• Capsicum

Capsicum technologies

Capsicum consists of various technologies:

• Capability mode, see capsicum(4) and cap_enter(2) for more info.

• Capability rights for descriptors, see capsicum(4) and cap_rights_limit(2) for more info.

• Casper daemon, casper services, see libcasper(3) and capsicum_helpers(3) for more info.

• Name-value pair library - libnv, which is a general purpose name-value pair library, see libnv(9) for more info.

More information, links

• Capsicum: practical capabilities for UNIX at the University of Cambridge Computer Laboratory

• Capsicum in FreeBSD

• Capsicum talk at USENIX Security '10

• Capsicum and Casper - more than a lipstick on a pig at BSDCan 2014

• Sandboxing with Capsicum at ;login December 2014 VOL. 39, NO. 6

• Article: Capsicum and Casper - a fairy tale about solving security problems at AsiaBSDCon 2016

• Talk: Capsicum and Casper - a fairy tale about solving security problems at BSDCan 2016

• Talk: Case studies of sandboxing base system with Capsicum by Mariusz Zaborski (EuroBSDcon 2017)

Existing examples to follow

• auditdistd(8) - Done,
• auditreduce(8) (To be merged with new OpenBSM release)
• basename(1) (r308432),
• brandelf(1) (r340572),
• bspatch(1) - Done,

• bhyve(8) D8290 (committed r313727, sponsored by Pawel Biernacki of Mysterious Code Ltd.)

• cmp(1) D7912 (r305981),

• ctld(8) - Done,
• col(1) (r282342),
• dc(1) (r308432),

• dd(1) D8543 (committed r309735, sponsored by Pawel Biernacki of Mysterious Code Ltd.)

• decryptcore(8) - Done,
• dhclient(8) - Done,
• dirname(1)(r308432),

• dma-mbox-create D7988 (r310140),

• dumpon(8) - Done,
• echo(1) (r308432),
• elfdump(1) - Done,

• factor(6) D7982 (r306502),

• fold(1) (r308432),
• getopt(1) (r308432),
• hastd(8) - Done, hastctl(8),
• head(1) r340376,

• hexdump(1) D7915 (r310143),

• indent(1) D7920 (r305983),

• iscsid(8) - Done,

• jot(1) D1345 (r307660),

• last(1) D8001 (r310139),

• locate(1) (r308432),
• logname(1) (r308432),
• kdump(1) - Done,

• ktrdump(8) D7921 (r310142),

• md5(1) D8271 (r307658),

• ministat(1) D7925 (r310141),

• OpenSSH,
• praudit(8) (To be merged with new OpenBSM release)

• primes(6) D7982 (r306502),

• ping(8)/ping6(8) - Done,
• printenv(1) (r308432),
• procstat(1) - Done,
• rtsol(8), rtsold(8) (r342788)
• rwho(1) - Done,
• rwhod(8) - Done,
• savecore(8) (r342699)
• sleep(1) (r308432),

• soelim(1) D7936 (committed r305936)

• tcpdump(8) - Done,

• tee(1) D7940 (committed r305937),

• tr(1) D7928 (r305982),

• traceroute(8) https://reviews.freebsd.org/D9303 (r314000)

• units(1) - Done,
• uniq(1) - Done,
• wc(1) (r340374),

• write(1) D7999 (r306761),

• yes(1) (r308432).

Candidate programs

(should be relatively easy to sandbox using Capsicum)

• crontab(1) (CEM: Also seems difficult. Lots of filesystem interaction, stat(2).),

• elf2aout(1) D1331,

• finger(1) (CEM: Another difficult one. Lots of surprising filesystem interaction hidden between libc calls; network interaction; arbitrary list of inputs.),
• jls(8),
• true(1),
• xargs(1),
• dma(8).

Multiple file arguments

Some of those are more tricky, as they take multiple files as arguments and we don't want to open all of them at once before entering the sandbox. The best way to support this class of utilities is to provide a casperd service which can help iterate through all the files.

• b64decode(1) D7655,

• b64encode(1) D11131,

• compress(1) (CEM: Seems difficult. Not only do the program's routines work specifically with filenames rather than fds, the program moves files around after doing the compression. And the program works on an arbitrarily long list of filenames.),

• file(1) D7734,

• patch(1)

• praudit(8) D7926,

• sort(1),
• tail(1),
• uncompress(1),
• unzip(1),

• uudecode(1) D7655,

• uuencode(1) D11131,

• xstr(1).

setuid / setgid binaries

• r* binaries (bin/rcp, usr.bin/rlogin, usr.bin/rsh

• libexec/ulog-helper (CEM: Not much we can do to this one. Tiny program; reads passwd for uid->nam conversion; (re)writes utmpx files. To sandbox this we need the ability to preopen pwd/nsswitch; ability to preopen utmpx. Both would require libc API changes.)

• libexec/dma/dmagent
• usr.bin/login
• usr.bin/newgrp
• usr.bin/opiepasswd
• usr.bin/chpass
• usr.bin/bluetooth/btsockstat
• usr.bin/lock
• usr.bin/passwd
• usr.bin/quota
• usr.bin/su
• usr.bin/netstat
• usr.bin/at
• usr.bin/opieinfo
• usr.bin/wall
• sbin/shutdown
• sbin/mksnap_ffs
• usr.sbin/cron/crontab
• usr.sbin/lpr/lprm
• usr.sbin/lpr/lpr
• usr.sbin/lpr/lpq
• usr.sbin/lpr/lpc
• usr.sbin/sendmail
• usr.sbin/trpt
• usr.sbin/timed/timedc
• usr.sbin/authpf
• usr.sbin/ppp
• usr.sbin/traceroute6

Network daemons

• syslogd
• ntpd
• mountd
• rpcbind
• bsnmpd

Capsicum regression tests

in the source tree:

• tools/regression/security/cap_test

• tools/regression/capsicum/ D7759

external:

• capsicum-test