tech-kern archive
Re: Capsicum: practical capabilities for UNIX
On Fri, Sep 24, 2010 at 02:46:10PM -0500, David Young wrote:
> A couple of weeks ago I read a paper on Capsicum, a
> "lightweight OS capability and sandbox framework,"
> <http://www.cl.cam.ac.uk/research/security/capsicum/>. Capsicum looks
> like a giant step in the right direction for UNIX security research.
> I'd like to see a similar function in NetBSD. What are others'
> impressions of Capsicum? Is anybody working on a port?
>
> I have a couple of concerns about Capsicum at its current level of
> development. First, I'm wary of "self-compartmentalization" of
> programs and libraries. It seems like it could be a lot of work to add
> self-compartmentalization to just the programs in NetBSD's base system,
> and when it was finished, I doubt that so many changes would be both
> trustworthy and consistent. The second concern is related to the first:
> a Capsicum sandbox doesn't simulate access to the global namespace for
> the purpose of unmodified programs calling, e.g., open(2)---can it? The
> authors of the Capsicum paper are already thinking about the question
> (see section 4.3, "gzip"); I'm eager to see what they come up with.
>
> For consistency, user confidence and convenience, I'd like to see a
> wrapper program or shell built-in, "capsicum [capabilities] [program
> [arguments ...]]", that creates a sandbox, grants it the mentioned
> <capabilities>, and starts in it the given <program> with the given
> <arguments>. Maybe that wouldn't be hard to do. Maybe there's a better
> way, too. Your thoughts?
I've been wondering if the dynamic linker could simulate access to
the global namespace by supplying alternate system-call stubs. Say
rtld-elf-cap supplies its own open(2) stub, for example, that searches
Capsicum's fdlist for a suitable file descriptor on which to call
openat(2):
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
/* fdlist: rtld's list of {name, fd, next}; path_under() and path_tail() are assumed helpers. */
int
open(const char *path, int flags, ...)
{
	const struct capdir *cd;
	va_list ap;
	mode_t mode = 0;
	if (flags & O_CREAT) {	/* open(2) is variadic: mode is passed only with O_CREAT */
		va_start(ap, flags);
		mode = (mode_t)va_arg(ap, int);
		va_end(ap);
	}
	for (cd = fdlist; cd != NULL; cd = cd->next) {
		/* openat(2) ignores dirfd for an absolute path, so pass only the tail below name */
		if (path_under(path, cd->name))
			return openat(cd->fd, path_tail(path, cd->name), flags, mode);
	}
	errno = ENOENT;
	return -1;
}
Dave
--
David Young OJC Technologies
dyoung%ojctech.com@localhost Urbana, IL * (217) 278-3933
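The stub sketched in the message, carried through as a complete program (an added example, not code from the message, from NetBSD or from the Capsicum project). The names fdlist, capdir_register(), cap_open() and cap_open_demo() are invented for the example, as is the scratch tree it builds under /tmp; it uses only openat(2) and runs on any POSIX system, with no cap_enter(2) and no Capsicum kernel. It shows the two things the sketch leaves implicit: the prefix match must be on whole path components, and openat(2) must be handed the tail below the registered directory, never the absolute path, with ".." refused so the tail cannot walk back out of dirfd.

```c
#define _POSIX_C_SOURCE 200809L	/* openat(2), mkdtemp(3) */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not Capsicum or NetBSD code: a user-space stand-in for the
 * rtld stub in the message. fdlist, capdir_register() and cap_open() are
 * hypothetical names; rtld-elf-cap would fill the table and export open(). */
struct capdir { char name[256]; int fd; };	/* path as the program names it, and a dirfd on it */
static struct capdir fdlist[16];
static int nfdlist;

/* Open a directory while the global namespace is still reachable (before
 * cap_enter(2) in a real Capsicum program) and record it in fdlist. */
int
capdir_register(const char *dir)
{
	struct capdir *cd = &fdlist[nfdlist];
	errno = ENOMEM;
	if (nfdlist == 16 || strlen(dir) >= sizeof cd->name ||
	    (cd->fd = open(dir, O_RDONLY | O_DIRECTORY)) == -1)
		return -1;
	strcpy(cd->name, dir);
	nfdlist++;
	return cd->fd;
}

/* Part of path below dir ("" for dir itself), or NULL if path is not under
 * dir. Whole components only: /srv/www must not cover /srv/wwwroot. */
static const char *
path_under(const char *path, const char *dir)
{
	size_t n = strlen(dir);
	if (strncmp(path, dir, n) != 0 || (path[n] != '\0' && path[n] != '/'))
		return NULL;
	while (path[n] == '/')
		n++;
	return path + n;
}

/* True if any component of rel is "..". Without a Capsicum kernel, openat(2)
 * follows ".." straight out of dirfd, so the stub must refuse it itself. */
static int
has_dotdot(const char *rel)
{
	size_t n = strlen(rel);
	return strcmp(rel, "..") == 0 || strncmp(rel, "../", 3) == 0 ||
	    strstr(rel, "/../") != NULL || (n >= 3 && strcmp(rel + n - 3, "/..") == 0);
}

/* The open(2) replacement: first registered directory covering path, then
 * openat(2) on the tail alone. Handing openat the absolute path would be
 * wrong, since it ignores dirfd whenever the path is absolute. */
int
cap_open(const char *path, int flags, mode_t mode)
{
	const char *rel = NULL;
	int i;
	for (i = 0; i < nfdlist; i++)
		if ((rel = path_under(path, fdlist[i].name)) != NULL)
			break;
	if (rel == NULL || has_dotdot(rel)) {
		errno = ENOENT;
		return -1;
	}
	return openat(fdlist[i].fd, *rel == '\0' ? "." : rel, flags, mode);
}

/* Build a scratch tree under /tmp, register its data/ subdirectory and probe
 * the stub. Returns 0 if every expectation holds, else one bit per failure. */
int
cap_open_demo(void)
{
	char root[] = "/tmp/capdemo.XXXXXX", sub[256], file[256], probe[256];
	int fd, fail = 0;
	if (mkdtemp(root) == NULL)
		return -1;
	snprintf(sub, sizeof sub, "%s/data", root);
	snprintf(file, sizeof file, "%s/hello.txt", sub);
	if (mkdir(sub, 0700) == -1 || (fd = open(file, O_WRONLY | O_CREAT, 0600)) == -1 ||
	    close(fd) == -1 || capdir_register(sub) == -1)
		return -1;
	if ((fd = cap_open(file, O_RDONLY, 0)) == -1)	/* under data/: opens */
		fail |= 1;
	else
		close(fd);
	snprintf(probe, sizeof probe, "%s/hello.txt", root);	/* beside data/: refused */
	if (cap_open(probe, O_RDONLY, 0) != -1 || errno != ENOENT)
		fail |= 2;
	snprintf(probe, sizeof probe, "%s/../data/hello.txt", sub);	/* ".." escape: refused */
	if (cap_open(probe, O_RDONLY, 0) != -1)
		fail |= 4;
	unlink(file); rmdir(sub); rmdir(root);
	return fail;
}
```

Two caveats a port would have to settle. First, cap_open() takes the first registered directory that covers the path, so when registered directories nest, the more specific one has to be registered first (or the loop changed to prefer the longest name). Second, the ".." check is only a fence for kernels without Capsicum: it does nothing about a symlink inside data/ that points outside it, which openat(2) follows as usual. In Capsicum capability mode the kernel itself refuses absolute paths and ".." on lookups relative to a directory capability, so there the stub's job is purely to pick the right descriptor and strip the prefix.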