Re: Using capsicum with sqlite?
- In reply to: Marc Coquand: "Using capsicum with sqlite?"
Date: Sun, 16 Nov 2025 22:09:36 UTC
On Sat Nov 15, 2025 at 3:22 PM CET, Marc Coquand wrote:
> Hey FreeBSD community,
>
> I'm trying to make sense of how Capsicum is intended to work.
>
> I want to create an app that accesses a SQLite database (with WAL), and
> nothing else. I figured Capsicum would be the way to lock down this program.
>
> As I understand Capsicum, you open the file descriptors that you're going
> to use and then use cap_enter to lock down the program, and afterward you
> can no longer open any new files.
>
> I am curious how I am supposed to use Capsicum together with sqlite, as all
> the libraries that I've used for sqlite work by passing a string with the
> filepath of the database, and for WAL some files are opened dynamically, so
> the file descriptors aren't known. Does that mean it isn't possible to use
> SQLite with Capsicum?
>
> Marc
Hi Marc,
Jake Freeland gave a talk at the last EuroBSDCon about Capsicum and how
to use it, which was based on his blog post [1].
As I see it, you have two options:
1. Use Capsicum for everything except the (write) interactions with the
SQLite database. If you cannot determine which files the SQLite library
will open, you may still be able to improve the security of other parts
of your program by sandboxing those other parts.
2. It appears possible to restrict file access to a specific directory
("sub-domains"). If you know where the WAL files are created, you might
be able to grant access only to that directory and then open or close
files within it as needed.
I haven't used Capsicum with SQLite myself, but I hope this helps.
Regards,
Souji
[1] https://cdaemon.com/posts/capsicum
--
Souji Thenria
Website: www.souji-thenria.net
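The directory-descriptor pattern behind option 2 of the reply above, as an added example that is not part of this thread and not code from the Capsicum or SQLite projects: open the database directory before entering capability mode, limit that descriptor to the rights a WAL-mode database needs, call cap_enter(), and from then on open, create and unlink files by name relative to the directory with openat()/unlinkat(). The rights list, the directory path and the file name "demo.sqlite-wal" are assumptions chosen for illustration; the block compiles without Capsicum on other systems, where the sandboxing calls are compiled out and only the relative-open pattern is exercised.

```c
#if !defined(__FreeBSD__) && !defined(_GNU_SOURCE)
#define _GNU_SOURCE          /* glibc: expose openat, unlinkat, O_DIRECTORY */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

/* Restrict the directory descriptor to the operations a WAL-mode SQLite
 * database performs on its directory: look up and create entries, read,
 * write, seek, lock, fsync, truncate, mmap (the -shm file), unlink (WAL and
 * shm cleanup) and fcntl (advisory locks).  The exact set is an assumption
 * for this example; the authoritative list is whatever the library actually
 * calls, which can be checked with ktrace on FreeBSD. */
static int limit_dir_fd(int dirfd)
{
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_LOOKUP, CAP_CREATE,
                    CAP_FSTAT, CAP_FSYNC, CAP_FTRUNCATE, CAP_SEEK, CAP_FLOCK,
                    CAP_MMAP_RW, CAP_UNLINKAT, CAP_FCNTL);
    return cap_rights_limit(dirfd, &rights);
#else
    (void)dirfd;
    return 0;           /* no Capsicum on this platform: nothing to limit */
#endif
}

/* Enter capability mode.  After this, open() on a path fails with ECAPMODE;
 * only descriptor-relative calls such as openat() keep working. */
static int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter();
#else
    return 0;
#endif
}

/* Open (creating if needed) a file by name relative to the directory
 * descriptor.  Absolute paths are rejected in capability mode, so the name
 * must be a plain entry inside the directory. */
static int open_in_dir(int dirfd, const char *name, int flags)
{
    return openat(dirfd, name, flags | O_CREAT, 0600);
}

/* Demonstration: sandbox, then create, write, read back and remove a file
 * standing in for a WAL file.  Returns 0 on success, -step on failure. */
int wal_dir_demo(const char *dir)
{
    if (mkdir(dir, 0700) == -1 && errno != EEXIST) return -1;
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd == -1) return -2;
    if (limit_dir_fd(dirfd) == -1) return -3;
    if (enter_sandbox() == -1) return -4;
#ifdef __FreeBSD__
    /* Path-based open is now refused: this is the property the sandbox buys. */
    if (open("/etc/passwd", O_RDONLY) != -1 || errno != ECAPMODE) return -5;
#endif
    int fd = open_in_dir(dirfd, "demo.sqlite-wal", O_RDWR);
    if (fd == -1) return -6;
    const char msg[] = "constructed stand-in for a WAL frame";   /* sample data */
    if (write(fd, msg, sizeof msg) != (ssize_t)sizeof msg) { close(fd); return -7; }
    char buf[64] = {0};
    if (lseek(fd, 0, SEEK_SET) == -1 ||
        read(fd, buf, sizeof buf) != (ssize_t)sizeof msg) { close(fd); return -8; }
    close(fd);
    /* Removal also goes through the directory descriptor, never a path. */
    if (unlinkat(dirfd, "demo.sqlite-wal", 0) == -1) return -9;
    close(dirfd);
    return strcmp(buf, msg) == 0 ? 0 : -10;
}

int main(void)
{
    int rc = wal_dir_demo("/tmp/capsicum_wal_demo");
    printf("wal_dir_demo: %s (%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

The sandboxed process can only ever reach entries of that one directory, so a WAL or shm file SQLite creates next to the database is within reach as long as the library opens it relative to the descriptor; how to make the SQLite library itself take a descriptor instead of a path string is not something this thread settles, and the stock unix VFS opens by path.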