Capsicum Implementation Status

This page describes the current status of, and roadmap for, the Capsicum security framework.


Kernel Implementation

Kernel patches to add Capsicum support are maintained out-of-tree at Two rounds of discussion on the Linux Kernel Mailing List (LKML) have occurred, in June and July 2014.

The Capsicum kernel patches are divided into discrete chunks, so that individual pieces of functionality that may be of use elsewhere can be picked up independently. In particular, the following changes may be of wider interest:

The capsicum-hooks-version branch is maintained as a patchset against the current upstream kernel that implements Capsicum capabilities and capability mode; the procdesc-version branch implements process descriptors (and is almost completely orthogonal – only a small merge patch is needed to join the two branches). Note that both of these branches are frequently rebased.

A test suite for Capsicum functionality is available at This test suite also includes an initial version of the Capsicum userspace support library libcaprights, and has sample autoconf macros to allow userspace programs to configure support for Capsicum in a way that is portable across Linux and FreeBSD.


In the short term, the Capsicum Linux project is focusing on the following areas.

When these are done, we aim to re-visit LKML discussion of the kernel changes.

Application Support

An experimental personal package archive for Ubuntu 14.04 is available at This PPA includes a pre-built kernel including Capsicum support, together with a few Capsicumized applications (mostly generated by simple adaptations of the equivalent FreeBSD Capsicum support):


Kernel Implementation

FreeBSD has shipped Capsicum support since version 10.0 (Jan 2014). (FreeBSD 9.x included an earlier version of Capsicum as an experimental feature; that version is incompatible with the current one.)


Although FreeBSD has implemented process descriptors, the pdwait4 system call is not currently implemented. There has also been some discussion about the appropriate semantics of how process descriptors interact with other UNIX functionality.

Taken together, these mean that additional work on the FreeBSD implementation of process descriptors is likely.

Application Support

The following external application programs include support for Capsicum:

Within the FreeBSD tree itself, the following applications include support for Capsicum:

auditdistd(8) (audit-trail distribution daemon): Worker processes are sandboxed using capability mode. The receiver process has append-only access to one directory: it can create new files and append data to them, but it cannot modify already stored audit records, and it cannot read or modify audit trail files from other hosts. Revisions: r243730

ctld(8) (iSCSI target daemon): Uses Capsicum to protect itself during the iSCSI Login Phase. As with the initiator, the Full Feature Phase is performed in the kernel and thus cannot be sandboxed. Revisions: r255570

dhclient(8) (DHCP client):
  • The unprivileged process can now only read from the routing socket.
  • It is no longer possible for the unprivileged process to send UDP packets to arbitrary destinations.
  • The unprivileged process can now only read from /dev/bpf and send the SIOCGIFFLAGS and SIOCGIFMEDIA ioctls.
  • The unprivileged process can only overwrite the lease file; it cannot read from it.
Revisions: r255219, r252634

fetch(1) (retrieve file by URL): Patch proposed on the mailing list.

fstyp(8) (utility to determine filesystem type): Uses Capsicum so that malicious input (filesystem metadata) cannot do anything beyond the sandbox. Revisions: r275680

hastctl(8) (HAST control utility): Now sandboxed using capability mode. Revisions: r221899, r219847

hastd(8) (high-availability storage daemon): The worker process is now sandboxed using capability mode. Access to the local provider is limited to pread(2), pwrite(2), flock(2) and the DIOCGDELETE and DIOCGFLUSH ioctls. Access to the GEOM Gate device is limited to the G_GATE_CMD_MODIFY, G_GATE_CMD_START, G_GATE_CMD_DONE and G_GATE_CMD_DESTROY ioctls (for the primary node). Revisions: r255219, r248297, r223585, r223584, r221899, r221898, r219847

iscsid(8) (iSCSI initiator daemon): Now sandboxed using capability mode. Revisions: r255570

kdump(1) (kernel process tracing tool): Now sandboxed using capability mode. It is not sandboxed when the -r option is used, which instructs kdump(1) to convert numeric UIDs and GIDs into user and group names. With the casperd daemon and its system.pwd and system.grp services, kdump(1) can be sandboxed even if the -r option is used. Revisions: r255219, r251073, r247602

ngrep(8) (network grep): FreeBSD port sandboxed using Capsicum. Revisions: r375232 (ports tree)

ping(8) (send ICMP ECHO requests): Now sandboxed using capability mode. Revisions: r261498

rwho(1) (rwho client tool): Now sandboxed using capability mode, with read-only access to one directory. Revisions: r255219, r252598

rwhod(8) (rwho daemon): The receiver functionality now runs in a separate process, which is sandboxed using capability mode and has write-only access to one directory. Revisions: r255219, r252605

tcpdump(1) (packet capture tool): Now sandboxed using capability mode if the -n option is used and the -z and -V options are not used. With casperd's system.dns service it enters the sandbox even without the -n option. Revisions: r272451, r255219, r253004

uefisign(8) (UEFI Secure Boot binary signing utility): Sandboxed so that all the code that parses PE structures runs compartmentalized, without access to the private key. Revisions: r279315

uniq(1) (uniq command-line tool): Now sandboxed using capability mode. Revisions: r255219, r253457

units(1) (unit conversion program): Now sandboxed using capability mode. Revisions: r263940
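Several entries above follow the same pattern: a worker keeps one directory descriptor whose rights are cut down to what it needs (auditdistd's "create and append only", rwhod's "write-only"), a device descriptor is limited to an explicit ioctl allow-list (hastd, dhclient), and the process then enters capability mode so it can no longer open anything by global path. The program below is an added example written for this page; it is not code from the Capsicum project or from any of the listed utilities. The helper names restrict_append_only_dir, limit_to_ioctls and probe are ours. It assumes FreeBSD's <sys/capsicum.h> API (cap_rights_init, cap_rights_limit, cap_ioctls_limit, cap_enter) and the FreeBSD openat() mapping of open flags to rights, under which O_RDONLY needs CAP_READ and a plain O_WRONLY open (without O_APPEND or O_TRUNC) needs CAP_SEEK; on other systems the Capsicum calls are compiled out and the helpers report ENOSYS so the file still builds.

```c
/* Added example: an auditdistd(8)/rwhod(8)-style worker sandbox using Capsicum.
 * Not project code; helper names are ours. Real Capsicum calls only on FreeBSD. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose mkdtemp() and O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0
#endif

/* Keep only what openat(dirfd, name, O_WRONLY|O_APPEND|O_CREAT) needs:
 * CAP_LOOKUP (resolve names under dirfd), CAP_CREATE (O_CREAT), CAP_WRITE,
 * plus CAP_FSTAT for housekeeping. CAP_READ is deliberately absent, so stored
 * records cannot be read back; CAP_SEEK is absent, so a non-append write open
 * is refused as well (assumption: FreeBSD's openat() flags-to-rights mapping).
 * Returns 0 on success, -1 with errno set: EBADF for a bad fd, ENOSYS when
 * built without Capsicum. */
int restrict_append_only_dir(int dirfd)
{
#if HAVE_CAPSICUM
	cap_rights_t rights;
	cap_rights_init(&rights, CAP_LOOKUP, CAP_CREATE, CAP_WRITE, CAP_FSTAT);
	return cap_rights_limit(dirfd, &rights);
#else
	(void)dirfd;
	errno = ENOSYS;
	return -1;
#endif
}

/* The hastd(8)/dhclient(8) pattern: the descriptor keeps CAP_IOCTL, but only
 * the commands in the allow-list may be issued on it. */
int limit_to_ioctls(int fd, const unsigned long *cmds, size_t ncmds)
{
#if HAVE_CAPSICUM
	return cap_ioctls_limit(fd, cmds, ncmds);
#else
	(void)fd; (void)cmds; (void)ncmds;
	errno = ENOSYS;
	return -1;
#endif
}

/* Attempt an openat() and return the errno it produced (0 on success). */
static int probe(int dirfd, const char *name, int flags)
{
	int fd = openat(dirfd, name, flags, 0600);
	if (fd < 0)
		return errno;
	close(fd);
	return 0;
}

int main(void)
{
	char tmpl[] = "/tmp/capsicum-demo.XXXXXX";   /* constructed scratch dir */
	const char *dir = mkdtemp(tmpl);
	if (dir == NULL) { perror("mkdtemp"); return 1; }
	int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
	if (dirfd < 0) { perror("open"); return 1; }

	if (restrict_append_only_dir(dirfd) != 0) {
		perror("restrict_append_only_dir");   /* ENOSYS outside FreeBSD */
		return 1;
	}
#if HAVE_CAPSICUM
	if (cap_enter() != 0) { perror("cap_enter"); return 1; }
	/* Global namespace is gone in capability mode: expect ECAPMODE. */
	printf("open /etc/passwd: %s\n", strerror(probe(AT_FDCWD, "/etc/passwd", O_RDONLY)));
	/* Permitted by the rights left on dirfd: create + append. */
	printf("append-create:    %s\n", strerror(probe(dirfd, "trail", O_WRONLY | O_APPEND | O_CREAT)));
	/* Refused with ENOTCAPABLE: reading back, or a seekable write open. */
	printf("read back:        %s\n", strerror(probe(dirfd, "trail", O_RDONLY)));
	printf("non-append write: %s\n", strerror(probe(dirfd, "trail", O_WRONLY)));
#endif
	return 0;
}
```

The defensive value is in what is missing from the rights set rather than what is present: because neither CAP_READ nor CAP_SEEK survives on the directory descriptor, a compromised receiver can add records but can neither exfiltrate existing ones nor rewrite them, which is exactly the property the auditdistd entry describes. Apply the rights limits before cap_enter(), since descriptors opened earlier keep whatever rights they had when the process entered capability mode.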