Capsicumization of the base system

Project description

Writing an application which makes use of capsicum’s principles is not difficult. But what poses a challenge is to modify the existing applications. Most of the applications’ code was not written with privilege separation in mind. So, in order to capsicumize an application, we need to study what all does an application interact with, what all resources does it require, which can be a good point to enter the capability mode. The application might require a casper service, either out of the existing casper services or a new one. While working on a new casper service we need to focus on:

We aim to capsicumize i.e sandbox all of the existing base applications. Many applications have been sandboxed but still a lot of applications need to be capsicumized. This project aims to sandbox some of them, namely traceroute6, fsck_ffs, fsdb, fsck_msdosfs, syslogd/file(1).

Introductory Blog Post

Differential revisions Submitted





Capsicumize traceroute6

Accepted (./)


Capsicumize fsck_msdosfs

Under Review


Capsicumize fsdb

Under Review


Capsicumize fsck_ffs

Under Review


Capsicumize file(1)

Under Review

Bugs Reported



traceroute6: Fix most warnings at the default WARNS level

Fixed (./)

Approach used

The generic approach that we will use to sandbox an application will involve:

Read the code

The first phase involves getting to know the application, reading the code and understanding what the application does. This will help in identifying which part of the code is allowed in the capability mode and which is not.

Reorganize the code

After we are well versed with the application, we are ready to sandbox it. After understanding what all descriptors does the application need before entering the sandbox, we can provide those descriptors before cap_enter() We can further read the code to understand what all capabilities do the descriptors need. For example in D9303(capsicumizing traceroute) it can be clearly seen that the connect() call was made before the call to cap_enter()

See if any casper service is required

The application might need a service such as a DNS lookup or opening multiple files, which won't be allowed in the sandbox. Casper makes it possible to utilise these services from inside the sandbox. If writing a new casper service, we need to figure out what API are we trying to provide and what limitations it enforces.

Enter the sandbox

Finally, we select the most suitable point of calling cap_enter() and enter inside the sandbox. Now, our application runs inside a sandbox making use of Capsicum and Casper.

Project Overview

The project involved picking up applications one by one and sandboxing them while working on the reviews that my mentors provided.






Where and why did I enter the capability mode?

Why did I use cap_pwd and cap_grp casper services








This year, GSoC was a tremendous learning experience for me, wherein I worked for hands on modifying legacy applications and understand the logic that they use. Trying to sandbox an application requires you to understand the underlying logic that the application uses, then only we can begin sandboxing it. Everything from writing a UDP header for traceroute to utilizing the casper services for our purpose, analyzing the different approaches, and understanding which one to choose added immensely to my learning curve.

I plan on staying in touch with my mentors and sandboxing file(1) and then start picking up some advanced work like sandboxing syslogd, which might require writing a new casper service. FreeBSD community has always been very helpful and supporting, which makes me more excited about working with them ahead in time.

My Fork

My Past Contributions to FreeBSD


SummerOfCode2020Projects/CapsicumizationOfTheBaseSystem (last edited 2023-01-25T15:12:12+0000 by vermaden)