Capsicum Implementation Status

Linux

Kernel Implementation

Kernel patches to add Capsicum support are maintained out-of-tree at https://github.com/google/capsicum-linux. Two rounds of discussion on the Linux Kernel Mailing List (LKML) have occurred, in June and July 2014.

The Capsicum kernel patches are divided into discrete chunks, so that individual pieces of functionality that may be of use elsewhere can be picked up independently. In particular, the following changes may be of wider interest:

The execveat system call, which is needed to allow an implementation of fexecve that does not rely on the /proc filesystem (which is unavailable in Capsicum capability mode). This was merged in Linux v3.19.
Capsicum's openat behaviour, where paths that include .. or leading / are disallowed, is made available separately as a new O_BENEATH flag for openat. Discussed on the LKML in November 2014 and March 2015; equivalent behaviour is also being proposed for FreeBSD.
The export of additional unistd.h-like files that allow access to the system call numbers for all x86 sub-architectures (amd64, i386 and x32) simultaneously. This may help any userspace tools that process system calls in a generic way, such as strace, the audit framework and seccomp-bpf.
In March 2015, Josh Triplett and Thiago Macieira proposed a new clone4 system call and associated CLONE_FD flag, providing functionality analogous to Capsicum's process descriptors. LKML discussion led to an explicit aim of allowing process descriptor functionality to be implemented in terms of these clonefds. The procdesc-version branch (for versions >= 4.2) is therefore implemented this way.

The capsicum-hooks-version branch is maintained as a patchset against the current upstream kernel that implements Capsicum capabilities and capability mode; the procdesc-version branch implements process descriptors (and is almost completely orthogonal – only a small merge patch is needed to join the two branches). Note that both of these branches are frequently rebased.

A test suite for Capsicum functionality is available at https://github.com/google/capsicum-test. This test suite also includes an initial version of the Capsicum userspace support library libcaprights, and has sample autoconf macros to allow userspace programs to configure support for Capsicum in a way that is portable across Linux and FreeBSD.

Roadmap

In the short term, the Capsicum Linux project is focusing on the following areas.

Implement process descriptors in terms of clonefds: Re-work the previous draft implementation of process descriptors so that:
- it is implemented in terms of the clonefd patchset proposed by Josh Triplett and Thiago Macieira
- the suggested semantics for interactions with existing UNIX functionality are implemented.
Demonstrate the utility of Capsicum: Although the initial LKML discussions of Capsicum didn't induce any immediate NACKs, there wasn't clear enough support to suggest a near-term merge of the feature. Therefore, we aim to increase support by providing examples of the use of Capsicum in userspace; in particular …
Implement library remoting with Capsicum: One of the original target use-cases for Capsicum was to make it possible for libraries to provide their interface with an implementation that lives in a separate process. This separate process can be Capsicum-sandboxed, and only provided with the specific capabilities that are needed to perform its function. This allows libraries that are particularly prone to vulnerabilities (such as complex, memory-fiddling media libraries) to be isolated so that vulnerabilities in the library do not affect the application using the library.

When these are done, we aim to re-visit LKML discussion of the kernel changes.

Application Support

An experimental personal package archive for Ubuntu 14.04 is available at pkg.capsicum-linux.org. This PPA includes a pre-built kernel including Capsicum support, together with a few Capsicumized applications (mostly generated by simple adaptations of the equivalent FreeBSD Capsicum support):

OpenSSH: Updated openssh-server package, adapted from FreeBSD variant.
tcpdump: Updates trivially adapted from FreeBSD variant.
strings: The binutils package holds a Capsicumized version of the strings application.

FreeBSD

Kernel Implementation

Capsicum support was included as of version 10.0 (Jan 2014). (FreeBSD 9.x included an earlier version of Capsicum as an experimental feature; this version of Capsicum is incompatible with the current version.)

Roadmap

Although FreeBSD has implemented process descriptors, the pdwait4 system call is not currently implemented. There has also been some discussion about the appropriate semantics of how process descriptors interact with other UNIX functionality.

Taken together, these mean that additional work on the FreeBSD implementation of process descriptors is likely.

Application Support

The following external application programs include support for Capsicum:

OpenSSH: supported since version 6.5 (Jan 2014)
tcpdump: supported in version 4.7.3.
xz: support for mainline use-case added in tip codebase
file (privsep version derived from OpenBSD): support for Capability mode added in tip codebase.

Within the FreeBSD tree itself, the following applications include support for Capsicum:

Application	Description	Use	Commits
auditdistd(8)	Audit-trail distribution daemon	Worker processes are sandboxed using capability mode. The receiver process has append-only access to one directory. It can create newer files and append data to them. It cannot modify already stored audit records. It cannot read or modify audit trail files from other hosts.	r243730
ctld(8)	iSCSI target daemon	Uses Capsicum to protect itself during iSCSI Login Phase - as with the initiator, the Full Feature Phase is performed in the kernel and thus cannot be sandboxed.	r255570
dhclient(8)	DHCP client	The unprivileged process can now only read from the routing socket. It is no longer possible for the unprivileged process to send UDP packets to arbitrary destinations. Unprivileged process can now only read from /dev/bpf and send SIOCGIFFLAGS and SIOCGIFMEDIA ioctls. The unprivileged process can only overwrite lease file, it cannot read from it.	r255219, r252634
fetch(1)	Retrieve file by URL	Patch proposed on mailing list	Patch
fstyp(8)	Utility to determine filesystem type	Uses Capsicum to prevent malicious input (filesystem metadata) from doing anything bad.	r275680
hastctl(8)	HAST control utility	Now sandboxed using capability mode.	r221899, r219847
hastd(8)	High-availability storage daemon	The worker process is now sandboxed using capability mode. Access to local provider is limited to pread(2), pwrite(2), flock(2) and DIOCGDELETE and DIOCGFLUSH ioctls. Access to GEOM Gate device is limited to G_GATE_CMD_MODIFY, G_GATE_CMD_START, G_GATE_CMD_DONE and G_GATE_CMD_DESTROY ioctls (for primary node).	r255219, r248297, r223585, r223584, r221899, r221898, r219847
iscsid(8)	iSCSI initiator daemon	Now sandboxed using capability mode.	r255570
kdump(1)	kernel process tracing tool	Now sandboxed using capability mode. It is not sandboxed when -r option is used, which instructs kdump(1) to convert numeric UIDs and GIDs into user and group names. With the casperd daemon and system.pwd and system.grp services kdump(1) can be sandboxed even if -r option is used.	r255219, r251073, r247602
ngrep(8)	Network grep	FreeBSD port sandboxed using Capsicum	r375232
ping(8)	Send ICMP ECHO requests	Now sandboxed using capability mode	r261498
rwho(1)	RWho client tool	Now sandboxed using capability mode and has read-only access to one directory	r255219, r252598
rwhod(8)	RWho daemon	The receiver functionality is now running is separate process, which is sandboxed using capability mode and has write-only access to one directory.	r255219, r252605
tcpdump(1)	Packet capture tool	Now sandboxed using capability mode if -n option is used and -z and -V options are not used. With casperd's system.dns service support it enter sandbox even without -n option.	r272451, r255219, r253004
uefisign(8)	UEFI Secure Boot binary signing utility	Is sandboxed so that all the code that parses PE structures runs compartmentalized, and without access to the private key.	r279315
uniq(1)	Uniq command-line tool	Now sandboxed using capability mode	r255219, r253457
units(1)	Unit conversion program	Now sandboxed using capability mode	r263940