thread Index | Old Index