tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Capsicum: practical capabilities for UNIX

On Fri, Sep 24, 2010 at 02:46:10PM -0500, David Young wrote:
> A couple of weeks ago I read a paper on Capsicum, a
> "lightweight OS capability and sandbox framework,"
> <>.  Capsicum looks
> like a giant step in the right direction for UNIX security research.
> I'd like to see a similar function in NetBSD.  What are others'
> impressions of Capcisum?  Is anybody working on a port?
> I have a couple of concerns about Capsicum at its current level of
> development.  First, I'm wary of "self-compartmentalization" of
> programs and libraries.  It seems like it could be a lot of work to add
> self-compartmentalization to just the programs in NetBSD's base system,
> and when it was finished, I doubt that so many changes would be both
> trustworthy and consistent.  The second concern is related to the first:
> a Capsicum sandbox doesn't simulate access to the global namespace for
> the purpose of unmodified programs calling, e.g., open(2)---can it?  The
> authors of the Capsicum paper are already thinking about the question
> (see section 4.3, "gzip"); I'm eager to see what they come up with.
> For consistency, user confidence and convenience, I'd like to see a
> wrapper program or shell built-in, "capsicum [capabilities] [program
> [arguments ...]]", that creates a sandbox, grants it the mentioned
> <capabilities>, and starts in it the given <program> with the given
> <arguments>.  Maybe that wouldn't be hard to do.  Maybe there's a better
> way, too.  Your thoughts?

I've been wondering if the dynamic linker could simulate access to
the global namespace by supplying alternate system-call stubs.  Say
rtld-elf-cap supplies its own open(2) stub, for example, that searches
Capsicum's fdlist for a suitable file descriptor on which to call

open(const char *path, int flags, mode_t mode)
        const char *name;
        int fd;

        for (name, fd in fdlist) {
                if (path is-under-directory name)
                        return openat(fd, path, flags, mode);
        errno = ENOENT;
        return -1;


David Young             OJC Technologies      Urbana, IL * (217) 278-3933

Home | Main Index | Thread Index | Old Index