This pages describes the current status of and roadmap for the Capsicum security framework.
Kernel patches to add Capsicum support are maintained out-of-tree at https://github.com/google/capsicum-linux. Two rounds of discussion on the Linux Kernel Mailing List (LKML) have occurred, in June and July 2014.
The Capsicum kernel patches are divided into discrete chunks, so that individual pieces of functionality that may be of use elsewhere can be picked up independently. In particular, the following changes may be of wider interest:
The capsicum-hooks-version branch is maintained as a patchset against the current upstream kernel that implements Capsicum capabilities and capability mode; the procdesc-version branch implements process descriptors (and is almost completely orthogonal – only a small merge patch is needed to join the two branches). Note that both of these branches are frequently rebased.
A test suite for Capsicum functionality is available at https://github.com/google/capsicum-test. This test suite also includes an initial version of the Capsicum userspace support library libcaprights, and has sample autoconf macros to allow userspace programs to configure support for Capsicum in a way that is portable across Linux and FreeBSD.
In the short term, the Capsicum Linux project is focusing on the following areas.
When these are done, we aim to re-visit LKML discussion of the kernel changes.
An experimental personal package archive for Ubuntu 14.04 is available at pkg.capsicum-linux.org. This PPA includes a pre-built kernel including Capsicum support, together with a few Capsicumized applications (mostly generated by simple adaptations of the equivalent FreeBSD Capsicum support):
Capsicum support was included as of version 10.0 (Jan 2014). (FreeBSD 9.x included an earlier version of Capsicum as an experimental feature; this version of Capsicum is incompatible with the current version.)
Although FreeBSD has implemented process descriptors, the pdwait4 system call is not currently implemented. There has also been some discussion about the appropriate semantics of how process descriptors interact with other UNIX functionality.
Taken together, these mean that additional work on the FreeBSD implementation of process descriptors is likely.
The following external application programs include support for Capsicum:
Within the FreeBSD tree itself, the following applications include support for Capsicum:
|auditdistd(8)||Audit-trail distribution daemon||Worker processes are sandboxed using capability mode. The receiver process has append-only access to one directory. It can create newer files and append data to them. It cannot modify already stored audit records. It cannot read or modify audit trail files from other hosts.||r243730|
|ctld(8)||iSCSI target daemon||Uses Capsicum to protect itself during iSCSI Login Phase - as with the initiator, the Full Feature Phase is performed in the kernel and thus cannot be sandboxed.||r255570|
|fetch(1)||Retrieve file by URL||Patch proposed on mailing list||Patch|
|fstyp(8)||Utility to determine filesystem type||Uses Capsicum to prevent malicious input (filesystem metadata) from doing anything bad.||r275680|
|hastctl(8)||HAST control utility||Now sandboxed using capability mode.||r221899, r219847|
|hastd(8)||High-availability storage daemon||The worker process is now sandboxed using capability mode. Access to local provider is limited to pread(2), pwrite(2), flock(2) and DIOCGDELETE and DIOCGFLUSH ioctls. Access to GEOM Gate device is limited to G_GATE_CMD_MODIFY, G_GATE_CMD_START, G_GATE_CMD_DONE and G_GATE_CMD_DESTROY ioctls (for primary node).||r255219, r248297, r223585, r223584, r221899, r221898, r219847|
|iscsid(8)||iSCSI initiator daemon||Now sandboxed using capability mode.||r255570|
|kdump(1)||kernel process tracing tool||Now sandboxed using capability mode. It is not sandboxed when -r option is used, which instructs kdump(1) to convert numeric UIDs and GIDs into user and group names. With the casperd daemon and system.pwd and system.grp services kdump(1) can be sandboxed even if -r option is used.||r255219, r251073, r247602|
|ngrep(8)||Network grep||FreeBSD port sandboxed using Capsicum||r375232|
|ping(8)||Send ICMP ECHO requests||Now sandboxed using capability mode||r261498|
|rwho(1)||RWho client tool||Now sandboxed using capability mode and has read-only access to one directory||r255219, r252598|
|rwhod(8)||RWho daemon||The receiver functionality is now running is separate process, which is sandboxed using capability mode and has write-only access to one directory.||r255219, r252605|
|tcpdump(1)||Packet capture tool||Now sandboxed using capability mode if -n option is used and -z and -V options are not used. With casperd's system.dns service support it enter sandbox even without -n option.||r272451, r255219, r253004|
|uefisign(8)||UEFI Secure Boot binary signing utility||Is sandboxed so that all the code that parses PE structures runs compartmentalized, and without access to the private key.||r279315|
|uniq(1)||Uniq command-line tool||Now sandboxed using capability mode||r255219, r253457|
|units(1)||Unit conversion program||Now sandboxed using capability mode||r263940|