tech-kern archive
Re: Capsicum: practical capabilities for UNIX
On Sun, Sep 26, 2010 at 11:54:19PM +0200, Jean-Yves Migeon wrote:
> On 26.09.2010 19:38, Perry E. Metzger wrote:
> > On Sat, 25 Sep 2010 13:36:18 +0200 Jean-Yves Migeon
> > <jeanyves.migeon%free.fr@localhost> wrote:
> >> I, for one, welcome our new systrace overlords.
> >>
> >> oops :)
> >
> > Systrace is a MAC-like system. It is NOT a capability architecture.
>
> Never said the opposite. Don't remove the part I was quoting just above :)
>
> On 24.09.2010 21:46, David Young wrote:
> >> For consistency, user confidence and convenience, I'd like to see a
> >> wrapper program or shell built-in, "capsicum [capabilities] [program
> >> [arguments ...]]", that creates a sandbox, grants it the mentioned
> >> <capabilities>, and starts in it the given <program> with the given
> >> <arguments>. Maybe that wouldn't be hard to do. Maybe there's a better
> >> way, too. Your thoughts?
>
> Doesn't it read like using "capsicum" as a "systrace" replacement?
The chief difference I see between a process limited by Capsicum and
a process limited by Systrace is that the Capsicum-limited process
has only the privileges that the parent process grants it, while the
Systrace-limited process has a system-call firewall applied. It's
easier with the Capsicum-limited process than with the Systrace-limited
process to reason about what the process can do, and to adjust the
process privileges, because it's easier to name and count capabilities
than to read, interpret, and re-write systrace rules.
Dave
--
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
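The contrast drawn above (privileges inherited from the parent versus a system-call firewall) in working form, as an added example that is not part of the thread: a process limits one descriptor to CAP_READ and enters Capsicum capability mode, after which only that grant can be exercised. It assumes FreeBSD's Capsicum API (<sys/capsicum.h>, cap_rights_limit(2), cap_enter(2)); the temporary file is a constructed sample.

```c
/* Added example, not from the thread: one descriptor is granted, then the
 * process enters capability mode. Assumes FreeBSD with <sys/capsicum.h>;
 * elsewhere the demo reports ENOSYS instead of running. */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Returns 0 when every expectation holds, ENOSYS without Capsicum, and a
 * small positive number naming the first expectation that failed. The
 * sandboxed party is this process itself, to keep the example to one
 * function; a wrapper like the proposed "capsicum [capabilities] program"
 * would take the same steps around fork()/exec(). */
int capsicum_demo(void)
{
#ifndef __FreeBSD__
    return ENOSYS;
#else
    char path[] = "/tmp/capsicum_demo.XXXXXX";   /* constructed sample file */
    char buf[16];
    cap_rights_t rights;

    int fd = mkstemp(path);                      /* opened O_RDWR */
    if (fd < 0)
        return 1;
    unlink(path);                    /* the descriptor outlives the name */
    if (write(fd, "hello", 5) != 5 || lseek(fd, 0, SEEK_SET) != 0)
        return 2;

    /* The grant: this descriptor may be read, nothing else. */
    cap_rights_init(&rights, CAP_READ);
    if (cap_rights_limit(fd, &rights) != 0)
        return 3;

    /* From here on, only descriptors already held can be used. */
    if (cap_enter() != 0)
        return 4;

    /* Reading the granted descriptor still works ... */
    if (read(fd, buf, sizeof buf) != 5 || memcmp(buf, "hello", 5) != 0)
        return 5;
    /* ... a right that was not granted on it is refused ... */
    if (write(fd, "x", 1) != -1 || errno != ENOTCAPABLE)
        return 6;
    /* ... and naming any new object by path is refused outright. */
    if (open("/etc/passwd", O_RDONLY) != -1 || errno != ECAPMODE)
        return 7;
    close(fd);
    return 0;
#endif
}
```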